Stealth Malware Campaign Uncovered: Direct-Sys Loader and CGrabber Stealer Enable Massive Credential and Crypto Theft

The cybersecurity landscape continues to evolve rapidly, with threat actors deploying increasingly sophisticated malware frameworks designed for stealth, persistence, and large-scale data exfiltration. A recent investigation by the Howler Cell threat research team highlights a highly coordinated, multi-stage intrusion chain featuring two newly identified malware families: Direct-Sys Loader and CGrabber Stealer.

This blog breaks down the technical architecture, attack flow, and broader implications of this campaign in a clear, structured manner suitable for security professionals and tech enthusiasts alike.


Attack Overview: From Delivery to Data Theft

The infection chain begins with seemingly harmless ZIP archives hosted via GitHub’s user attachment infrastructure. These archives contain a mix of legitimate and malicious files, cleverly designed to exploit trust in signed binaries.

A key component of the attack is the abuse of a legitimate Microsoft-signed executable, Launcher_x64.exe, as the host for DLL sideloading. The malicious payload is a DLL named msys-crypto-3.dll, disguised as a legitimate library and shipped in the same directory as the launcher; when the signed binary loads it, the DLL hijacks the normal execution flow and initiates the malware chain.
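A defender-side check for the sideloading pattern just described, added here as an example and not code from the Howler Cell report: it runs over Sysmon Event ID 7 ("Image loaded") records and flags a DLL that sits in the same directory as its loading executable, outside the Windows system directories, and without a valid signature. The records below are constructed; only the names Launcher_x64.exe and msys-crypto-3.dll come from the article, and the field names follow Sysmon's Event 7 schema (Image, ImageLoaded, Signed, SignatureStatus).

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 records.

Added example, not the report's code. Sample records are constructed;
only Launcher_x64.exe and msys-crypto-3.dll are taken from the article.
"""
from pathlib import PureWindowsPath

# Directories where Windows itself keeps DLLs; loads from here are not sideloads.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive test that `path` is `root` or lies inside it."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


def is_sideload_candidate(event: dict) -> bool:
    """True when the loaded DLL is (a) outside the Windows system directories,
    (b) in the same directory as the loading executable, and (c) not validly
    signed. Each condition alone is noisy; together they match the
    Launcher_x64.exe / msys-crypto-3.dll pattern."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return False
    if any(_under(loaded, d) for d in SYSTEM_DIRS):
        return False
    same_dir = str(image.parent).lower() == str(loaded.parent).lower()
    validly_signed = (event.get("Signed", "false").lower() == "true"
                      and event.get("SignatureStatus", "") == "Valid")
    return same_dir and not validly_signed


def find_sideloads(events):
    """Filter a sequence of Event 7 records down to sideload candidates."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry (user and directory names are placeholders).
SAMPLE_EVENTS = [
    {   # legitimate: a system DLL loaded from System32
        "Image": r"C:\Users\alice\Downloads\pkg\Launcher_x64.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # suspicious: an unsigned DLL sitting next to the signed launcher
        "Image": r"C:\Users\alice\Downloads\pkg\Launcher_x64.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\pkg\msys-crypto-3.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # benign: an application loading its own validly signed helper DLL
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"possible sideload: {hit['Image']} loaded {hit['ImageLoaded']}")
```

The signature test is the part worth tuning: plenty of legitimate software ships unsigned DLLs beside its executable, so in production this rule is best scoped to launcher processes running from user-writable paths such as Downloads or Temp, which is exactly where the ZIP-delivered archives in this campaign are unpacked.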


Stage 1: Direct-Sys Loader – Stealth at Its Core

The Direct-Sys Loader is the first active stage and is engineered with advanced evasion techniques. Its primary goal is to prepare the environment and execute the next-stage payload without detection.

Key Capabilities:

  • ChaCha20 Encryption: Used for decrypting internal strings and payloads.
  • Direct Syscalls: Issues system calls directly rather than through the normal ntdll exports, so user-mode API hooks placed by security products never see the call.
  • Anti-Analysis Techniques:
    • Checks for specific files (e.g., 12345.txt)
    • Scans for over 60 debugging and analysis tools
    • Detects virtual environments via display device fingerprints

Only after confirming it is running in a legitimate user environment does the loader proceed to decrypt and execute the embedded shellcode.


Stage 2 & 3: Shellcode and APC Injection

The second stage introduces shellcode that dynamically resolves critical Windows APIs by parsing internal structures such as the Process Environment Block (PEB), avoiding any import table that could be inspected. It also patches two security mechanisms in memory:

  • AMSI (Antimalware Scan Interface), so script and buffer content is no longer handed to the installed antivirus engine for scanning
  • ETW (Event Tracing for Windows), so the process stops emitting the telemetry events that many EDR sensors rely on

Together these patches effectively blind many endpoint detection systems to what the process does next.

Stage 3 escalates the attack by injecting malicious code into a legitimate process, Dllhost.exe, using APC (Asynchronous Procedure Call) injection. This technique further obscures malicious activity under the guise of trusted system processes.


Stage 4: Reflective Loading

The malware continues its in-memory execution strategy by decompressing and loading the next-stage payload without touching disk. This reflective loading approach minimizes forensic traces and evades traditional antivirus detection.


Stage 5: CGrabber Stealer – The Data Exfiltration Engine

The final stage introduces CGrabber, a powerful information stealer designed for maximum data extraction.

What It Collects:

  • System Information: Machine GUID, hardware specs, OS details
  • Process Enumeration: Active processes and security tools
  • Browser Data: Passwords, cookies, credit cards, history
  • Crypto Assets: Wallet files, private keys, extensions
  • Credentials: VPN, FTP, SSH, email, and password managers
  • Application Data: Messaging apps, gaming platforms, and more

CGrabber also implements:

  • CIS Region Exclusion: Avoids execution on systems located in the Commonwealth of Independent States
  • Mutex Control: Prevents duplicate infections
  • Encrypted Communication: Uses ChaCha20 + HMAC-SHA256 for secure data transmission

All stolen data is compressed into an in-memory ZIP archive and sent to command-and-control (C2) servers via structured HTTP POST requests with custom headers.


Advanced Evasion and Operational Maturity

What sets this campaign apart is the consistency and sophistication across all stages:

  • Shared cryptographic routines between loader and stealer
  • Multi-layered sandbox detection
  • Fileless execution techniques
  • Structured C2 communication with session management

Additionally, the reuse of identical placeholder web pages across multiple C2 domains suggests a deliberate effort to reduce infrastructure fingerprinting while enabling scalable operations.


Defensive Considerations

Organizations should adapt their defense strategies to counter such advanced threats. Key recommendations include:

  • Monitoring for DLL sideloading behavior
  • Detecting direct syscall usage patterns
  • Identifying in-memory AMSI/ETW patching
  • Inspecting anomalous outbound POST traffic with custom headers
  • Leveraging behavioral and memory-based detection tools

Traditional signature-based defenses alone are insufficient against such modular and stealth-focused malware.
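To make the "anomalous outbound POST traffic with custom headers" recommendation concrete, here is an added triage example (not code from the Howler Cell report) that scores POST requests from a proxy log for the exfiltration shape described earlier: an archive-type body sent to an unfamiliar host with request headers no browser emits. The JSON log records are constructed for the example, the allowlist and thresholds are placeholders to be tuned per environment, and the header names X-Session-Tag and X-Build are invented stand-ins, since the article does not name the campaign's real custom headers.

```python
"""Score outbound HTTP POSTs for an exfiltration-like shape.

Added example, not the report's code. Log records below are constructed;
X-Session-Tag and X-Build are placeholder header names, not the campaign's.
"""
import ipaddress
import json

# Request headers that browsers and common tooling routinely send.
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "connection", "cookie", "origin",
    "referer", "authorization", "cache-control", "pragma",
    "upgrade-insecure-requests", "x-requested-with",
    "sec-fetch-site", "sec-fetch-mode", "sec-fetch-dest",
}
# Hosts the organisation expects uploads to go to (placeholder allowlist).
KNOWN_UPLOAD_HOSTS = {"intranet.example.com", "github.com", "api.github.com"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}
LARGE_BODY = 200_000  # bytes; tune to the environment


def _is_ip(host: str) -> bool:
    """True when the Host value is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def score_request(rec: dict):
    """Return (score, reasons). Each reason is one weak signal; the pattern
    described in the article trips several of them at once."""
    reasons = []
    if rec.get("method") != "POST":
        return 0, reasons
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    host = rec.get("host", "")
    unusual = sorted(h for h in headers if h not in STANDARD_HEADERS)
    if unusual:
        reasons.append("non-standard headers: " + ", ".join(unusual))
    if host not in KNOWN_UPLOAD_HOSTS:
        reasons.append(f"upload to unfamiliar host {host}")
    if _is_ip(host):
        reasons.append("host is a bare IP address")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in ARCHIVE_TYPES:
        reasons.append(f"archive-type body ({ctype})")
    if rec.get("bytes_out", 0) >= LARGE_BODY:
        reasons.append(f"large body ({rec['bytes_out']} bytes)")
    if not headers.get("user-agent", "").startswith("Mozilla/"):
        reasons.append("non-browser or missing User-Agent")
    return len(reasons), reasons


def triage(lines, threshold=3):
    """Parse JSON proxy records; return (host, score, reasons) for those at or above threshold."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        score, reasons = score_request(rec)
        if score >= threshold:
            hits.append((rec.get("host", ""), score, reasons))
    return hits


# Constructed proxy export: a normal browser upload, a GET, and a suspicious POST.
SAMPLE_LOG = [
    json.dumps({"ts": "2024-01-01T09:00:00Z", "src": "10.0.0.5", "method": "POST",
                "host": "intranet.example.com", "path": "/upload", "bytes_out": 350000,
                "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/1.0",
                            "Content-Type": "multipart/form-data; boundary=x",
                            "Cookie": "session=abc", "Accept": "*/*"}}),
    json.dumps({"ts": "2024-01-01T09:01:00Z", "src": "10.0.0.5", "method": "GET",
                "host": "203.0.113.10", "path": "/", "bytes_out": 0,
                "headers": {"User-Agent": "client/1.0"}}),
    json.dumps({"ts": "2024-01-01T09:02:00Z", "src": "10.0.0.7", "method": "POST",
                "host": "203.0.113.10", "path": "/gate", "bytes_out": 812344,
                "headers": {"User-Agent": "client/1.0", "Content-Type": "application/zip",
                            "X-Session-Tag": "placeholder", "X-Build": "placeholder"}}),
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_LOG):
        print(f"{host}: score {score}")
        for r in reasons:
            print("  -", r)
```

Scoring rather than matching a single indicator is the point: the campaign's headers and domains will change, but a large archive body, a non-browser client, and an unfamiliar destination tend to co-occur whenever a stealer ships a ZIP of harvested data, so the rule keeps its value after the specific infrastructure is retired.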


Our Perspective on This Threat

This campaign reflects a significant evolution in modern cybercrime tooling, blending stealth, scalability, and precision targeting. The integration of Direct-Sys Loader and CGrabber demonstrates not just technical sophistication, but also a clear understanding of how enterprise defenses operate—and how to bypass them effectively.

What stands out most is the deliberate avoidance of noisy behaviors. By relying on direct syscalls, in-memory execution, and legitimate binaries, the attackers reduce their visibility across multiple detection layers. This is not opportunistic malware; it is engineered for persistence and long-term data harvesting.

The CIS region exclusion further suggests an organized threat actor with geopolitical awareness, reinforcing the likelihood of a financially motivated group operating with discipline and strategic intent.

From a defensive standpoint, this case underscores a critical shift: security teams must move beyond static detection and embrace behavioral analytics, threat hunting, and memory forensics. The ability to detect what should not happen—rather than what is already known—is becoming essential.

Ultimately, this threat is a reminder that cybersecurity is no longer about perimeter defense. It is about visibility, adaptability, and anticipating attacker behavior before damage is done.