LevelBlue threat researchers discover new “SquidLoader” malware, with advanced techniques to evade debuggers and static analysis, using Cobalt Strike as a final payload

LevelBlue, a leading provider of managed security services, strategic consulting, and threat intelligence, today released new research from LevelBlue Labs, the company’s global team of threat researchers and data scientists who regularly analyze one of the largest collections of threat data in the world.

LevelBlue Labs discovered a new malware loader, dubbed “SquidLoader,” delivered via phishing attachments. The campaign was first observed in late April 2024, when the team uncovered SquidLoader using several advanced techniques to avoid being statically or dynamically analyzed for at least a month. The final payload is a Cobalt Strike sample, and based on its configuration, LevelBlue Labs assessed that this same threat actor has been mainly targeting Chinese-speaking victims sporadically over the past two years.

“The SquidLoader sample makes a clear effort to avoid detection, as well as static and dynamic analysis,” said Fernando Dominguez, Principal Security Researcher at LevelBlue Labs. “We do not have enough findings to classify this threat actor as an advanced persistent threat (APT), but the techniques being observed by SquidLoader are those that are typically used by a persistent APT.”

To protect against SquidLoader, organizations are advised to exercise increased vigilance against phishing attempts, including not opening attachments or clicking links from untrusted senders. They should always verify that a sender is trusted, is who they claim to be, and that the communication is expected, especially when it carries an attachment.

LevelBlue Labs delivers continuous, tactical threat intelligence that powers LevelBlue’s USM Anywhere platform, helping to better inform cybersecurity teams and fortify their organizations’ defenses against the latest threats. LevelBlue threat researchers have unrivaled visibility into the global threat landscape through insight from analysts at four global Security Operations Center locations and three global Network Operation Centers operated 24 hours per day and 365 days per year.

“LevelBlue Labs’ latest research is yet another example of our team providing the most timely and tactical threat intelligence on the market today,” said Sundhar Annamalai, President of LevelBlue. “Our continuously updated, integrated threat intelligence helps cybersecurity teams quickly prioritize and address the most critical threats targeting their business – ultimately minimizing noise, false alarms and burnout.”

For more information on SquidLoader, please read the full technical blog here. For more details on LevelBlue Labs and how your organization can be empowered by the team’s threat intelligence, please click here.

About LevelBlue

We simplify cybersecurity through award-winning managed services, experienced strategic consulting, threat intelligence and renowned research. Our team is a seamless extension of yours, providing transparency and visibility into security posture and continuously working to strengthen it.

We harness security data from numerous sources and enrich it with artificial intelligence to deliver real-time threat intelligence, which enables more accurate and precise decision making. With a large, always-on global presence, LevelBlue sets the standard for cybersecurity today and tomorrow. We easily and effectively manage risk, so you can focus on your business.

Welcome to LevelBlue. Cybersecurity. Simplified. Learn more at www.levelblue.com.

Media Contact: Jessica Bettencourt, Inkhouse for LevelBlue, LevelBlue@inkhouse.com, (774) 451-5142