The Curious Case of the Comburglar
ID: fd9b3765-7a3a-58de-ab54-7bf68b9f0e90
STIX ID: report--fd9b3765-7a3a-58de-ab54-7bf68b9f0e90
Feed Name: Black Hills Infosec Blog
Black Hills Infosec (BHIS) uncovered a stealthy, long-lived intrusion technique (tracked as UKC-1230) in which an attacker modified Windows User_Feed_Synchronization scheduled tasks to use a ComHandler action that pointed to malicious GUID-named DLLs, loaded by the dllhost.exe COM surrogate process, to maintain C2. The DLLs shared an imphash (c4f69d93...) but each had a unique file hash, which complicates hunting by file hash alone; BHIS provides IOCs (domains, IPs, SHA256s), YARA and Sigma detection examples, and hunting guidance, noting that the persistence had been in place for at least seven months and that related artifacts were observed in the wild.