Recent Cases of Watering Hole Attacks, Part 2
ID: 69a6b4f3-18e5-5bf4-a54a-df2029e1859d
STIX ID: report--69a6b4f3-18e5-5bf4-a54a-df2029e1859d
Feed Name: JPCERT Blog
This report analyzes a 2023 watering-hole attack on a media website. Visitors were lured into downloading an LZH archive containing an LNK file; the LNK executed a Base64-encoded ZIP, and the resulting payload used DLL sideloading to deploy SQRoot (dmiapi32.dll), a plugin-based malware with RAT and stealer modules. SQRoot communicated with its C2 domains (e.g., dict.digibulk.live) using ChaCha20 and RC4 encryption and restricted its check-ins to specific time windows. The report includes IOCs (domains, an IP address, and multiple file hashes) and a command list. Attribution is unknown, although some filenames overlap with past APT10 activity.
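The summary notes that the LNK executed a Base64-encoded ZIP. The following is an added triage example, not code from the JPCERT report or this feed: it checks the LNK header magic, scans the file for long Base64 runs, decodes each run, and tests whether the result begins with a ZIP local-file-header signature. The LNK-like sample buffer is constructed inline for the demonstration and is not an artifact from the report; the function names are assumptions of this example.

```python
import base64
import io
import re
import zipfile

# Shell link (LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_HEADER = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)

# ZIP local file header signature ("PK\x03\x04").
ZIP_MAGIC = b"PK\x03\x04"

# A run of at least 64 Base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def build_sample_lnk() -> bytes:
    """Constructed sample: an LNK-shaped buffer whose command-line area
    carries a Base64-encoded ZIP. Not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "constructed sample content")
    b64 = base64.b64encode(buf.getvalue())
    return (
        LNK_HEADER
        + b"\x00" * 64
        + b"cmd /c echo " + b64 + b" > x.zip"
        + b"\x00" * 16
    )


def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with a valid shell link header."""
    return data[:len(LNK_HEADER)] == LNK_HEADER


def find_embedded_zips(data: bytes):
    """Return (offset, decoded_bytes) for every Base64 run that decodes
    to data starting with the ZIP local-file-header signature."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except (ValueError, base64.binascii.Error):
            # Not well-formed Base64 (bad padding, length not multiple of 4).
            continue
        if decoded.startswith(ZIP_MAGIC):
            hits.append((m.start(), decoded))
    return hits


def zip_member_names(blob: bytes):
    """List the member names of a decoded ZIP without extracting it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample_lnk()
    print("LNK header ok:", is_lnk(sample))
    for offset, blob in find_embedded_zips(sample):
        print(f"embedded ZIP at offset {offset}: {zip_member_names(blob)}")
```

Run it against a suspicious .lnk by replacing the constructed sample with the file's bytes; a hit means a Base64 run inside the link decodes to a ZIP archive, which is the stage the summary describes. Listing member names rather than extracting keeps the check safe to run on untrusted input.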
