BLACKMOON
THREAT CAMPAIGN: BLACKMOON MALWARE WITH DLL SIDE-LOADING AND UAC BYPASS
In early December 2025, researchers identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage.
The campaign targets residents of India with phishing emails that impersonate the Income Tax Department of India, luring victims into downloading a malicious archive. The threat actor's primary objective is to gain persistent, elevated access to the victim's machine for continuous monitoring of user activities, file operations, and exfiltration of sensitive information.
The infection chain begins with DLL side-loading: a legitimate, Microsoft-signed executable is delivered together with a malicious DLL that carries the name of a library the executable expects to load, so the trusted, signed binary ends up running the attacker's code. This initial loader is equipped with extensive anti-debugging and anti-analysis checks intended to thwart inspection.
Only once these checks pass does the malware contact its C2 server and download packed shellcode. This second stage unpacks itself in memory and relies on two techniques for privilege escalation and defense evasion:
■ UAC Bypass: It uses a well-known, file-less COM-based technique to bypass the UAC prompt, silently gaining administrative privileges.
■ Process Masquerading: It rewrites fields in its own Process Environment Block (PEB), such as the image path and command line, so that it appears as the legitimate Windows explorer.exe to tools that build their process view from user-mode data. The kernel's own record of the image is not affected, so the spoof can be caught by anything that compares the PEB-reported identity with the kernel-reported one (process creation telemetry, or a QueryFullProcessImageName lookup).
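The mismatch described above is checkable from a live host. The PowerShell below is an added example, not code from eSentire's analysis: it compares the image path that Get-Process and Win32_Process report (both are assembled from the target's own PEB, which a process can rewrite) with the path the kernel returns through QueryFullProcessImageName, and lists every process where the two disagree. The function names Get-KernelImagePath and Find-PebMasquerade are hypothetical names chosen for this example.

```powershell
# Added example (not from the eSentire report): surface processes whose PEB-reported
# identity disagrees with the kernel's view of the image.
# Get-Process (.Path) and Win32_Process (.CommandLine) are built from the target process's
# own PEB, which the process can rewrite. QueryFullProcessImageName answers from the kernel,
# which user-mode code cannot alter, so the two must normally agree.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-KernelImagePath {
    # Hypothetical helper name: ask the kernel, not the PEB, which image backs a PID.
    param([int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $h = [Win32.NativeMethods]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }      # access denied, or no image (e.g. PID 4)
    try {
        $buf = New-Object System.Text.StringBuilder 32767
        [uint32]$len = $buf.Capacity
        if ([Win32.NativeMethods]::QueryFullProcessImageName($h, 0, $buf, [ref]$len)) {
            return $buf.ToString(0, $len)
        }
        return $null
    } finally {
        [void][Win32.NativeMethods]::CloseHandle($h)
    }
}

function Find-PebMasquerade {
    # Hypothetical function name. Command lines come from WMI, which also reads the PEB.
    $cmdLines = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $cmdLines[[int]$_.ProcessId] = $_.CommandLine }

    foreach ($proc in Get-Process) {
        $kernelPath = Get-KernelImagePath -ProcessId $proc.Id
        if (-not $kernelPath) { continue }
        $pebPath = try { $proc.Path } catch { $null }   # null when the module list is unreadable
        $cmdLine = $cmdLines[[int]$proc.Id]
        $exeName = [IO.Path]::GetFileName($kernelPath)

        $reasons = @()
        if ($pebPath -and ($pebPath -ne $kernelPath)) {
            $reasons += 'PEB image path differs from kernel image path'
        }
        if ($cmdLine -and ($cmdLine -notmatch [regex]::Escape($exeName))) {
            $reasons += 'command line does not name the kernel image'
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            PID         = $proc.Id
            PebPath     = $pebPath
            KernelPath  = $kernelPath
            CommandLine = $cmdLine
            Reason      = $reasons -join '; '
        }
    }
}

Find-PebMasquerade | Format-Table -AutoSize -Wrap
```

Run it from an elevated 64-bit PowerShell so that the PEB of 64-bit processes can be read; a process whose PEB has been rewritten to claim explorer.exe shows up with a KernelPath pointing at the real binary. The command-line check is a heuristic and can flag legitimate processes whose argv[0] was set to something unusual, so treat its hits as leads to confirm rather than verdicts.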
The unpacked DLL is identified as a variant of the Blackmoon malware family. A distinctive feature of this variant is its specific targeting of Avast Free Antivirus: when Avast is detected, the malware drives Avast's user interface with simulated mouse input and adds its own files to the antivirus exclusion list, whitelisting them so that later stages are never scanned.
The next stage of the attack deploys a custom toolkit that establishes long-term access. A collection of batch scripts weakens system security settings, and a core component is installed as a Windows service and registered to start even in Safe Mode (on Windows, a service starts in Safe Mode only if it is listed under the SafeBoot\Minimal or SafeBoot\Network registry keys, which is also where defenders should look for it). The backdoor therefore survives a Safe Mode boot and remains active, allowing the threat actor to conduct spying activities undetected.
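Because Safe Mode service persistence has to go through the SafeBoot keys, it can be audited directly. The PowerShell below is an added example and is not code from eSentire's report or from the toolkit it describes: it enumerates every key under SafeBoot\Minimal and SafeBoot\Network whose default value is "Service", resolves the service's ImagePath to a file, and reports its Authenticode status and signer, so that anything not validly signed by Microsoft stands out. The function names Resolve-ServiceBinary and Get-SafeBootServiceAudit are hypothetical names chosen for this example.

```powershell
# Added example (not from the eSentire report): list every service registered to start in
# Safe Mode and check the signature of the binary it points at. Windows only starts a service
# in Safe Mode when a subkey carrying the service's name exists under SafeBoot\Minimal
# (Safe Mode) or SafeBoot\Network (Safe Mode with Networking) with a default value of "Service".

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ServiceBinary {
    # Hypothetical helper: turn a raw ImagePath ("C:\x\a.exe" -k, %SystemRoot%\..., \SystemRoot\...,
    # \??\C:\..., or a system32-relative path) into the file it actually points at.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted: keep everything up to and including the first .exe/.sys/.dll token.
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    if     ($p -match '^\\SystemRoot\\')          { $p = $env:SystemRoot + $p.Substring('\SystemRoot'.Length) }
    elseif ($p -match '^\\\?\?\\')                 { $p = $p.Substring(4) }
    elseif (-not [IO.Path]::IsPathRooted($p))      { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SafeBootServiceAudit {
    # Hypothetical function name.
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $SafeBootRoot $mode
        if (-not (Test-Path -LiteralPath $modeKey)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $modeKey) {
            # The default value says what the key names: "Service", "Driver", or a device-class name.
            $kind = (Get-ItemProperty -LiteralPath $entry.PSPath).'(default)'
            if ($kind -ne 'Service') { continue }
            $name   = $entry.PSChildName
            $svcKey = Join-Path $ServicesRoot $name
            $record = [ordered]@{
                Mode = $mode; Service = $name; ImagePath = $null; Binary = $null
                Signature = 'no such service'; Signer = $null
            }
            if (Test-Path -LiteralPath $svcKey) {
                $svc = Get-ItemProperty -LiteralPath $svcKey
                $record.ImagePath = $svc.ImagePath
                $record.Binary    = Resolve-ServiceBinary $svc.ImagePath
                if ($record.Binary -and (Test-Path -LiteralPath $record.Binary)) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $record.Binary
                    $record.Signature = $sig.Status.ToString()
                    $record.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                } else {
                    $record.Signature = 'binary not found'
                }
            }
            [pscustomobject]$record
        }
    }
}

# Everything that is not a validly Microsoft-signed binary deserves a closer look.
Get-SafeBootServiceAudit |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize -Wrap
```

Drop the Where-Object filter to see the full baseline for the host; on a clean Windows install the entries are all Microsoft-signed services under %SystemRoot%. A SafeBoot entry whose service has no key under Services, or whose binary lives outside the Windows and Program Files trees, is worth pulling for analysis even if the file happens to carry a valid signature.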
The final stage of the attack deploys the SyncFuture TSM. While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework. By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.
Source: eSentire
All threat research, exploit analysis, and adversary technique assessments discussed in this article have been conducted in isolated, air-gapped laboratory environments with proper authorization and security controls.