SADBRIDGE
SADBRIDGE is a custom Windows malware loader documented by Elastic Security Labs in intrusion set REF3864. It has been used in campaigns targeting Chinese-speaking users via trojanized installers masquerading as legitimate software such as Telegram and Opera GX, commonly delivered in ZIP archives containing malicious MSI packages. The infection chain abuses DLL side-loading, including use of x64dbg.exe to load a patched x64bridge.dll, which launches a renamed MonitoringHost.exe as DevQueryBroker.exe to side-load HealthServiceRuntime.dll. SADBRIDGE stores an encrypted configuration at C:\Users\Public\Documents\<hostname_hash>\edbtmp.log with hidden, system, and read-only attributes, uses subtraction-by-0x1 for configuration obfuscation, and uses XOR plus LZNT1 decompression for encrypted stage files with .log extensions.
SADBRIDGE deploys a Golang-based reimplementation of the QUASAR RAT called GOSAR. It uses multiple defense-evasion and privilege-escalation techniques, including long Sleep calls for sandbox evasion, AMSI patching of AmsiScanBuffer and AmsiOpenSession, ETW patching of EtwEventWrite, UAC bypass via the ICMLuaUtil COM interface, and execution with SYSTEM privileges via Task Scheduler and the IElevatedFactorySever COM object. Persistence is achieved through Windows service creation, registry modifications, and scheduled tasks. For code execution and stealth, SADBRIDGE uses process injection techniques including PoolParty Variant 7, APC queues, and token manipulation; reporting cited in the content describes SADBRIDGE as the only other observed malware family using PoolParty Variant 7.
The final GOSAR payload is injected into svchost.exe for logged-in sessions and dllhost.exe for service or no-user sessions. The malware checks for Chinese AV-related artifacts such as 360tray.exe and uses Chinese-language logging and Chinese firewall-rule text, which researchers assessed as indicating both operators and intended victims are likely Chinese-speaking. Related operations were assessed as active since at least December 2023 based on extracted configuration data.
Associated observables directly mentioned in the content include landing-page domains opera-x[.]net and teledown-cn[.]com; GOSAR C2 domains ferp.googledns[.]io, hk-dns.secssl[.]com, hk-dns.winsiked[.]com, hk-dns.wkossclsaleklddeff[.]is, and hk-dns.wkossclsaleklddeff[.]io; and SHA-256 hashes 15af8c34e25268b79022d3434aa4b823ad9d34f3efc6a8124ecf0276700ecc39 for NetFxRepairTools.msi, accd651f58dd3f7eaaa06df051e4c09d2edac67bb046a2dcb262aa6db4291de7 for x64bridge.dll, and 7964a9f1732911e9e9b9e05cd7e997b0e4e2e14709490a1b657673011bc54210 for GOSAR.
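As an added example (not code from the page, from Elastic, or from Mallory), the following Python turns the infection chain and observables above into detection logic run over constructed Sysmon-style events. The event field names (image, loaded, original_file_name, path, query, sha256) and the sample events are assumptions; the hashes, domains, file names and config path come from the page.

```python
import re

# SHA-256 values and C2 domains as listed on the page (defanging brackets removed).
KNOWN_SHA256 = {
    "15af8c34e25268b79022d3434aa4b823ad9d34f3efc6a8124ecf0276700ecc39": "NetFxRepairTools.msi",
    "accd651f58dd3f7eaaa06df051e4c09d2edac67bb046a2dcb262aa6db4291de7": "x64bridge.dll",
    "7964a9f1732911e9e9b9e05cd7e997b0e4e2e14709490a1b657673011bc54210": "GOSAR",
}
KNOWN_C2 = {
    "ferp.googledns.io", "hk-dns.secssl.com", "hk-dns.winsiked.com",
    "hk-dns.wkossclsaleklddeff.is", "hk-dns.wkossclsaleklddeff.io",
}

# Encrypted config drop: a per-host hash directory under Public\Documents, file edbtmp.log.
CONFIG_PATH_RE = re.compile(r"^c:\\users\\public\\documents\\[^\\]+\\edbtmp\.log$", re.IGNORECASE)

# Side-load pairs from the page: (host image basename, loaded DLL basename).
SIDELOAD_PAIRS = {
    ("x64dbg.exe", "x64bridge.dll"),
    ("devquerybroker.exe", "healthserviceruntime.dll"),
}


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule hits for one event (empty list = no match)."""
    hits = []
    kind = event.get("event")
    if kind == "image_load":
        pair = (basename(event["image"]), basename(event["loaded"]))
        if pair in SIDELOAD_PAIRS:
            hits.append(f"sideload:{pair[0]}->{pair[1]}")
    if kind == "process_create":
        # Renaming MonitoringHost.exe does not change its PE version info, so the
        # OriginalFileName field still reads MonitoringHost.exe while the image on
        # disk is DevQueryBroker.exe (assumption: version info was not stripped).
        if (basename(event["image"]) == "devquerybroker.exe"
                and event.get("original_file_name", "").lower() == "monitoringhost.exe"):
            hits.append("renamed-monitoringhost")
    if kind == "file_create" and CONFIG_PATH_RE.match(event["path"]):
        hits.append("config-drop:edbtmp.log")
    if kind == "dns_query" and event["query"].lower().rstrip(".") in KNOWN_C2:
        hits.append(f"c2-dns:{event['query']}")
    digest = event.get("sha256", "").lower()
    if digest in KNOWN_SHA256:
        hits.append(f"hash:{KNOWN_SHA256[digest]}")
    return hits


def scan(events):
    """Return (event id, hits) for every event that triggered at least one rule."""
    return [(e["id"], hits) for e in events if (hits := evaluate(e))]


# Constructed sample events; paths and directory hash are made up for illustration.
SAMPLE_EVENTS = [
    {"id": 1, "event": "image_load", "image": r"C:\Users\Public\x64dbg\x64dbg.exe",
     "loaded": r"C:\Users\Public\x64dbg\x64bridge.dll",
     "sha256": "accd651f58dd3f7eaaa06df051e4c09d2edac67bb046a2dcb262aa6db4291de7"},
    {"id": 2, "event": "process_create", "image": r"C:\ProgramData\Runtime\DevQueryBroker.exe",
     "original_file_name": "MonitoringHost.exe"},
    {"id": 3, "event": "image_load", "image": r"C:\ProgramData\Runtime\DevQueryBroker.exe",
     "loaded": r"C:\ProgramData\Runtime\HealthServiceRuntime.dll"},
    {"id": 4, "event": "file_create", "path": r"C:\Users\Public\Documents\7f3a9c\edbtmp.log"},
    {"id": 5, "event": "dns_query", "query": "hk-dns.secssl.com"},
    {"id": 6, "event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE"},
    {"id": 7, "event": "file_create", "path": r"C:\Users\alice\Documents\notes.log"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(event_id, hits)
```

A legitimate x64dbg install also loads x64bridge.dll, so the first side-load pair is only a weak signal on its own; in the sample it is corroborated by the hash of the patched DLL, and in practice it should be paired with path, signer or hash context. The OriginalFileName mismatch and the edbtmp.log path under a Public\Documents hash directory are the more specific signals.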
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Persistence (2 techniques)
Privilege Escalation (6 techniques)
SADBRIDGE integrates a public UAC bypass technique using the IElevatedFactorySever COM object to indirectly create the scheduled task. This task is configured to run DevQueryBroker.exe on a daily basis with SYSTEM level privileges.
SADBRIDGE employs PoolParty, APC queues, and token manipulation techniques for process injection.
the encrypted shellcode ... is decrypted ... and APC injection is used to queue the shellcode for execution in the newly created process’s thread.
If a session ID is available, the code attempts to duplicate the user token for that session and elevate the duplicated token's integrity level to S-1-16-12288 (System integrity).
Stealth (6 techniques)
The SADBRIDGE configuration is encrypted using a simple subtraction of 0x1 on each byte of the configuration string. The encrypted stages are all appended with a .log extension, and decrypted during runtime using XOR and the LZNT1 decompression algorithm.
These organized campaigns target victims by masquerading as legitimate software such as web browsers or social media messaging services.
Discovery (2 techniques)
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Malware family noted for also using the rare PoolParty Variant 7 process injection technique; mentioned as similar to ValleyRat, suggesting shared tooling or evolution within the same ecosystem.
Custom Windows malware loader delivered via trojanized MSI installers. It uses DLL side-loading, shellcode decryption, process injection, AMSI/ETW patching, UAC bypass via ICMLuaUtil, Task Scheduler abuse, and service/registry persistence to ultimately inject and launch GOSAR.
Referenced as another malware family observed using the uncommon PoolParty Variant 7 process-injection technique; used for comparative attribution to the fake installer activity.
Malware family noted for using the uncommon PoolParty Variant 7 process-injection technique; cited as the only other known user of this method, suggesting possible developer/actor overlap with the fake-installer malware described.