Hypnosis Loader
Hypnosis Loader is a novel DLL loader observed by Palo Alto Networks Unit 42 in a 2025 cyberespionage campaign targeting a government organization in Southeast Asia. It was used by activity cluster CL-STA-1049, which overlaps with the publicly tracked China-aligned group Unfading Sea Haze. The malware was deployed through DLL sideloading or DLL proxy sideloading, including abuse of a legitimate Bitdefender executable (seccenter.exe) loading a malicious version.dll from C:\Program Files\Common Files\Bitdefender\SetupInformation\version.dll. Its role in the intrusion was to stealthily install or deploy FluffyGh0st RAT as a follow-on payload. Unit 42 reported this loader as a stealthy, newly identified component in a broader operation involving multiple China-linked clusters seeking long-term persistent access to sensitive government networks and data exfiltration. High-confidence related indicators mentioned in the reporting include the malicious version.dll SHA256 9d7c8d3bc4ac108fb2602424a1f4918c051c2443f0526bbb2c970c8e57dbd90d, and an assessed final payload bdusersy.dll that communicated with webmail.rpcthai[.]com and was plausibly FluffyGh0st.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.
Cluster CL-STA-1049 used a stealthy “Hypnosis” DLL loader to deploy FluffyGh0st RAT via DLL sideloading with a legitimate Bitdefender executable.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
These alerts highlighted a DLL sideloading attack that used a legitimate Bitdefender executable, seccenter.exe.
Privilege Escalation
1 technique
Stealth
2 techniques
The loader injects itself, maintains execution, decrypts, and loads the final payload.
The loader then uses an XOR key to decrypt an embedded shellcode payload and executes the shellcode... After patching the DLL's host process, Hypnosis loader creates a new thread to decrypt the name of the final payload (bdusersy.dll) with an RC4 key.
Command and Control
1 technique
The base domain rpcthai[.]com appears to be used for the website of a legitimate Thai-based company, which implies that attackers hijacked the domain and created webmail.rpcthai[.]com to act as a C2 server.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Loader malware used in the campaign as part of a multi-payload strategy to deploy or support additional malicious components.
A stealthy DLL loader used to deploy FluffyGh0st RAT via DLL sideloading, maintaining execution and decrypting/loading the final payload.
Novel DLL loader launched via DLL side-loading to install FluffyGh0st RAT.
Novel DLL sideloading loader that proxies exports to a legitimate version.dll, patches the host process entry point to keep the process alive, decrypts the final payload name with RC4, and loads the payload via LoadLibrary.
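As an added, defender-side example (not code from Unit 42 or Mallory): a small Python scanner that walks a directory tree, flags any version.dll found outside System32 (the DLL name and location pattern this page describes, including the Bitdefender SetupInformation path), and raises the severity when the file's SHA-256 matches the hash reported above. The constructed sample directory, its placeholder file contents and the helper names are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the malicious version.dll reported by Unit 42 (value taken from this page).
KNOWN_BAD_SHA256 = {
    "9d7c8d3bc4ac108fb2602424a1f4918c051c2443f0526bbb2c970c8e57dbd90d": "Hypnosis Loader version.dll",
}

# DLL names this page documents as proxied/sideloaded; extend with your own watchlist.
SIDELOAD_CANDIDATE_NAMES = {"version.dll"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, known_bad=KNOWN_BAD_SHA256, names=SIDELOAD_CANDIDATE_NAMES):
    """Return findings for candidate DLLs under `root`.

    severity "high": hash matches a known-bad indicator.
    severity "medium": sideload-candidate DLL living outside System32 (a legitimate
    version.dll normally resides there); noted when an .exe sits in the same folder."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        exe_beside = any(n.lower().endswith(".exe") for n in filenames)
        for name in filenames:
            if name.lower() not in names:
                continue
            path = Path(dirpath) / name
            digest = sha256_of(path)
            if digest in known_bad:
                findings.append({"path": str(path), "sha256": digest, "severity": "high",
                                 "reason": "hash matches " + known_bad[digest]})
            elif "system32" not in str(path).lower():
                reason = "sideload-candidate DLL outside System32"
                if exe_beside:
                    reason += " next to an executable"
                findings.append({"path": str(path), "sha256": digest,
                                 "severity": "medium", "reason": reason})
    return findings


def build_sample_dir():
    """Constructed test fixture (assumption): an app folder with an exe and a version.dll."""
    root = Path(tempfile.mkdtemp())
    (root / "seccenter.exe").write_bytes(b"MZ constructed placeholder exe")
    dll_bytes = b"MZ constructed placeholder dll"
    (root / "version.dll").write_bytes(dll_bytes)
    return root, hashlib.sha256(dll_bytes).hexdigest()
```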