DPAPILoader

In one observed intrusion, the malware was deployed as C:\Windows\System32\Iassvc.dll under a malicious Windows service masquerading as the legitimate Internet Authentication Service (IAS). The malware abuses Windows service infrastructure to establish persistence through svchost.exe while imitating legitimate Windows components.

In one observed intrusion, the malware was deployed as C:\Windows\System32\Iassvc.dll under a malicious Windows service masquerading as the legitimate Internet Authentication Service (IAS). The malware abuses Windows service infrastructure to establish persistence through svchost.exe while imitating legitimate Windows components.

After DPAPI decryption, the payload is additionally XORed with 0x8D before loading. This is consistent across all observed DPAPILoader samples.

Researchers noted the malicious DLL intentionally mimicked the legitimate iassvcs.dll naming convention, differing by only a single character.

DPAPILoader functions as the first-stage component responsible for decrypting and executing encrypted payloads tied to the victim environment via the Windows Data Protection API (DPAPI)... The malware applies an additional XOR operation using the constant 0x8D after DPAPI decryption, creating a layered protection mechanism.

Researchers identified multiple DPAPILoader variants utilizing different execution methods, including service execution, DLL sideloading via ESET software, and export-based loading through WMI-related functionality.

Meanwhile, the malware checks the host process and loops over specific device metadata paths.

It filters out legitimate Microsoft Cabinet files by checking for the MSCF magic bytes and decrypts remaining files larger than 50 KiB using DPAPI before reflective loading through the open-source libpeconv library.

“DPAPILoader is implemented as a DLL whose purpose is to decrypt and load an encrypted payload from disk using DPAPI.”

Meanwhile, the malware checks the host process and loops over specific device metadata paths.

DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt its payload... each deployment produces a unique encrypted blob, meaning the payload hash differs across victims and evades hash-based detection.

The attack followed a pattern increasingly common in Lazarus operations, social engineering via Telegram, with operatives posing as employees of a legitimate trading firm, scheduling fake meetings through spoofed Calendly and Picktime domains to gain initial access to a victim’s device.