Subtle Snail's MINIBIKE Campaign Uses DLL Sideloading and Azure-Proxied C2
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Keylogger, Trojan
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Subtle Snail operators deploy the MINIBIKE backdoor via DLL sideloading to gain persistent, high-privilege access. The malware stages its components in the Public user's Documents folder using CopyFile2 and BITS, enforces single-instance execution with a UUID mutex, and builds a unique USERID from the username, hostname, and DLL timestamp for HTTP POST C2 over WinHTTP. Modular components include an LCG-obfuscated keylogger that writes encrypted extended0.log files, a browser stealer that uses a Chrome App-Bound decryption tool with process hollowing, and a CredUI-based Outlook/Winlogon prompt that saves stolen credentials. Operators use Azure-proxied domains for C2, automated chunked exfiltration, WinRAR archiving, and anti-analysis techniques including control flow flattening and dynamic API resolution. Targeted sectors include telecommunications organizations.
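The staging behaviour described above (a signed host binary and an unsigned DLL dropped together into a user-writable folder such as Public\Documents) is something an image-load telemetry rule can catch. The following is an added detection example, not code from the report or the vendor: it parses constructed Sysmon-style image-load records and flags DLLs loaded from staging directories. The staging directories other than Public\Documents, the `LoaderSigned` enrichment field (signature state of the loading process, which Sysmon Event 7 does not carry itself) and all log values are assumptions made for this example.

```python
"""Flag DLL loads from user-writable staging directories in image-load telemetry."""
import json
from typing import Iterator, List, Optional

# Constructed Sysmon-style image-load (Event ID 7) records, one JSON object per line.
# Image/ImageLoaded/SignatureStatus follow Sysmon field names; "LoaderSigned" is an
# assumed enrichment field added for this example. Paths and users are made up.
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\winhttp.dll", "SignatureStatus": "Valid", "LoaderSigned": true, "User": "CORP\\alice"}
{"Image": "C:\\Users\\Public\\Documents\\VendorApp.exe", "ImageLoaded": "C:\\Users\\Public\\Documents\\helper.dll", "SignatureStatus": "Unavailable", "LoaderSigned": true, "User": "CORP\\alice"}
{"Image": "C:\\Users\\bob\\Downloads\\tool.exe", "ImageLoaded": "C:\\Users\\bob\\Downloads\\tool.dll", "SignatureStatus": "Unavailable", "LoaderSigned": false, "User": "CORP\\bob"}
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll", "SignatureStatus": "Valid", "LoaderSigned": true, "User": "CORP\\alice"}
"""


def parse_log(text: str) -> Iterator[dict]:
    """Yield one record per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def in_staging_dir(path: str) -> bool:
    """True for Public\\Documents (named in the report) and other user-writable
    locations (Temp, Downloads) that are assumptions for this example."""
    p = _norm(path)
    return (
        p.startswith("c:\\users\\public\\")
        or "\\appdata\\local\\temp\\" in p
        or "\\downloads\\" in p
    )


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for a DLL loaded from a staging directory, else None."""
    dll = _norm(event["ImageLoaded"])
    loader = _norm(event["Image"])
    if not dll.endswith(".dll") or not in_staging_dir(dll):
        return None
    reasons = ["dll_loaded_from_staging_dir"]
    if event.get("SignatureStatus") != "Valid":
        reasons.append("dll_not_validly_signed")
    # Classic sideloading shape: a trusted, signed host executable copied next to
    # the payload in the same writable folder.
    if event.get("LoaderSigned") and in_staging_dir(loader):
        reasons.append("signed_loader_running_from_staging_dir")
    severity = "high" if "signed_loader_running_from_staging_dir" in reasons else "medium"
    return {
        "user": event.get("User"),
        "loader": event["Image"],
        "dll": event["ImageLoaded"],
        "severity": severity,
        "reasons": reasons,
    }


def detect_sideloading(log_text: str) -> List[dict]:
    """Run the rule over a whole log and return the alerts in log order."""
    return [a for a in (evaluate(e) for e in parse_log(log_text)) if a]


if __name__ == "__main__":
    for alert in detect_sideloading(SAMPLE_LOG):
        print(json.dumps(alert))
```

The second sample record is the shape the report describes (signed loader plus unsigned DLL, both in Public\Documents) and is rated high; an unsigned tool loading its own unsigned DLL from Downloads still surfaces, but at medium, since developer and portable-app traffic commonly looks like that. Loads from System32 or Program Files are ignored entirely.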
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Aerospace | Verified |
| Sector | Telecommunication | Verified |
| Region | European Countries | Verified |
Extracted IOCs
- safrangroup-careers[.]com
- telespazio-careers[.]com
- group-policy-update.azurewebsites[.]net
- verify-publisher.azurewebsites[.]net
- petelyudhir@outlook[.]com
- 943981571f4e095063850c26158835b8
- f5dd107eaca971f24effbaf598119ca1
FAQs
Subtle Snail Malware Campaign
A sophisticated malware campaign deployed a modular backdoor and multiple malicious components to steal credentials, monitor user activity, and exfiltrate sensitive data from compromised systems.
The operation is attributed to a threat group referred to as “Subtle Snail.” While the report does not confirm nation-state ties, the group uses advanced stealth and persistence techniques typically associated with targeted cyber-espionage.
The main objectives appear to be data theft and long-term surveillance. This includes stealing credentials, accessing corporate emails, capturing keystrokes, and collecting personal and company files for espionage or criminal purposes.
The report does not list specific victims or industries, but the targeting of Outlook, browser credentials, and system files suggests an interest in corporate, government, or telecom environments.
Attackers sideloaded malicious DLLs alongside trusted software to gain initial access, escalated privileges using signed binaries, and deployed modules for credential theft, keylogging, and browser data extraction. All communications were hidden behind cloud-based infrastructure.
Windows-based corporate systems often store valuable credentials, emails, and project data, and their integration with browsers and password managers makes them prime targets for attackers looking to gather intelligence or steal funds.
Apply behavioral monitoring for DLL sideloading, monitor credential prompts, inspect outbound HTTP(S) traffic for anomalies, enforce MFA, and train users to avoid phishing or unexpected login prompts.
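For the outbound-traffic check in the guidance above, the report gives two useful handles: the C2 domains it lists, and the fact that C2 was proxied through Azure-hosted endpoints. The following is an added example, not code from the report or the vendor: it reads constructed proxy log lines and flags client/host pairs that match the reported domains, that talk to azurewebsites.net hosts outside an assumed allow-list, or that POST at suspiciously regular intervals. The log format, the allow-list, the 10 percent jitter threshold and all client addresses are assumptions made for this example.

```python
"""Inspect outbound HTTP proxy logs for reported C2 domains, unapproved Azure-hosted
endpoints and regular-interval POST beaconing."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Domains listed in the report, with the defanging brackets removed for matching.
IOC_DOMAINS = {
    "safrangroup-careers.com",
    "telespazio-careers.com",
    "group-policy-update.azurewebsites.net",
    "verify-publisher.azurewebsites.net",
}
# Assumed allow-list of Azure-hosted applications the organisation legitimately uses.
ALLOWED_AZURE_HOSTS = {"hr-portal-corp.azurewebsites.net"}
# Coefficient of variation below which request timing counts as "regular" (assumption).
BEACON_CV_THRESHOLD = 0.1
MIN_REQUESTS_FOR_TIMING = 4

# Constructed proxy log: "<timestamp> <client> <method> <host> <bytes_out> <status>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST verify-publisher.azurewebsites.net 512 200
2024-01-01T10:05:01 10.0.0.5 POST verify-publisher.azurewebsites.net 520 200
2024-01-01T10:10:00 10.0.0.5 POST verify-publisher.azurewebsites.net 515 200
2024-01-01T10:14:59 10.0.0.5 POST verify-publisher.azurewebsites.net 518 200
2024-01-01T10:03:12 10.0.0.7 GET hr-portal-corp.azurewebsites.net 0 200
2024-01-01T10:09:40 10.0.0.7 POST hr-portal-corp.azurewebsites.net 2048 200
2024-01-01T10:01:00 10.0.0.9 POST unknown-app.azurewebsites.net 100 200
2024-01-01T10:02:30 10.0.0.9 GET www.example.com 0 200
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format into records with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, host, nbytes, status = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client, "method": method.upper(), "host": host.lower(),
            "bytes": int(nbytes), "status": int(status),
        })
    return records


def flag_destination(host: str) -> List[str]:
    """Static checks on the destination host name."""
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("matches_reported_ioc")
    if host.endswith(".azurewebsites.net") and host not in ALLOWED_AZURE_HOSTS:
        reasons.append("unapproved_azure_hosted_endpoint")
    return reasons


def interval_cv(timestamps: List[datetime]) -> Optional[float]:
    """Coefficient of variation of the gaps between requests; None if too few."""
    if len(timestamps) < MIN_REQUESTS_FOR_TIMING:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    return statistics.stdev(gaps) / mean if mean > 0 else None


def analyze(log_text: str) -> Dict[Tuple[str, str], dict]:
    """Group requests per (client, host) and return only the pairs worth reviewing."""
    groups: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for rec in parse_log(log_text):
        groups[(rec["client"], rec["host"])].append(rec)
    findings = {}
    for (client, host), recs in groups.items():
        reasons = flag_destination(host)
        posts = [r["ts"] for r in recs if r["method"] == "POST"]
        cv = interval_cv(posts)
        if cv is not None and cv < BEACON_CV_THRESHOLD:
            reasons.append("regular_interval_post_beaconing")
        if reasons:
            findings[(client, host)] = {
                "reasons": reasons, "requests": len(recs),
                "bytes_out": sum(r["bytes"] for r in recs), "interval_cv": cv,
            }
    return findings


if __name__ == "__main__":
    for key, finding in analyze(SAMPLE_LOG).items():
        print(key, finding)
```

Two of the four client/host pairs survive: the host posting every five minutes to a reported domain (all three reasons fire) and a single POST to an Azure-hosted app not on the allow-list, which is worth a look rather than an alert. Traffic to the allow-listed Azure app and to an ordinary site is dropped. Matching on the azurewebsites.net suffix is deliberately coarse, so the allow-list has to be maintained; the timing check adds a signal that does not depend on knowing the domain in advance.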
This appears to be a targeted campaign, but the techniques used—especially DLL sideloading and credential theft—are applicable to a wide range of victims and could be reused in broader attacks.