Skip to main content

Exploiting trust in the vendor – cybersecurity provided binary turned malicious

Report summary

This article documents a real world intrusion in which threat actors abused a legitimate, digitally signed Trend Micro component to deploy a sophisticated, multistage Remote Access Trojan (RAT) inside an enterprise network. The investigation began after abnormal internal authentication activity that revealed a compromised web facing server running an outdated component. Following initial access, the attackers conducted extensive internal discovery across the environment, harvested credentials, mapped Active Directory and selectively compromised high value systems.

 

 

Rather than deploying a clearly malicious loader, the attackers repurposed Trend Micro’s ActiveUpdate binary (Build.exe), renamed to LockAp.exe and leveraging DLL side loading to run a malicious dbghelp.dll. This DLL functioned as a stealthy in memory loader, decrypting an RC4 encrypted payload stored in a separate .apx file and executing it without writing the final malware to disk. The resulting backdoor established persistence via services, scheduled tasks and registry RUN keys, injected code into trusted Windows processes and communicated with command and control infrastructure using encrypted multi protocol channels, including named pipes.

The campaign demonstrates how attackers can weaponize trust in security vendors by abusing signed binaries to evade detection and bypass application trust controls. While the techniques observed during this breach- DLL side loading, in memory execution and living off the land reconnaissance – are well known, their combination with a trusted cybersecurity vendor binary significantly increased stealth and dwell time. The case highlights, yet again, the importance of behavior based detection and post exploitation monitoring, as static indicators and signature based defenses alone are insufficient against modern intrusions.

 

Read the full research here.

Posted on: July 2, 2026

Piotr Bienias
Follow or contact Piotr :

Share this article

Dive deeper

  • Service Focus

Cybersecurity

  • Magazine

Digital security magazine 18th Edition

  • Magazine

Digital security magazine 19th Edition