Since mid-2024, SCILabs has consistently identified artifacts used in malware campaigns targeting LATAM that are executed during the infection process through the BPL Side-Loading<\/a> technique in conjunction with IDATLoader<\/a><\/em> malware. Most of these artifacts are distributed via phishing emails.<\/p>\n\n\n\n The information provided here focuses on disclosing some of the malware campaigns primarily affecting Colombia, and potentially other LATAM countries, leveraging email pretexts such as alleged legal demands and citations, as well as a campaign impersonating a Crowdstrike update after the July 19, 2024 incident<\/a>, when the provider released a configuration content update for its Windows sensor (part of the Falcon Sensor platform) that resulted in critical operating system failures (Blue Screen of Death [BSOD<\/a>]) in some Windows hosts.<\/p>\n\n\n\n It is important to notice that this information aims to explain how BPL Side-Loading is exploited in conjunction with IDATLoader<\/em> malware, with the objective of understanding recent malware campaigns under the premise that these techniques will likely continue to be employed constantly by threat actors in the future.<\/p>\n\n\n\n BPL Side-Loading has been previously recorded publicly; however, it hasn\u2019t received enough coverage nor sufficient in-depth analysis. This technique would allow an attacker to deploy any kind of malware, evading security controls such as EDR and AV. Consequently, organizations lacking prior knowledge of this technique and its functionality are unable to implement effective security countermeasures, which may lead to integrity, confidentiality and availability risks, leading to financial losses and reputational damage.<\/p>\n\n\n\n First campaign<\/strong><\/p>\n\n\n\n This campaign was found through open feed posts<\/a> where the distribution method was determined to be phishing emails using a pretext of a supposed legal citation impersonating the \u201cFiscal\u00eda General de la Naci\u00f3n<\/em>\u201d of Colombia.<\/p>\n\n\n This email has a ZIP file attached by the name of \u201c08 CITACION DEMANDA.zip<\/em>\u201d, which works as the first dropper.<\/p>\n\n\n We\u2019ll provide a brief description of the artifacts identified inside the ZIP file, as their full analysis is not the main objective of this post. The focus is to understand their role in exploiting the BPL Side-Loading technique. Moreover, we will examine the functionality of the highlighted artifacts further down the post.<\/p>\n\n\n\n Second campaign<\/strong><\/p>\n\n\n\n SCILabs identified this campaign, which, similar to the first one, targets users in Colombia. It was distributed through phishing emails using the pretext of a legal citation impersonating the \u201cJuzgado Tercero Laboral del Circuito<\/em>\u201d of Colombia.<\/p>\n\n\n This email had an attached SVG file displaying a message that encouraged the victim to download a file related to a supposed citation through a PDF file icon. Within the same email, the attacker provides a password for opening the PDF file as a mechanism to evade automated analysis by AV solutions and sandboxes<\/a>.<\/p>\n\n\n\n Once the victim clicks on the link, a compressed file is automatically downloaded from Dropbox. Similar to the previous campaign, a ZIP file by the name \u201c01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01.zip<\/em>\u201d is downloaded.<\/p>\n\n\n Within the ZIP file we found the following artifacts:<\/p>\n\n\n Third campaign<\/strong><\/p>\n\n\n\n In the third campaign, SCILabs identified the use of a Dropbox storage link hosting a ZIP file by the name \u201ccrowdstrike-hotfix.zip<\/em>\u201d, being this file sample the same as the one reported in Crowdstrike\u2019s Blog<\/a> . According to their post, the distribution method remains unknown and is likely part of a malware campaign targeting LATAM, leveraging a CrowdStrike update pretext as a result from the Crowdstrike failure<\/a> on July 19th<\/sup>, 2024. This sample contains a file by the name \u201cinstrucciones.txt<\/em>\u201d, where the attacker provides alleged steps for executing a file patch. In reality, these instructions lead the victim to execute a malicious file that initiates the infection.<\/p>\n\n\n The zip file contains the following artifacts:<\/p>\n\n\n\n Analysis of BPL Side-Loading technique in conjunction with IDATLoader<\/em><\/strong><\/p>\n\n\n\n BPL Side-Loading is a technique mentioned among the Hijack Execution Flow: DLL techniques<\/a> registered in the MITRE ATT&K framework; however, it does not have an official categorization at the time of writing this post.<\/p>\n\n\n\n A BPL<\/a> (Borland Package Library) file is a package file used by Borland software development tools, such as Delphi and C++ Builder. These files are similar to dynamic link libraries (DLLs) but are specifically designed for applications developed in the aforementioned environments. Like DLLs, BPL files can be loaded dynamically at runtime, allowing applications to extend their functionality without requiring recompilation.<\/p>\n\n\n\n Considering the above, the BPL Side-Loading technique is based on the dependency of applications on external BPL libraries, which can be exchanged or manipulated to load other artifacts into memory, much like DLL Side-Loading<\/a>.<\/p>\n\n\n\n The initial artifact is a legitimate executable that must be launched by the user to continue the attack flow. It is developed in Delphi and requires BPL libraries to function, as is the case with the Data Recovery Backup<\/a>, DualSafe Password Manager<\/a>, and Driver Booster<\/a> applications, which are vulnerable to this technique.<\/p>\n\n\n\n When executed, the libraries required for the application to function are imported by name; therefore, a legitimate BPL library can be easily replaced by one that has been modified by the attacker. In the analyzed campaigns, the malicious file \u201cvcl120.bpl<\/em>\u201d was found in the same directory as the executable, being a malicious BPL tailored by the attacker.<\/p>\n\n\n The executable then imports functions from the malicious BPL library; in this case, the file \u201cvcl120.bpl<\/em><\/a>\u201d. This library has been previously modified by the threat actor to import artifacts that do not correspond to its regular operation. This is where malware called HijackLoader<\/a><\/em> or IDATLoader<\/em> is executed, which begins to read the contents of a file containing the main shellcode and corresponding to the main IDATLoader<\/em> module. In these campaigns, the names of these files are \u201cbarrette.accdb<\/em>\u201d, \u201cdreamland.m4a<\/em>\u201d, and \u201cbattuta.flv<\/em>\u201d. In the example shown in the following image, the name is \u201cdreamland.m4a<\/em>\u201d.<\/p>\n\n\n It is important to mention that in the three campaigns analyzed, the BPL Side-Loading technique has been used in conjunction with the IDATLoader<\/em> malware.<\/p>\n\n\n\n IDATLoader<\/em> is modular in nature, so its loading into memory begins with the main shellcode but consists of different stages. During the analysis, the following were identified:<\/p>\n\n\n\n Persistence through scheduled tasks was also observed:<\/p>\n\n\n At the end of this process, the payload executes actions corresponding to its operation similar to other campaigns. These actions include creating new persistence as in the case of AsyncRAT<\/em> and establishing communications with the command-and-control (C2). Additionally, IDATLoader<\/em> retains the persistence generated during execution.<\/p>\n\n\n\n The following attach chain was recorded by SCILabs after analyzing the previous campaigns disclosed in this post.<\/p>\n\n\n The following TTP matrix, based on the MITRE Framework, was crafted from the analysis of the use of the BPL Side-Loading technique in conjunction with the IDATLoade<\/em>r malware.<\/p>\n\n\n\n The BPL Side-Loading technique is an example of how threat actors are constantly evolving and developing new techniques to evade security tools with the aim of distributing malware, taking advantage of organizations and users that are insufficiently informed or prepared to address emerging threats.<\/p>\n\n\n\n As mentioned in this post, this technique has been used since its discovery by various threat actors in LATAM. SCILabs believes that the number of threat actors using BPL Side-Loading and IDATLoader<\/em> in their malware campaigns targeting the region will increase in the coming months due to a general lack of awareness of how it works among organizations and some manufacturers.<\/p>\n\n\n\n SCILabs provides the following recommendations to avoid falling victim to this technique or, if prevention is not possible, to mitigate its impact.<\/p>\n\n\n\nHow can this affect your organization?<\/h2>\n\n\n\n
Technical analysis<\/h2>\n\n\n\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image.png\")
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-1.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-2.png\")
\n\n\n![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-3.png\")
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-4.png\")
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-5.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-6.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-7.png\")
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-8.png\")
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-9.png\")
\n
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-10.png\")
<\/figure><\/div>\n\n![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-11.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-12.png\")
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-13.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-14.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-15.png\")
<\/figure><\/div>\n\n![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-16.png\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/11\/image-17.png\")
Attack chain summary<\/h2>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
Attack chain process<\/h2>\n\n\n\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/12\/BLPSideLoadingImage-929x1024.png\")
TTPs aligned with MITRE ATT&CK\u00ae framework<\/h2>\n\n\n\n
![\"\"](\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2025\/12\/BLPSideLoadingTTPsMatrix-1024x954.png\")
Conclusion<\/h2>\n\n\n\n
\n
\n