Cybercriminals Laughing All The Way To The LOLBin

The living-off-the-land binary (LOLBin) method is being leveraged by attackers around the globe to spread trojans and other malware.

LOLBins are native utilities that attackers can use to evade detection by blending into normal activity patterns. In this case, the LOLBin is Regsvr32, a legitimate, Microsoft-signed command-line utility that allows Windows users to register and unregister libraries. Registering a .DLL file adds information to the machine’s Registry so that the library can be used by Windows and other programs. Attackers are using Regsvr32 to load COM scriptlets that can bypass application white-listing controls and execute DLLs. These malicious activities are usually executed using malicious macros embedded in Microsoft Office documents with Rich Text Formatting (.docx, .docm, .xlsm, .xlsb, etc.).

Suspicious executions of Regsvr32 can be identified by looking for instances of the utility with Microsoft Word or Microsoft Excel as a parent process. Other indicators are .OCX files that have been placed in the Registry, or executions of Regsvr32 that load a .DLL named “scrobj.dll.”
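
The indicators above can be expressed as a small triage routine over process-creation telemetry. The following is an added example, not code from the original post or the Threatpost report. The field names (Image, ParentImage, CommandLine) are assumed to follow Sysmon-style process-creation events, the sample events are constructed, and an .ocx path on the Regsvr32 command line is used as a stand-in for the .OCX registration indicator.

```python
import ntpath
import re

# Parent processes named in the text: Microsoft Word and Microsoft Excel.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# An argument ending in .ocx (assumption: stands in for ".OCX placed in the Registry").
OCX_ARG = re.compile(r"\.ocx(?=[\s\"']|$)", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()

def regsvr32_findings(event):
    """Return the reasons a process-creation event matches the indicators."""
    if basename(event.get("Image", "")) != "regsvr32.exe":
        return []  # only Regsvr32 executions are in scope
    reasons = []
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("office_parent")
    cmdline = event.get("CommandLine", "")
    if "scrobj.dll" in cmdline.lower():
        reasons.append("loads_scrobj")
    if OCX_ARG.search(cmdline):
        reasons.append("registers_ocx")
    return reasons

def triage(events):
    """Return (index, reasons) for every event with at least one finding."""
    hits = []
    for i, event in enumerate(events):
        reasons = regsvr32_findings(event)
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample events (not real telemetry); paths and arguments are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\sample.ocx"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32.exe /s /i:PLACEHOLDER scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "notepad.exe"},
]
```

The third event shows why the parent-process and argument checks matter: an installer registering an ordinary DLL produces no finding, so routine Regsvr32 use does not drown out the suspicious cases.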

Threatpost Report: https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/


