verification.google: A DLL Sideloading Trojan With Five Embedded Microsoft DLLs and an Actor Named "Zapata"
TL;DR: A 1MB Windows DLL named verification.google appeared on MalwareBazaar on March 10, 2026 -- less than 24 hours old at the time of our investigation. The sample, internally named lets74.dll, is a 32-bit PE dropper that carries five legitimate Microsoft Windows DLLs inside its resource section for DLL sideloading attacks. The malware impersonates a Google verification component (filenames include verification.google and {GUID}.google.dll), spoofs its version information to appear as Microsoft's APHostClient.dll, and exports six deliberately generic functions designed to blend with legitimate Windows services. Anti-analysis features include QueryPerformanceCounter timing checks for debugger detection, INT3 breakpoint scanning, XOR-encoded data, and manual PE export table walking to resolve APIs without import table entries. The actor left a distinctive fingerprint: copyright "Copyright (C) 2026 Zapata" and product name "Mental Management Layer" embedded in the version info alongside the spoofed Microsoft metadata. The lets74 naming convention and build version 7.3.756.8 suggest an organized development pipeline with multiple build variants. With 30 out of 76 AV detections and a VirusTotal "spreader" tag indicating lateral movement capability, this is a professionally engineered credential-stealing trojan from an actor who has been doing this long enough to maintain version control.
Fresh Off the Press: Less Than 24 Hours Old
Some malware arrives on your desk with years of prior reporting and a dozen vendor write-ups. This one arrived still warm.
The file verification.google was first submitted to VirusTotal on March 10, 2026 at 18:17 UTC. It hit MalwareBazaar 43 minutes later at 19:00 UTC, uploaded by the prolific Indian researcher "jitesh." By the time we started pulling it apart, the sample was less than a day old. No prior reporting existed. No vendor blog posts. No YARA rule libraries.
What we found was a meticulously engineered DLL sideloading dropper from an actor who signs their work.
What Was Found vs. What Was Known
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| Sample Existence | First appeared March 10, 2026 | Confirmed -- less than 24 hours old at analysis time |
| Malware Family | Generic classifications (Babar, Wacatac, GenKryptik) | DLL sideloading dropper with credential theft capabilities |
| Actor Attribution | None | "Zapata" copyright, "Mental Management Layer" product name, lets74.dll internal name |
| DLL Arsenal | Unknown | 5 embedded legitimate Microsoft DLLs for sideloading |
| Google Impersonation | Unknown | Filename patterns: verification.google, <hash>.google.dll |
| Anti-Analysis | Unknown | Timing checks, INT3 scanning, XOR encoding, manual PE export walking |
| C2 Infrastructure | Unknown | None extracted -- runtime-decrypted configuration |
| Delivery | "web_download" | 9 URLs tracked on URLhaus |
| Lateral Movement | VT "spreader" tag | Confirmed tag, mechanism not yet observed |
The Attack Chain: From Google Verification Lure to Shell Extension Persistence
[1. Social Engineering]
Victim encounters "verification.google" file
Likely distributed via web download (9 URLhaus entries)
Google verification theme builds trust
|
v
[2. Execution via DLL Sideloading]
Parent process: 13f43b565119f43f7155f96cafa8b05d.exe
loads verification.google / lets74.dll
|
v
[3. Anti-Analysis Gauntlet]
QueryPerformanceCounter timing check (debugger detection)
INT3 / 0xCC breakpoint scanning
Manual PE export table resolution (evades IAT hooks)
|
v
[4. Resource Extraction]
5 legitimate Microsoft DLLs extracted from .rsrc:
+-- APHostClient.dll (100 KB, Accounts Host Service)
+-- KBDmonmo.dll (20 KB, keyboard layout)
+-- nshhttp.dll (75 KB, HTTP netsh helper)
+-- SensorsUtilsV2.dll (272 KB, sensor utilities)
+-- AuthFWWizFwk.dll (110 KB, wizard framework)
|
v
[5. DLL Search Order Hijack]
Extracted DLLs placed alongside legitimate executables
Windows loads trojan DLL via search order precedence
Trojan proxies calls to real DLL + executes payload
|
v
[6. Payload Execution]
Credential theft (TrojanPSW.Amatera classification)
Registry manipulation (RegOpenKeyA/ExA)
User information harvesting (GetUserNameA)
Window enumeration (GetForegroundWindow, IsWindowVisible)
System fingerprinting (GetSystemInfo, GetSystemMetrics)
|
v
[7. Lateral Movement]
"Spreader" tag -- mechanism unobserved
Drop pattern: %TEMP%\<hash>.google.dll
COM activation manifest for persistence
The DLL: Anatomy of a Sideloading Arsenal
The PE structure tells the story of a binary engineered for evasion.
| Property | Value |
|---|---|
| SHA-256 | bd6c1844db5e44310542a69aa4ba433430d25a2622c98cf819247330b8826c64 |
| MD5 | fb5b87fcc847ea301187e0f9559cf35e |
| File Size | 1,056,256 bytes (1 MB) |
| File Type | PE32 executable (DLL) (GUI) Intel 80386 |
| Export Name | lets74.dll |
| Compilation | 2024-11-20 06:50:43 UTC |
| Imphash | 97b58aa5064d53ed27a0a0f8cd166ba5 |
| VT Detection | 30/76 (39.5%) |
| VT Tags | spreader |
Section Analysis
| Section | Virtual Size | Raw Size | Entropy | Notes |
|---|---|---|---|---|
| .text | 259 KB | 259 KB | 6.32 | Main executable code |
| .rdata | 167 KB | 167 KB | 7.53 | High entropy -- encrypted strings/config |
| .data | 180 bytes | 512 bytes | 1.10 | Minimal writable data |
| .rsrc | 615 KB | 615 KB | 5.85 | Embedded PE files (sideloading arsenal) |
| .reloc | 11 KB | 11 KB | 6.72 | Relocations |
The .rsrc section is 615 KB -- 58% of the total file size. That is where the five Microsoft DLLs live. The .rdata section's entropy of 7.53 (close to the 8.0 theoretical maximum for random data) indicates heavily encrypted or encoded content, likely containing the runtime configuration and C2 parameters that static analysis cannot reach.
The Dual Identity: Two Version Info Blocks
The binary contains two separate version information resources -- one spoofed, one real.
The Disguise (Microsoft metadata):
| Field | Value |
|---|---|
| CompanyName | Microsoft Corporation |
| FileDescription | Accounts Host Service RPC Client |
| FileVersion | 10.0.26100.1150 (WinBuild.160101.0800) |
| InternalName | APHostClient |
| OriginalFilename | APHostClient.dll |
| ProductName | Microsoft Windows Operating System |
| Copyright | (C) Microsoft Corporation. All rights reserved. |
The Truth (actor fingerprints):
| Field | Value |
|---|---|
| Product | Mental Management Layer |
| InternalName | lets74.dll |
| Copyright | Copyright (C) 2026 Zapata |
| FileVersion | 7.3.756.8 |
This dual identity is deliberate. The spoofed Microsoft metadata is designed to pass cursory inspection -- if a security tool or analyst checks the version info, they see what appears to be a legitimate Microsoft DLL. The actor's own metadata is embedded in a secondary version info resource that most tools will not display by default. It takes manual inspection of the PE resource directory to find it.
The "Zapata" copyright is bold. Either the actor is signing their work with a pseudonym (suggesting confidence, or arrogance), or it is a false flag designed to misdirect attribution. The build version 7.3.756.8 is detailed enough to indicate a systematic development process -- this is not a one-off tool.
The Sideloading Arsenal: Five Microsoft DLLs
The .rsrc section contains five legitimate, clean Microsoft Windows DLLs:
| # | Name | Size | Architecture | Timestamp | VT Score | Purpose |
|---|---|---|---|---|---|---|
| 1 | APHostClient.dll | 100 KB | x64 | 2025-05-20 | 0/76 | Accounts Host Service (primary sideload target) |
| 2 | KBDmonmo.dll | 20 KB | x64 | 2007-04-02 | -- | Keyboard layout driver |
| 3 | nshhttp.dll | 75 KB | x86 | 2004-08-17 | -- | HTTP netsh helper |
| 4 | SensorsUtilsV2.dll | 272 KB | x64 | Manipulated | -- | Sensor utilities |
| 5 | AuthFWWizFwk.dll | 110 KB | x86 | Manipulated | -- | Wizard Framework (.NET) |
The inclusion of both x86 and x64 DLLs is strategic. It allows the trojan to target both 32-bit and 64-bit Windows environments without needing separate builds. The mix of DLL ages (2004 to 2025) and types (native, .NET) suggests the operator tested multiple sideloading vectors and selected the most reliable combination.
The technique works like this: the trojan drops itself and the legitimate Microsoft DLLs into a directory, then launches a legitimate executable (observed parent: 13f43b565119f43f7155f96cafa8b05d.exe) from that same directory. When the legitimate executable loads a DLL by name, Windows searches the application directory before the system directory. The trojan DLL, named to match the expected import, gets loaded instead of the real system DLL. The trojan then proxies legitimate function calls through to the real DLL (which it also carries) while executing its malicious payload in parallel.
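To enumerate an arsenal like the one above, an analyst carves the embedded PE images out of the .rsrc bytes and reads each one's COFF header for architecture and DLL flag. The following is an added example, not code from the original analysis; it runs against minimal PE images it constructs itself (the real sample's DLLs are not reproduced here), and it rejects decoy "MZ" bytes whose e_lfanew points outside the blob.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}

def parse_pe_at(blob: bytes, pos: int):
    """Validate an 'MZ' candidate at pos; return its metadata, or None if it is not a PE image."""
    if pos + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
    pe = pos + e_lfanew
    # Reject decoy 'MZ' bytes: the NT header must lie inside the blob and carry the PE signature
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    # On-disk extent = max(PointerToRawData + SizeOfRawData) over the section table
    end = e_lfanew + 24 + opt_size + nsect * 40
    for i in range(nsect):
        off = pe + 24 + opt_size + i * 40
        if off + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        end = max(end, raw_ptr + raw_size)
    return {"offset": pos, "size": min(end, len(blob) - pos),
            "machine": MACHINE_NAMES.get(machine, hex(machine)), "is_dll": bool(chars & IMAGE_FILE_DLL)}

def carve_embedded_pes(blob: bytes) -> list:
    """Find every embedded PE image in blob, jumping past each image once it is parsed."""
    images, pos = [], blob.find(b"MZ")
    while pos >= 0:
        img = parse_pe_at(blob, pos)
        if img:
            images.append(img)
        pos = blob.find(b"MZ", pos + (img["size"] if img else 2))
    return images

def build_min_pe(machine: int, dll: bool, body: bytes) -> bytes:
    """Constructed fixture: a minimal single-section PE image, not taken from the real sample."""
    opt_size, magic = (0xF0, 0x20B) if machine == IMAGE_FILE_MACHINE_AMD64 else (0xE0, 0x10B)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, IMAGE_FILE_DLL if dll else 0)
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (0x200 - len(hdr)) + body

# Constructed blob: filler, an x64 DLL, a decoy 'MZ' with a bogus e_lfanew, an x86 DLL, trailing filler
SAMPLE_BLOB = (b"\x11" * 7 + build_min_pe(IMAGE_FILE_MACHINE_AMD64, True, b"A" * 300) + b"MZ" + b"\xff" * 0x3E
               + build_min_pe(IMAGE_FILE_MACHINE_I386, True, b"B" * 100) + b"\x22" * 5)

if __name__ == "__main__":
    for img in carve_embedded_pes(SAMPLE_BLOB):
        print(f"offset={img['offset']:#x} size={img['size']} arch={img['machine']} dll={img['is_dll']}")
```

On a real sample, feed it the raw bytes of the .rsrc section and compare the carved images' hashes against the IoC list.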
Export Functions: The Art of Looking Normal
The DLL exports six functions with names designed to blend with Windows service APIs:
- AcquireService
- EnableRuntimeData
- QueryContextStatus
- ReleaseStreamStatus
- StopObjectW
- SuspendContextStatus
These names follow Windows naming conventions -- verb + noun, PascalCase, the occasional W suffix for wide-character variants. A security analyst scanning a process's loaded DLLs would see function names that look like they belong to a legitimate Windows service. None of these names appear in any known Microsoft DLL, but they are designed to pass the "does this look suspicious at a glance" test.
Anti-Analysis: Four Layers of Defense
1. Timing-Based Debugger Detection
The import table includes QueryPerformanceCounter and QueryPerformanceFrequency from kernel32.dll. The malware calls QueryPerformanceCounter at two points during execution and compares the elapsed time. If the time between calls exceeds a threshold (which it would if a debugger paused execution), the malware alters its behavior or exits. This is a classic anti-debugging technique that catches both manual debugging and some automated analysis environments.
2. INT3 Breakpoint Scanning
The binary scans its own code sections for 0xCC bytes -- the x86 opcode for the INT3 software breakpoint instruction. When a debugger sets a breakpoint, it replaces the original instruction byte with 0xCC. If the malware finds 0xCC where it should not be, it knows a debugger has modified its code.
3. XOR-Encoded Data
The .rdata section's entropy of 7.53 indicates that configuration data, strings, and possibly C2 parameters are XOR-encoded or otherwise encrypted. This prevents static analysis tools from extracting meaningful strings without running the decryption routine -- which requires understanding the key derivation mechanism, which may depend on runtime environment variables.
4. Manual PE Export Table Resolution
Instead of relying on the standard Windows import table to resolve API functions, the malware manually parses PE export directories at runtime. This bypasses IAT (Import Address Table) hooking -- a technique used by security tools and debuggers to intercept API calls. By walking the export table directly, the malware can call Windows APIs without triggering hooks placed by security software.
The "Zapata" Actor Profile
| Attribute | Assessment |
|---|---|
| Alias | Zapata (from copyright string) |
| Sophistication | MEDIUM-HIGH |
| Development Pipeline | Organized -- version tracking (7.3.756.8), build variants (lets74 = variant 74) |
| Capability | DLL sideloading expertise, anti-analysis awareness, API hooking evasion |
| Motivation | Financial (credential theft -- TrojanPSW.Amatera classification) |
| Possible Origin | Unknown. "Zapata" is a common Latin American surname but could be a false flag |
| OPSEC | Mixed -- sophisticated code, but leaves copyright and product name in binary |
The lets74.dll naming convention deserves attention. The numeric suffix 74 almost certainly indicates this is variant 74 of the "lets" campaign or tool family. If the actor has been incrementing through variants, this implies a sustained development effort with dozens of prior builds. The detailed version number (7.3.756.8) reinforces this -- four-component versioning with a build number of 756 suggests hundreds of builds across the project's lifetime.
A Note on the "Babar" Classification
Multiple AV engines (BitDefender, Arcabit, Emsisoft, GData, MicroWorld-eScan, VIPRE) classify this as Gen:Variant.Babar.705721. The historical Babar malware was attributed to French intelligence (CSEC/DGSE) in the SNOWGLOBE operation. However, in modern AV engines, "Babar" is a generic family name applied to a broad category of trojans with similar structural characteristics. This sample should not be attributed to French intelligence based on AV classification names alone. The actor fingerprints ("Zapata", Latin American naming, build versioning style) are inconsistent with known French APT tradecraft.
OPSEC Failures
- Copyright string: "Copyright (C) 2026 Zapata" -- a distinctive, searchable actor fingerprint left in the binary
- Product name: "Mental Management Layer" -- unique enough to serve as a campaign tracking indicator across builds
- Internal name: `lets74.dll` -- reveals the build variant numbering scheme
- Build version: `7.3.756.8` -- detailed version tracking exposes development practices
- Mixed architecture DLLs: Bundles both x86 and x64 DLLs, revealing multi-environment testing
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Defense Evasion | DLL Side-Loading | T1574.002 | 5 embedded Microsoft DLLs for sideloading |
| Defense Evasion | Masquerading | T1036.005 | Google verification filename, Microsoft metadata |
| Defense Evasion | Obfuscated Files or Information | T1027 | XOR encoding, high-entropy .rdata section |
| Execution | Native API | T1106 | Manual PE export table walking for API resolution |
| Persistence | DLL Search Order Hijacking | T1574.001 | Legitimate DLLs placed for search order abuse |
| Discovery | System Information Discovery | T1082 | GetSystemInfo, GetSystemMetrics, GetDeviceCaps |
| Discovery | Process Discovery | T1057 | Debugger detection via process analysis |
| Credential Access | Credentials from Password Stores | T1555 | TrojanPSW classification, registry enumeration |
| Lateral Movement | Spreader | -- | VT tag indicates lateral movement capability |
Indicators of Compromise
File Indicators
# Primary Sample (verification.google / lets74.dll)
SHA256: bd6c1844db5e44310542a69aa4ba433430d25a2622c98cf819247330b8826c64
MD5: fb5b87fcc847ea301187e0f9559cf35e
SHA1: c3c54647f1a3f486ce5e4721fd5fb07df12d6561
Imphash: 97b58aa5064d53ed27a0a0f8cd166ba5
# Embedded Microsoft DLLs (legitimate -- presence is the indicator)
APHostClient.dll: bbe92c510b610faee66b5b3f0e458f6a0521ed831b89e681c68e1c3741342f55
KBDmonmo.dll: 32ddbf2f7389cd6e06c51f6eea834e458747cdc54d0807b64eeb01e8adc7f10d
nshhttp.dll: 5a86aa47e2e6e2e87a4bc4f99a9586ff449c9ee13ce7436a9966f12be448d701
SensorsUtilsV2.dll: 5d724af8e4007f9aa224f37665a7469c345ef7c982b3d89d0adf5e0808464317
AuthFWWizFwk.dll: c68f0c6882c997c2b10e8be3632e380721069c3e0a2e58a851a37a3310ba5ebc
Behavioral Indicators
# Known Filenames (defanged)
verification[.]google
lets74[.]dll
druht8t3y[.]exe
{991AC655-68A1-4DE5-8764-D5D2F9600CEB}[.]google
43daf98a581a21ed92af0c90ed2eaade[.]google[.]dll (sandbox drop)
# Drop Pattern
%TEMP%\<32-char-hex>.google.dll
%TEMP%\<32-char-hex>.google.dll.manifest
# Version Info Strings (campaign fingerprints)
Copyright (C) 2026 Zapata
Mental Management Layer
lets74.dll
Version 7.3.756.8
# Export Functions
AcquireService
EnableRuntimeData
QueryContextStatus
ReleaseStreamStatus
StopObjectW
SuspendContextStatus
Recommended Actions
Immediate (24-48 hours)
- Block SHA256 `bd6c1844db5e44310542a69aa4ba433430d25a2622c98cf819247330b8826c64` at endpoint and email gateway
- Hunt for files matching `*.google` or `*.google.dll` in `%TEMP%` directories across all endpoints
- Alert on `lets74.dll` export name in DLL load events (Sysmon Event ID 7)
- Monitor for `verification.google` and `{991AC655-68A1-4DE5-8764-D5D2F9600CEB}.google` filenames
- Search for version info containing "Mental Management Layer" or "Zapata" across file repositories
Short-term (1-2 weeks)
- Resubmit sample to CAPE, ANY.RUN, and Hybrid Analysis for full behavioral network capture -- the current sandbox runs have not captured C2 traffic
- Monitor URLhaus entries for the 9 tracked delivery URLs to become public
- Search enterprise logs for `druht8t3y.exe` (known associated executable name)
- Hunt for APHostClient.dll, KBDmonmo.dll, nshhttp.dll, SensorsUtilsV2.dll, or AuthFWWizFwk.dll appearing in non-system directories -- legitimate copies should only exist in `%SystemRoot%\System32`
Medium-term (1-3 months)
- Monitor for new samples with the `lets` naming pattern -- if this is variant 74, there will be a variant 75
- Build behavioral detection for the `.google.dll` drop pattern in TEMP directories
- Track MalwareBazaar for new uploads by reporter `jitesh` for campaign correlation
- Develop Sysmon rules for DLL loads where the loaded DLL's internal name does not match the filename on disk (internal name `lets74.dll` loaded as `verification.google`)
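The hunting rules in the three lists above (internal-name mismatch on Sysmon Event ID 7, the five Microsoft DLLs loading from outside a system directory, the `%TEMP%\<32-char-hex>.google.dll` drop pattern on Event ID 11, and the known filenames) are applied together in the following triage script. It is an added example, not tooling from the original report; it assumes a simplified constructed `Key=value|Key=value` serialization of the Sysmon fields rather than Sysmon's native XML, the log records are constructed, and the SysWOW64 entry is an assumption added for 32-bit system DLL copies on 64-bit Windows.

```python
import ntpath
import re

# Names taken from the report; matching is case-insensitive
SIDELOAD_DLLS = {"aphostclient.dll", "kbdmonmo.dll", "nshhttp.dll", "sensorsutilsv2.dll", "authfwwizfwk.dll"}
KNOWN_NAMES = {"verification.google", "lets74.dll", "druht8t3y.exe",
               "{991ac655-68a1-4de5-8764-d5d2f9600ceb}.google"}
# SysWOW64 is an assumption added here: 32-bit copies of system DLLs live there on 64-bit Windows
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DROP_RE = re.compile(r"\\temp\\[0-9a-f]{32}\.google\.dll(\.manifest)?$", re.IGNORECASE)

def parse_line(line: str) -> dict:
    """Constructed 'Key=value|Key=value' serialization of Sysmon fields (not Sysmon's native XML)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def triage_event(ev: dict) -> list:
    """Return the hunting rules one event trips; an empty list means nothing matched."""
    hits = []
    if ev.get("EventID") == "7":  # Image loaded
        loaded = ev["ImageLoaded"]
        base = ntpath.basename(loaded).lower()
        orig = ev.get("OriginalFileName", "").lower()
        # Internal name differs from the on-disk name (lets74.dll loaded as verification.google).
        # Noisy on its own: some legitimate DLLs differ too, so pair it with an allowlist in production.
        if orig not in ("", "-") and orig != base:
            hits.append(f"internal-name mismatch: {orig} loaded as {base}")
        if base in SIDELOAD_DLLS and not ntpath.dirname(loaded).lower().startswith(SYSTEM_DIRS):
            hits.append(f"sideload candidate: {base} loaded from outside a system directory")
        if base in KNOWN_NAMES or orig in KNOWN_NAMES:
            hits.append(f"known campaign filename: {base}")
    elif ev.get("EventID") == "11":  # File created
        target = ev["TargetFilename"]
        if DROP_RE.search(target):
            hits.append(f"TEMP drop pattern: {ntpath.basename(target)}")
        elif ntpath.basename(target).lower() in KNOWN_NAMES:
            hits.append(f"known campaign filename: {ntpath.basename(target)}")
    return hits

def triage_log(lines) -> list:
    """Return (line index, finding) pairs for every rule hit across a log."""
    return [(i, hit) for i, line in enumerate(lines) for hit in triage_event(parse_line(line))]

TEMP = r"C:\Users\analyst\AppData\Local\Temp"  # constructed sample path
SAMPLE_LOG = [  # constructed records; only the parent exe name and DLL names come from the report
    rf"EventID=7|Image={TEMP}\13f43b565119f43f7155f96cafa8b05d.exe|ImageLoaded={TEMP}\verification.google|OriginalFileName=lets74.dll",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\APHostClient.dll|OriginalFileName=APHostClient.dll",
    rf"EventID=7|Image={TEMP}\13f43b565119f43f7155f96cafa8b05d.exe|ImageLoaded={TEMP}\APHostClient.dll|OriginalFileName=APHostClient.dll",
    rf"EventID=11|Image={TEMP}\13f43b565119f43f7155f96cafa8b05d.exe|TargetFilename={TEMP}\43daf98a581a21ed92af0c90ed2eaade.google.dll",
    rf"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename={TEMP}\report.docx",
]

if __name__ == "__main__":
    for idx, finding in triage_log(SAMPLE_LOG):
        print(f"record {idx}: {finding}")
```

The legitimate System32 load of APHostClient.dll (record 1) and the unrelated document write (record 4) produce no findings, while the sideloaded copy, the mismatched internal name and the TEMP drop each do.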
References
- MalwareBazaar: https://bazaar.abuse.ch/sample/bd6c1844db5e44310542a69aa4ba433430d25a2622c98cf819247330b8826c64/
- CAPE Sandbox: https://www.capesandbox.com/analysis/56977/
- URLhaus entries: 3793754, 3793758, 3793760, 3793763, 3793765, 3793768, 3793769, 3793770, 3793771
Published by Breakglass Intelligence. Investigation conducted 2026-03-11. 1 DLL. 5 embedded Microsoft binaries. 6 fake export functions. 1 actor named "Zapata" who signs their work. Classification: TLP:CLEAR