Cybersecurity experts have identified a new attack vector in which threat actors exploit a vulnerability in Google Chrome version 133.0.6943.126 using DLL side-loading.
This advanced attack enables the execution of malicious code through Chrome’s trusted subprocesses, posing a significant security threat to users worldwide.
DLL side-loading is a tactic attackers use to take advantage of how Windows applications load Dynamic Link Libraries (DLLs). By exploiting the Windows DLL search order, malicious DLLs can be loaded instead of legitimate ones.
In this instance, according to the report by Threatmon, attackers are targeting Chrome’s processes by substituting the legitimate chrome_elf.dll file with a malicious version.
“DLL search order hijacking is among the most frequently used methods of DLL sideloading, wherein an attacker places a malicious DLL with the same name as a legitimate DLL in a location that is searched before reaching the legitimate DLL’s path,” as explained by Securonix Threat Research.
When Chrome is running, it inadvertently loads the attacker’s DLL, thereby executing malicious code with the browser’s trusted privileges.
Exploiting the DLL Side-Loading Flaw in Google Chrome
This exploit capitalizes on a vulnerability present in the latest version of Chrome (133.0.6943.126) released in February 2025.
Although Google has issued security updates to address other high-severity vulnerabilities in Chrome 133, this specific DLL side-loading vulnerability still appears to be exploitable.
The attack employs a sophisticated technique called DLL proxying: the malicious DLL acts as a proxy, intercepting function calls from the executable and redirecting them to a legitimate DLL. The application keeps functioning normally while the malicious code runs undetected.
Security analysts have observed that the attack’s execution is remarkably intricate:
- A persistent backdoor is created by the malicious DLL, which remains operational even after Chrome is shut down
- Security tools have extremely low detection rates for the malicious DLL, spotting it in only 2 out of 70 scans
- The malware employs evasion tactics to escape detection during analysis
An interesting aspect of this attack is the use of the Nim programming language to write the malicious code.
Nim is an unconventional choice for developing malware, but it offers attackers advantages such as bypassing signature-based detection and impeding analysis by security researchers unfamiliar with the language.
This attack indicates a worrying shift in threat strategies. Even though DLL side-loading has been known since at least 2010, its application against widely used software like Chrome underscores how attackers continue to refine established methods.
The vulnerability impacts Chrome version 133.0.6943.126 across Windows, macOS, and Linux. It’s highly recommended that users promptly update their browsers and implement additional security measures.
Countermeasures
Security professionals suggest several protective steps:
- Immediate update of Chrome to the newest version
- Deployment of endpoint detection solutions capable of recognizing DLL side-loading
- Employment of application whitelisting to block unauthorized DLL loading
- Close monitoring of system processes for any unusual activity after Chrome is closed
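As an illustration of the detection step above, the following added example (not code from the Threatmon report or from any vendor) triages module-load telemetry for chrome_elf.dll loads by chrome.exe. It assumes events shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus), a genuine DLL signed by Google LLC, and an install layout where the DLL sits under the chrome.exe directory; the sample events are constructed.

```python
import ntpath

# Assumption: the genuine chrome_elf.dll carries a valid Google LLC signature.
TRUSTED_SIGNER = "google llc"
WATCHED_DLL = "chrome_elf.dll"
HOST_PROCESS = "chrome.exe"

def side_load_findings(event):
    """Return reasons an image-load event looks like a chrome_elf.dll side-load."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != HOST_PROCESS:
        return []
    if ntpath.basename(loaded).lower() != WATCHED_DLL:
        return []
    reasons = []
    # Missing signature fields are treated as unsigned rather than trusted.
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("unsigned")
    elif event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("invalid signature")
    elif event.get("Signature", "").lower() != TRUSTED_SIGNER:
        reasons.append("unexpected signer")
    # Assumption: the DLL is loaded from inside the directory tree of chrome.exe.
    root = ntpath.normcase(ntpath.dirname(image)) + "\\"
    if not ntpath.normcase(loaded).startswith(root):
        reasons.append("loaded from outside install tree")
    return reasons

def triage(events):
    """Map each suspicious ImageLoaded path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := side_load_findings(e))}

# Constructed sample events (not real telemetry); paths and values are illustrative.
APP = r"C:\Program Files\Google\Chrome\Application"
SAMPLE_EVENTS = [
    {"Image": APP + r"\chrome.exe", "ImageLoaded": APP + r"\133.0.6943.126\chrome_elf.dll",
     "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid"},
    {"Image": APP + r"\chrome.exe", "ImageLoaded": APP + r"\chrome_elf.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\chrome.exe", "ImageLoaded": r"C:\Users\Public\chrome_elf.dll",
     "Signed": "true", "Signature": "Example Corp", "SignatureStatus": "Valid"},
    {"Image": APP + r"\chrome.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(reasons))
```

A rule like this complements hash-based scanning, which the low detection rate cited above shows can miss a proxied DLL.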
Given the increasing sophistication of these attacks, organizations must maintain a vigilant and proactive security stance to defend against this evolving threat landscape.
The article Threat Actors Exploiting DLL Side-Loading Vulnerability in Google Chrome to Execute Malicious Payloads first appeared on Cyber Security News.