Frequently Asked Questions
Threat Analysis & SILKLOADER Details
What is SILKLOADER and how does it operate?
SILKLOADER is a malicious loader designed to mimic the legitimate libvlc.dll file used by VLC media player. Instead of modifying the open-source libvlc code, threat actors created DLLs from scratch, replicating export function names to ensure compatibility. Only the 'libvlc_new' export function contains malicious code, which acts as a shellcode loader. When the renamed VLC executable is launched, this function is called, executing the malicious payload immediately.
How does SILKLOADER evade sandbox analysis?
SILKLOADER includes three anti-sandbox checks: it terminates execution if the username is 'vbccsb' (used by ThreatBook Cloud Sandbox), if the process command line contains 'TRANSFER' (likely targeting VirusTotal sandboxes), or if the process name matches certain hard-coded values (e.g., msdtc.exe, wpspdf.exe, charmap.exe), which are used by some sandboxes instead of the original filename.
What payload does SILKLOADER deliver?
All analyzed SILKLOADER samples delivered a Cobalt Strike reflective loader as the final payload. This means SILKLOADER is specifically designed to be used as a Cobalt Strike beacon loader, enabling post-exploitation activities.
How does SILKLOADER decode and execute its payload?
SILKLOADER decodes base64-encoded shellcode using the CryptStringToBinaryA function, performs anti-analysis checks, and then proxies execution to the shellcode by calling CertEnumSystemStoreLocation with the shellcode's address as a callback. The shellcode contains a stub that decodes an appended, XORed payload, which is the Cobalt Strike loader.
Why do threat actors use DLL side-loading techniques like SILKLOADER?
DLL side-loading techniques like SILKLOADER allow threat actors to execute malicious code by exploiting legitimate applications (such as VLC) that load DLLs by name. By mimicking legitimate DLLs, attackers can evade detection and leverage trusted processes to run their payloads.
What anti-analysis techniques are used by SILKLOADER?
SILKLOADER uses encrypted API function and module names (XOR-based), anti-sandbox checks (username, command line, process name), and dynamic shellcode decoding to hinder analysis and evade automated detection tools.
How does SILKLOADER mimic legitimate DLLs?
SILKLOADER mimics legitimate DLLs by implementing all expected export functions found in the real libvlc.dll, but only the 'libvlc_new' export contains malicious code. The rest are implemented as trivial stubs, ensuring compatibility with the VLC executable.
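Added example, not code from this FAQ, from Cymulate, or from the analysed samples: a Python heuristic that flags the structural profile described in the two answers above, namely a libvlc.dll whose exports are all trivial stubs except libvlc_new, combined with the CryptStringToBinaryA (base64 decode) plus CertEnumSystemStoreLocation (callback execution proxy) import pair. The export-name subset, the code bytes, and the 8-byte stub threshold are constructed assumptions, and the caller is assumed to have already read each export's code bytes out of the PE.

```python
from dataclasses import dataclass

# Subset of genuine libvlc exports a look-alike DLL must replicate to load at all (assumed).
EXPECTED_EXPORTS = {"libvlc_new", "libvlc_release", "libvlc_get_version",
                    "libvlc_media_new_path", "libvlc_media_player_new"}
# Import pair the FAQ describes: base64 decode plus callback-based execution proxy.
LOADER_IMPORT_PAIR = {"CryptStringToBinaryA", "CertEnumSystemStoreLocation"}
MAX_STUB_BYTES = 8  # "xor eax,eax; ret" style bodies are far shorter than real functions (assumed cutoff)

@dataclass
class Verdict:
    stub_exports: list
    real_exports: list
    has_loader_imports: bool
    suspicious: bool

def is_stub(code: bytes) -> bool:
    """A body of at most MAX_STUB_BYTES that ends in RET (C3) or RET imm16 (C2 xx xx)."""
    if not code or len(code) > MAX_STUB_BYTES:
        return False
    return code[-1] == 0xC3 or (len(code) >= 3 and code[-3] == 0xC2)

def assess(exports: dict, imports: set) -> Verdict:
    """exports maps export name -> code bytes at that export's RVA; imports is a set of API names."""
    stubs = sorted(n for n, c in exports.items() if is_stub(c))
    real = sorted(n for n, c in exports.items() if not is_stub(c))
    has_pair = LOADER_IMPORT_PAIR.issubset(imports)
    # Profile: names match the genuine DLL, but almost nothing behind them is real code.
    mimics_names = EXPECTED_EXPORTS.issubset(exports)
    single_real_entry = len(real) == 1 and len(stubs) >= 3
    return Verdict(stubs, real, has_pair, mimics_names and single_real_entry and has_pair)

# Constructed sample modelled on the described layout: only libvlc_new carries code.
FAKE_LIBVLC = {
    "libvlc_new": bytes.fromhex("4883ec28488d0d00000000ff1500000000"),  # realistic prologue length
    "libvlc_release": b"\xc3",                          # ret
    "libvlc_get_version": b"\x31\xc0\xc3",              # xor eax,eax; ret
    "libvlc_media_new_path": b"\x33\xc0\xc3",           # xor eax,eax; ret
    "libvlc_media_player_new": b"\xb8\x00\x00\x00\x00\xc3",  # mov eax,0; ret
}
FAKE_IMPORTS = {"CryptStringToBinaryA", "CertEnumSystemStoreLocation", "GetUserNameA"}

if __name__ == "__main__":
    print(assess(FAKE_LIBVLC, FAKE_IMPORTS))
```

A genuine libvlc.dll fails the check because every export has a real body, and a stub-heavy DLL without the import pair is reported with the stub list but not marked suspicious.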
What is the significance of the 'libvlc_new' export function in SILKLOADER?
The 'libvlc_new' export function is the only export in the malicious DLL that contains code. It is called by the VLC executable to create a libvlc instance, and in SILKLOADER, it triggers the execution of the malicious shellcode loader.
Which filenames are used by SILKLOADER for anti-sandbox checks?
SILKLOADER checks if the process name matches hard-coded values such as msdtc.exe, wpspdf.exe, or charmap.exe. These filenames are used by some sandboxes instead of the original filename, and matching them causes SILKLOADER to terminate execution.
How does SILKLOADER handle encrypted function and module names?
SILKLOADER encrypts API function and module names using a simple XOR-based algorithm. The loader dynamically resolves and decrypts these names at runtime to hinder static analysis and detection.
Platform Features & Capabilities
What are the key features of the Cymulate platform?
Cymulate offers continuous threat validation, unified Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), exposure analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.
How does Cymulate's Threat Validation solution differ from manual pen tests and traditional BAS?
Cymulate's Exposure Validation provides automated, continuous security testing with a library of over 100,000 attack actions, easy out-of-the-box control integrations, and automated mitigation capabilities. This approach overcomes the limitations of infrequent manual tests and cumbersome traditional BAS tools.
What is the benefit of Cymulate's immediate threats module?
According to a Penetration Tester, Cymulate's immediate threats module is updated quickly, allowing organizations to assess their risk from new attacks and implement remedial action rapidly.
How does Cymulate's Threat (IoC) updates feature improve threat resilience?
The Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving threat resilience by enabling rapid defense against new threats.
What integrations does Cymulate support?
Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.
How does Cymulate Exposure Validation support a threat-informed defense strategy?
Cymulate Exposure Validation continuously validates security controls against the latest threats and attack techniques, ensuring defenses are always prepared for current and emerging adversarial methods.
What is the Hopper capability in Cymulate and how does it benefit organizations?
The Hopper capability provides lateral movement assessments, helping organizations understand security gaps and actions needed to prevent attackers from moving laterally within their environment. For example, Globeleq uses Hopper to reduce the potential 'blast radius' of attacks. Read the case study.
What specific Cymulate offerings are included in the Threat Validation solution?
The Threat Validation solution includes Cymulate Exposure Validation, Cymulate Auto Mitigation (optional), and Cymulate Custom Attacks (optional).
Use Cases & Benefits
Who can benefit from using Cymulate?
Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.
What problems does Cymulate solve for security teams?
Cymulate addresses overwhelming threat volumes, lack of visibility, unclear risk prioritization, resource constraints, fragmented tools, and operational inefficiencies by automating threat validation, exposure prioritization, and remediation.
How does Cymulate help organizations with fragmented security tools?
Cymulate integrates exposure data and automates validation, providing a unified view of the security posture and closing gaps caused by disconnected tools.
What measurable outcomes have Cymulate customers achieved?
Customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. For example, Hertz Israel reduced cyber risk by 81% in four months using Cymulate. Read the case study.
How does Cymulate address resource constraints in security teams?
Cymulate automates threat validation and remediation processes, allowing security teams to focus on strategic initiatives and improving operational efficiency.
What are some real-world use cases for Cymulate?
Use cases include reducing cyber risk (Hertz Israel), scaling penetration testing (sustainable energy company), improving cloud security (Nemours Children's Health), and proving compliance (Saffron Building Society). See all case studies.
How does Cymulate support different security personas?
Cymulate tailors solutions for CISOs (metrics and investment justification), SecOps (automation and efficiency), red teams (automated offensive testing), and vulnerability management teams (validation and prioritization).
Pricing & Plans
What is Cymulate's pricing model?
Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a quote, schedule a demo.
Implementation & Support
How long does it take to implement Cymulate?
Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment.
What support options are available for Cymulate customers?
Cymulate offers email support, real-time chat support, a knowledge base, webinars, e-books, and an AI chatbot for technical queries and best practices. Contact support.
Security & Compliance
What security and compliance certifications does Cymulate hold?
Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards.
How does Cymulate ensure data security and privacy?
Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a dedicated privacy and security team, including a DPO and CISO.
Is Cymulate GDPR compliant?
Yes, Cymulate incorporates data protection by design and has a dedicated privacy and security team, including a Data Protection Officer (DPO), ensuring GDPR compliance.
Customer Proof & Recognition
What feedback have customers given about Cymulate's ease of use?
Customers consistently praise Cymulate for its intuitive interface, ease of use, and actionable insights. For example, Raphael Ferreira, Cybersecurity Manager, said, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." Read more testimonials.
Has Cymulate received any industry recognition?
Yes, Cymulate was named a Customers' Choice in the 2025 Gartner Peer Insights and recognized as a market leader for automated security validation by Frost & Sullivan.
Company Information & Vision
What is Cymulate's mission and vision?
Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity.
How does Cymulate contribute to Continuous Threat Exposure Management (CTEM)?
Cymulate provides a proactive framework for CTEM, helping security leaders manage increasing threats, tool proliferation, and lack of clear answers by continuously validating and prioritizing exposures.