: A legitimate, digitally signed executable used for "DLL side-loading." By using a trusted binary, the attacker lowers the suspicion level of the initial process start.
: An obfuscated configuration file containing Command & Control (C2) server addresses and sleep timers (hence the name "Snooze"). Execution Chain: How it Works SnoozeGnat.7z
Implement that flags DLL side-loading from non-standard paths. : A legitimate, digitally signed executable used for
Upon extracting the archive, we find a multi-stage execution chain designed to evade detection by standard Windows Defender signatures. The archive contains: : A legitimate
: The legitimate launcher looks for its required library. Because gnat_api.dll is in the same folder, it loads the malicious version instead of the system version.