Categories: Cyber Security News

New Malware Abuses Azure Functions to Host C2 Infrastructure

A sophisticated malware campaign has recently been uncovered that leverages Microsoft’s Azure Functions to host its command-and-control (C2) infrastructure, presenting a novel challenge for detection and remediation efforts.

According to the Dmpdump report, the campaign first emerged on VirusTotal on August 28, 2025, when a file uploaded from Malaysia triggered alarms.

The attackers employ a multi-stage infection chain that uses DLL side-loading and in-memory payload execution techniques to remain stealthy and persistent.

Infection Vector and DLL Side-Loading

The attack begins when a victim opens a disk image file named Servicenow-BNM-Verify.iso.

Inside the ISO are four files: a legitimate Palo Alto Networks executable (PanGpHip.exe), a shortcut file (servicenow-bnm-verify.lnk), and two dynamic-link libraries—libeay32.dll and the malicious libwaapi.dll.

When the user clicks the shortcut, it launches PanGpHip.exe, which is vulnerable to DLL side-loading. Instead of loading a genuine library, the executable loads libwaapi.dll from the same directory, enabling the malware to execute under a trusted process and bypass initial security checks.

Metadata analysis of the shortcut reveals it was created on August 25, 2025, on a machine named “desktop-rbg1pik” by user “john.GIB,” shedding light on the threat actor’s development environment.

Once libwaapi.dll is loaded, it hides its own console window and creates a mutex to ensure a single instance of the malware runs per host.

It then injects its main payload into the memory space of chakra.dll, a legitimate Windows component.

This injection involves multiple layers of decryption and obfuscation.

The malware computes an RC4 decryption key by hashing the string “rdfY*&689uuaijs”, which it uses to decrypt an obfuscated shellcode.

This shellcode decompresses the final DLL implant using the LZNT1 algorithm. The final payload, housed within the DllUnload exported function, employs module unhooking to evade user-mode security solutions.

By choosing an uncommon export like DllUnload, the malware further reduces the likelihood of detection by automated analysis tools.

Azure Functions as Covert C2

The most innovative aspect of this campaign is its use of Azure Functions for C2 communications.

The final payload exfiltrates victim information via HTTPS POST requests to logsapi.azurewebsites[.]net/api/logs, disguising malicious traffic as legitimate cloud service calls.

The XML-formatted data includes system details such as computer and user names, operating system version, system uptime, and running processes.

Hosting C2 on a serverless platform complicates defensive measures, as blocking the domain risks disrupting genuine Azure services.
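Defender-side example added here (not part of the report): the script below correlates constructed Sysmon-style ImageLoad (EID 7) and NetworkConnect (EID 3) records to flag the chain described above, PanGpHip.exe loading libwaapi.dll from its own directory outside a trusted install root and then beaconing over HTTPS to an azurewebsites.net host. The trusted roots, the `D:\` ISO mount path, the `VendorInstall` folder and the process GUIDs are assumptions; the hostname match alone is deliberately not alertable, for the reason given in the paragraph above.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample log lines (one JSON object per line). Paths and GUIDs are
# made up: "D:\" stands in for a mounted ISO, "C:\Program Files\VendorInstall"
# for an assumed legitimate install location of the same executable.
SAMPLE_LOG = r"""
{"EventID": 7, "ProcessGuid": "p1", "Image": "D:\\PanGpHip.exe", "ImageLoaded": "D:\\libwaapi.dll"}
{"EventID": 7, "ProcessGuid": "p1", "Image": "D:\\PanGpHip.exe", "ImageLoaded": "C:\\Windows\\System32\\chakra.dll"}
{"EventID": 3, "ProcessGuid": "p1", "Image": "D:\\PanGpHip.exe", "DestinationHostname": "logsapi.azurewebsites.net", "DestinationPort": 443}
{"EventID": 7, "ProcessGuid": "p2", "Image": "C:\\Program Files\\VendorInstall\\PanGpHip.exe", "ImageLoaded": "C:\\Program Files\\VendorInstall\\libwaapi.dll"}
{"EventID": 3, "ProcessGuid": "p3", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "myapp.azurewebsites.net", "DestinationPort": 443}
"""

TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")   # assumed; tune per estate
TARGET_EXE, SIDELOADED_DLL = "pangphip.exe", "libwaapi.dll"
CLOUD_SUFFIX = ".azurewebsites.net"  # legitimate Azure apps live here too: never alert on this alone

def parse_log(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_sideload(ev):
    """EID 7 where PanGpHip.exe loads libwaapi.dll from its own directory and
    that directory lies outside the trusted install roots (e.g. a mounted ISO)."""
    if ev.get("EventID") != 7:
        return False
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    exe_dir = str(exe.parent).lower()
    return (exe.name.lower() == TARGET_EXE and dll.name.lower() == SIDELOADED_DLL
            and exe_dir == str(dll.parent).lower()
            and not exe_dir.startswith(TRUSTED_ROOTS))

def is_cloud_beacon(ev):
    """EID 3 outbound HTTPS to an *.azurewebsites.net host."""
    return (ev.get("EventID") == 3 and ev.get("DestinationPort") == 443
            and ev.get("DestinationHostname", "").lower().endswith(CLOUD_SUFFIX))

def analyze(events):
    """Return {ProcessGuid: severity}: 'medium' for the side-load alone,
    'high' when the same process then beacons to *.azurewebsites.net."""
    findings = {ev["ProcessGuid"]: "medium" for ev in events if is_sideload(ev)}
    for ev in events:
        if ev.get("ProcessGuid") in findings and is_cloud_beacon(ev):
            findings[ev["ProcessGuid"]] = "high"
    return findings

if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG)))  # {'p1': 'high'}
```

Only the process that both side-loaded the DLL and reached the cloud host is raised to high; the benign-looking install path and the unrelated azurewebsites.net connection produce no finding.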

A related sample sharing the same import hash was uploaded from Singapore on September 5, 2025, suggesting the campaign’s reach extends beyond a single region.

Security researchers continue to dissect the payload to reveal additional capabilities and indicators of compromise that will aid in detecting and mitigating this emerging threat.


The post New Malware Abuses Azure Functions to Host C2 Infrastructure appeared first on Cyber Security News.
