Attackers obtain remote code execution through abuse of SQL-server environments (exploitation, SQL injection, or credential compromise) and attempt to install web shells. When detection (e.g., endpoint AV) blocks the web-shell stage, they escalate to a multi-stage DLL loader chain. The first-stage DLLs are placed in System32 under legitimate-looking names (e.g., wlbsctrl.dll, TSMSISrv.dll, oci.dll) so that a system service loads them at startup (Phantom DLL Hijack). The loaders use inflated file overlays (>60–100 MB), a 32-bit hash check of the adapter MAC address, and staged AES/Base64 payload files on disk to ensure execution only on intended hosts and to frustrate sandboxing and signature detection.
Final payloads include the Neursite backdoor (C2 via TCP/SSL/HTTP/HTTPS, proxy/lateral-movement modules, plugin support for shells/files/sockets) and NeuralExecutor (.NET backdoor able to fetch and execute additional assemblies, using ConfuserEx obfuscation and Dead-Drop Resolver from GitHub). Variants show use of process injection (WmiPrvSE/msiexec), VMProtect obfuscation, and occasional reuse of DLLs/PDB strings tied to other activity (e.g., imjp14k.dll), complicating attribution.