Executive Summary

The Yokai Backdoor Campaign is a sophisticated cyberattack that leverages DLL side-loading and LNK file-based techniques to infect systems and deploy a custom backdoor for persistent control. This report analyzes the campaign's attack chain, focusing on the use of Alternate Data Streams (ADS) embedded within LNK files to evade detection. The methods observed reflect growing adversarial sophistication in blending social engineering with file-based stealth techniques.

Subsequent findings add detail to the attack chain. The Netskope team identified that a legitimate iTop Data Recovery application was abused to side-load the previously undocumented Yokai backdoor. The campaign illustrates the continuing ingenuity of threat actors.
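As an added defender-side check (not code from this report or from Netskope), the following Windows PowerShell snippet hunts for .lnk files that carry NTFS alternate data streams beyond the default stream and flags any stream whose content begins with a PE header; the search root and the benign-stream list are assumptions.

```powershell
# Added hunting example (not from the report): list .lnk files that carry NTFS
# alternate data streams beyond the default ':$DATA' stream. $Root is an
# assumed default; point it at wherever LNK lures land in your environment.
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'Downloads')
)

# Zone.Identifier is the benign Mark-of-the-Web stream that browsers and mail
# clients add to downloaded files; exclude it so payload streams stand out.
$benignStreams = @(':$DATA', 'Zone.Identifier')

function Get-StreamMagic {
    param([string]$Path, [string]$Stream)
    # Read the first two bytes of the stream; 'MZ' marks a PE (EXE/DLL) image.
    # -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream.
    $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    if ($bytes.Count -lt 2) { return '' }
    return -join ($bytes | ForEach-Object { [char]$_ })
}

Get-ChildItem -LiteralPath $Root -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $_
        # Get-Item -Stream * enumerates every NTFS stream attached to the file.
        Get-Item -LiteralPath $lnk.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                $magic = Get-StreamMagic -Path $lnk.FullName -Stream $_.Stream
                [pscustomobject]@{
                    Path        = $lnk.FullName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    Magic       = $magic
                    LooksLikePE = ($magic -eq 'MZ')
                }
            }
    } |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

Any non-empty result deserves a look, since a shortcut file has no legitimate reason to carry additional streams; a stream with an MZ header is a strong indicator of a staged DLL or executable.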


Campaign Overview

Attack Chain Summary