Security Research
Threat Intel: libpsl-5.dll. A 55MB Sideloading DLL Undetected by 60+ AV Engines for Six Days
A 55MB DLL disguised as a 200KB library, carrying code that overlaps several known info-stealer families. It went undetected by 60+ engines for six days.

On July 7, 2026, we analyzed a 55MB file uploaded to MalwareBazaar that, at the time, sat at zero detections across more than sixty antivirus engines. We identified code patterns associated with multiple known info-stealer families in a single file built to sideload inside a trusted application. It was disguised as libpsl-5.dll, the legitimate Public Suffix List library. The real library is approximately 200KB; this one is 275 times larger. We determined this from the binary alone, without sandbox detonation, a prior signature, or a threat intel feed.
The analysis was fully automated, with no human intervention.
It sat at zero detections from its July 7 upload through July 13. On July 14, engines began flagging it (ReversingLabs, Kaspersky, VMRay, and others). Whether the family overlaps reflect shared code lineage or deliberately bundled modules is unresolved. What is not in question is the window: for six days, a file carrying multiple stealer families ran clean before the vendors caught up.
Why did a 55MB DLL slip past 60+ AV engines for six days?
The bloated size is the primary evasion mechanism. That size is not incidental: many antivirus engines skip files above a size threshold for performance, and automated sandboxes frequently cap submissions well below 55MB. An oversized file quietly falls outside the range that many tools scan at all. The malicious logic is then diluted across megabytes of surrounding code, lowering the per-byte density that signature scanners rely on.
The rest of the evasion compounds the size advantage. DLLs are scanned less aggressively than executables in many products. The C2 addresses are encrypted rather than stored as plaintext, so string scanners find no obvious network indicators, and the function and type names are randomized, denying the pattern hooks that static tooling looks for.
No single layer is novel. Stacked together, they kept a credential stealer at zero detections for six days before any engine caught up.
What did the sample reveal?
Field | Value |
SHA256 | d3346faf3462420c1abbee24a543e73cb14ec3f3b5bde2848dd4e5c36b18a799 |
MD5 | 8f1fb062aaff182dd250e35eacea129b |
Original filename | libpsl-5.dll |
Size | 55 MB (56,476 KB) |
Type | PE64 DLL (x86_64, Windows) |
First seen | 2026-07-07 07:55 UTC |
Reporter | JAMESWT_WT |
Vendor detections | 0 of 60+ at analysis (July 7); first detections July 14 |
The filename is the delivery mechanism: libpsl-5.dll impersonates the Public Suffix List library, a common dependency in networking software. This is a textbook DLL sideloading setup: place the malicious file alongside a legitimate application that loads libpsl-5.dll, and Windows' library search order causes the trusted application to load the attacker's DLL first, running the malicious code with the application's own trust level and permissions.
Static and dynamic analysis surfaced capabilities no suffix-list library would ever need:
Category | Indicators |
Process injection | VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx |
Persistence | Registry modifications, service installation |
Cryptography | RSA key material, GCM mode references, custom XOR |
Evasion | AddVectoredExceptionHandler (anti-debug), SwitchToThread (timing) |
Network | WS2_32.dll and Iphlpapi.dll imports (network interface enumeration) |
Delivery | Masquerades as the legitimate libpsl-5.dll library name |
A public-suffix-list library has no legitimate need to inject into other processes, install services, or carry its own crypto. Every one of these capabilities is incongruous with the name on the file.
One stealer, or many?
The binary matches strings and code patterns associated with multiple known info-stealer families:
Family | Evidence |
Lumma | String and code patterns matching Lumma Stealer |
Amadey | Loader and dropper patterns consistent with the Amadey botnet |
Raccoon | Credential-harvesting routines matching Raccoon Stealer v2 |
Vidar | Browser data extraction patterns (cookies, passwords, autofill) |
Stealc | Clipboard monitoring and crypto wallet targeting |
RisePro | Network exfiltration patterns |
Meduza | Token and session theft patterns |
Rhadamanthys | Memory injection techniques matching the Rhadamanthys loader |
These overlaps have more than one possible explanation, and the evidence does not yet distinguish between them:
- Shared code lineage: several of these families already share ancestry (for example, Stealc reuses code from Vidar and Raccoon), so overlapping patterns may reflect common heritage rather than deliberately combined modules.
- A stealer builder or packer output: a builder tool that combines modules from multiple families into deployable artifacts, selecting capabilities per campaign.
- A shared loader framework: a common loader used by multiple stealer operators, accumulating techniques over time.
- A MaaS (malware-as-a-service) platform artifact: a commercial service offering mix-and-match stealer capabilities.
JAMESWT_WT, a known malware researcher who regularly submits high-value samples, uploaded this sample. That reinforces it is an active threat, likely captured from a live campaign.
How did we detect it?
No antivirus signatures, YARA rules, or prior knowledge of this sample were used. The initial detection came from structural and behavioral anomalies, not signatures. A 55MB DLL named after a 200KB library is an immediate structural anomaly. Its import table pairs process-injection APIs with network enumeration, which makes no sense for a suffix-list library and much sense for a loader. Behavioral classification mapped the capabilities (injection, persistence, cryptography, network) to a loader and injector profile, and dynamic analysis confirmed API call patterns consistent with that behavior. The encrypted configuration was recovered through custom decryption rather than string scanning. The family associations came later, through code-pattern comparison against known stealer families, a separate step from the signature-free detection itself.
This DLL's size and name that defeat signature scanners are exactly the anomalies that make behavioral analysis suspicious in the first place.
What should defenders hunt for?
- Alert on any
libpsl*.dlllarger than 1MB. The legitimate library is about 200KB, so anything an order of magnitude larger is worth investigating.
- Monitor for DLL sideloading where legitimate applications load anomalously large libraries.
- Flag PE64 DLLs that carry process-injection imports (VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx) but do not match known security tooling.
- Apply file-size-ratio analysis as a standing signal: a DLL many times larger than its legitimate counterpart is worth a second look.
Indicators of compromise
- SHA256:
d3346faf3462420c1abbee24a543e73cb14ec3f3b5bde2848dd4e5c36b18a799
- MD5:
8f1fb062aaff182dd250e35eacea129b
- Filename:
libpsl-5.dll(56,476 KB, anomalously large; legitimate libpsl is ~200KB)
- Type: PE64 DLL, x86_64
- Sideloading indicator: any application loading
libpsl-5.dllwhere the file exceeds ~1MB
- Suspicious imports for this library: VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, AddVectoredExceptionHandler
MITRE ATT&CK
T1574.002 Hijack Execution Flow: DLL Side-Loading; T1055.001 Process Injection: Dynamic-link Library Injection; T1027.001 Obfuscated Files or Information: Binary Padding; T1497 Virtualization/Sandbox Evasion; T1555 Credentials from Password Stores; T1539 Steal Web Session Cookie; T1115 Clipboard Data; T1056 Input Capture.
What this tells us about oversized samples
Size is usually treated as a performance problem for scanners, not a threat signal. This sample inverts that: the 55MB bulk is the evasion technique, chosen precisely because so much of the defensive stack treats large files as low-priority or out of scope. As attackers learn which size ranges tools quietly skip, oversized artifacts become a reliable way to stay undetected while defenses race to catch up.
Closing that gap means treating a file's structure as evidence in its own right, so that a 200KB library arriving as 55MB is a question worth asking before anything runs.
This sample was analyzed on the Delphos Labs platform using static and dynamic analysis, including custom decryption of the sample's configuration. No antivirus signatures or YARA rules were used to detect this sample.
Analyze a file here.
