Delphos LabsDelphos Labs

Jul 14, 2026

·
Security Research

Threat Intel: libpsl-5.dll. A 55MB Sideloading DLL Undetected by 60+ AV Engines for Six Days

A 55MB DLL disguised as a 200KB library, carrying code that overlaps several known info-stealer families. It went undetected by 60+ engines for six days.

Evgeny Pinchuk
EP
Evgeny Pinchuk
Cover ImageCover Image
On July 7, 2026, we analyzed a 55MB file uploaded to MalwareBazaar that, at the time, sat at zero detections across more than sixty antivirus engines. We identified code patterns associated with multiple known info-stealer families in a single file built to sideload inside a trusted application. It was disguised as libpsl-5.dll, the legitimate Public Suffix List library. The real library is approximately 200KB; this one is 275 times larger. We determined this from the binary alone, without sandbox detonation, a prior signature, or a threat intel feed.
The analysis was fully automated, with no human intervention.
It sat at zero detections from its July 7 upload through July 13. On July 14, engines began flagging it (ReversingLabs, Kaspersky, VMRay, and others). Whether the family overlaps reflect shared code lineage or deliberately bundled modules is unresolved. What is not in question is the window: for six days, a file carrying multiple stealer families ran clean before the vendors caught up.

Why did a 55MB DLL slip past 60+ AV engines for six days?

The bloated size is the primary evasion mechanism. That size is not incidental: many antivirus engines skip files above a size threshold for performance, and automated sandboxes frequently cap submissions well below 55MB. An oversized file quietly falls outside the range that many tools scan at all. The malicious logic is then diluted across megabytes of surrounding code, lowering the per-byte density that signature scanners rely on.
The rest of the evasion compounds the size advantage. DLLs are scanned less aggressively than executables in many products. The C2 addresses are encrypted rather than stored as plaintext, so string scanners find no obvious network indicators, and the function and type names are randomized, denying the pattern hooks that static tooling looks for.
No single layer is novel. Stacked together, they kept a credential stealer at zero detections for six days before any engine caught up.

What did the sample reveal?

 
Field
Value
SHA256
d3346faf3462420c1abbee24a543e73cb14ec3f3b5bde2848dd4e5c36b18a799
MD5
8f1fb062aaff182dd250e35eacea129b
Original filename
libpsl-5.dll
Size
55 MB (56,476 KB)
Type
PE64 DLL (x86_64, Windows)
First seen
2026-07-07 07:55 UTC
Reporter
JAMESWT_WT
Vendor detections
0 of 60+ at analysis (July 7); first detections July 14
 
The filename is the delivery mechanism: libpsl-5.dll impersonates the Public Suffix List library, a common dependency in networking software. This is a textbook DLL sideloading setup: place the malicious file alongside a legitimate application that loads libpsl-5.dll, and Windows' library search order causes the trusted application to load the attacker's DLL first, running the malicious code with the application's own trust level and permissions.
Static and dynamic analysis surfaced capabilities no suffix-list library would ever need:
 
Category
Indicators
Process injection
VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx
Persistence
Registry modifications, service installation
Cryptography
RSA key material, GCM mode references, custom XOR
Evasion
AddVectoredExceptionHandler (anti-debug), SwitchToThread (timing)
Network
WS2_32.dll and Iphlpapi.dll imports (network interface enumeration)
Delivery
Masquerades as the legitimate libpsl-5.dll library name
 
A public-suffix-list library has no legitimate need to inject into other processes, install services, or carry its own crypto. Every one of these capabilities is incongruous with the name on the file.

One stealer, or many?

 
The binary matches strings and code patterns associated with multiple known info-stealer families:
 
Family
Evidence
Lumma
String and code patterns matching Lumma Stealer
Amadey
Loader and dropper patterns consistent with the Amadey botnet
Raccoon
Credential-harvesting routines matching Raccoon Stealer v2
Vidar
Browser data extraction patterns (cookies, passwords, autofill)
Stealc
Clipboard monitoring and crypto wallet targeting
RisePro
Network exfiltration patterns
Meduza
Token and session theft patterns
Rhadamanthys
Memory injection techniques matching the Rhadamanthys loader
 
These overlaps have more than one possible explanation, and the evidence does not yet distinguish between them:
  • Shared code lineage: several of these families already share ancestry (for example, Stealc reuses code from Vidar and Raccoon), so overlapping patterns may reflect common heritage rather than deliberately combined modules.
  • A stealer builder or packer output: a builder tool that combines modules from multiple families into deployable artifacts, selecting capabilities per campaign.
  • A shared loader framework: a common loader used by multiple stealer operators, accumulating techniques over time.
  • A MaaS (malware-as-a-service) platform artifact: a commercial service offering mix-and-match stealer capabilities.
JAMESWT_WT, a known malware researcher who regularly submits high-value samples, uploaded this sample. That reinforces it is an active threat, likely captured from a live campaign.

How did we detect it?

No antivirus signatures, YARA rules, or prior knowledge of this sample were used. The initial detection came from structural and behavioral anomalies, not signatures. A 55MB DLL named after a 200KB library is an immediate structural anomaly. Its import table pairs process-injection APIs with network enumeration, which makes no sense for a suffix-list library and much sense for a loader. Behavioral classification mapped the capabilities (injection, persistence, cryptography, network) to a loader and injector profile, and dynamic analysis confirmed API call patterns consistent with that behavior. The encrypted configuration was recovered through custom decryption rather than string scanning. The family associations came later, through code-pattern comparison against known stealer families, a separate step from the signature-free detection itself.
This DLL's size and name that defeat signature scanners are exactly the anomalies that make behavioral analysis suspicious in the first place.

What should defenders hunt for?

  • Alert on any libpsl*.dll larger than 1MB. The legitimate library is about 200KB, so anything an order of magnitude larger is worth investigating.
  • Monitor for DLL sideloading where legitimate applications load anomalously large libraries.
  • Flag PE64 DLLs that carry process-injection imports (VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx) but do not match known security tooling.
  • Apply file-size-ratio analysis as a standing signal: a DLL many times larger than its legitimate counterpart is worth a second look.

Indicators of compromise

  • SHA256: d3346faf3462420c1abbee24a543e73cb14ec3f3b5bde2848dd4e5c36b18a799
  • MD5: 8f1fb062aaff182dd250e35eacea129b
  • Filename: libpsl-5.dll (56,476 KB, anomalously large; legitimate libpsl is ~200KB)
  • Type: PE64 DLL, x86_64
  • Sideloading indicator: any application loading libpsl-5.dll where the file exceeds ~1MB
  • Suspicious imports for this library: VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, AddVectoredExceptionHandler

MITRE ATT&CK

T1574.002 Hijack Execution Flow: DLL Side-Loading; T1055.001 Process Injection: Dynamic-link Library Injection; T1027.001 Obfuscated Files or Information: Binary Padding; T1497 Virtualization/Sandbox Evasion; T1555 Credentials from Password Stores; T1539 Steal Web Session Cookie; T1115 Clipboard Data; T1056 Input Capture.

What this tells us about oversized samples

Size is usually treated as a performance problem for scanners, not a threat signal. This sample inverts that: the 55MB bulk is the evasion technique, chosen precisely because so much of the defensive stack treats large files as low-priority or out of scope. As attackers learn which size ranges tools quietly skip, oversized artifacts become a reliable way to stay undetected while defenses race to catch up.
Closing that gap means treating a file's structure as evidence in its own right, so that a 200KB library arriving as 55MB is a question worth asking before anything runs.

This sample was analyzed on the Delphos Labs platform using static and dynamic analysis, including custom decryption of the sample's configuration. No antivirus signatures or YARA rules were used to detect this sample.
Analyze a file here.

Company

About UsBlogSecurity Trust CenterBug Bounty ProgramVulnerability Research Policy

Account

Privacy PolicyTerms of Service

Help & Feedback

Contact SupportEmail Us

Social

LinkedInX

Copyright © 2026 Delphos Labs Inc.