We did not observe the threat actors using this method in this attack; however, it is possible that the threat actors could use the “DownFileS.dll” or “FileManagerS.dll” plugins obtained from the C2 to install plugins that use this loading method.

Connection to Watering Hole Attack and Chinese Threat Actors

As previously mentioned, the malware author signed the 3102 sample delivered in the attacks
![Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media](https://cdn-ak-scissors.b.st-hatena.com/image/square/25fde7dbe8ef76f5c08022c072768d93e6946b62/height=288;version=1;width=512/http%3A%2F%2Fblog.paloaltonetworks.com%2Fwp-content%2Fuploads%2F2015%2F09%2Ffigure-1-500x546.png)