DLL Side-Loading

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [1] are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. [2]

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

ID: T1073

Tactic: Defense Evasion

Platform:  Windows

Data Sources:  Process use of network, Process monitoring, Loaded DLLs

Defense Bypassed:  Process whitelisting, Anti-virus

Version: 1.0



Examples

APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[3]


APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.[4][5]


APT32 ran genuinely-signed executables from Symantec and McAfee which loaded a malicious DLL called rastls.dll.[6]


BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[7][8]


DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable ssonsvr.exe which is vulnerable to the technique. The Citrix executable was dropped along with BBSRAT by the dropper.[9]


FinFisher uses DLL side-loading to load malicious programs.[10][11]


A gh0st variant has used DLL side-loading.[12]


HTTPBrowser has used DLL side-loading.[13]


menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[14][15]


OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL.[13]


A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[16]


PlugX has used DLL side-loading to evade anti-virus and to maintain persistence on a victim.[5][13][2][14][17]


Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[18]


During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[19]


Threat Group-3390 actors have used DLL side-loading. Actors have used legitimate Kaspersky anti-virus variants in which the DLL acts as a stub loader that loads and executes the shell code.[13][20][21]


Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lssas.exe service.[22][23]


ZeroT has used DLL side-loading to load malicious payloads.[24][25]


Mitigation

Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.
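The manual manifest inspection recommended above, and the under-specified dependent assembly identities the description blames for side-loading, can be scripted. The following is an added example, not a tool from this page and not a substitute for sxstrace.exe: it parses an application manifest (here a constructed sample string; reading a .manifest file or an embedded RT_MANIFEST resource is left to the caller) and reports every dependent assembly whose identity omits a version, publicKeyToken or processorArchitecture. Treating those omissions as the "not explicit enough" case is this example's own heuristic, based on the fact that an assembly without a public key token is a private assembly resolved from the application directory rather than the WinSxS store.

```python
"""Audit a Windows application manifest for under-specified dependent assemblies.
Added example for the mitigation section; the sample manifest is constructed and
the 'missing attribute' heuristic is an assumption of this example, not an ATT&CK
definition."""
import xml.etree.ElementTree as ET

ASM_NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}
# Attributes an assemblyIdentity should carry to pin exactly which DLL satisfies it.
REQUIRED_ATTRS = ("version", "publicKeyToken", "processorArchitecture")

# Constructed sample: the first dependency is fully specified, the second names a
# private assembly with no version, architecture or key token.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.App" version="1.0.0.0"
                    processorArchitecture="amd64"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
                        version="6.0.0.0" processorArchitecture="*"
                        publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Example.Helper"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""


def audit_manifest(manifest_xml):
    """Return [(assembly name, [missing attributes])] for each dependent
    assembly identity that omits any of REQUIRED_ATTRS."""
    root = ET.fromstring(manifest_xml)
    findings = []
    path = "asm:dependency/asm:dependentAssembly/asm:assemblyIdentity"
    for ident in root.findall(path, ASM_NS):
        missing = [attr for attr in REQUIRED_ATTRS if ident.get(attr) is None]
        if missing:
            findings.append((ident.get("name", "<unnamed>"), missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_manifest(SAMPLE_MANIFEST):
        print("%s: missing %s" % (name, ", ".join(missing)))
```

A finding is a lead, not proof of a vulnerability: whether a dropped DLL can actually satisfy the reference still depends on where the loader searches, which is what sxstrace.exe shows for a real load.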


Detection

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
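The hash comparison described above, as an added example that is not part of the original page: a baseline of which DLLs a process loaded, from where and with which hash is built from a known-good run, and later loads are flagged when the hash or directory differs, when the DLL is unsigned, or when a name that the baseline resolved from a Windows system directory is now satisfied from the application's own directory (the pattern in most of the examples on this page). The event dicts mimic the Image, ImageLoaded, Hashes and Signed fields of Sysmon Event ID 7 but are constructed here, the hashes are placeholders, and the system-directory list is this example's assumption.

```python
"""Baseline the DLLs a process loads and flag later loads that deviate.
Added example for the detection section; events are constructed, hashes are
placeholders, and SYSTEM_DIRS is an assumption of this example."""
import ntpath

# Directories a baseline load is treated as coming from "the system"; a later load
# of the same DLL name from the process's own directory is the side-loading pattern.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed known-good run of a vendor application (placeholder hashes).
BASELINE_EVENTS = [
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
     "Signed": "true"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll",
     "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
     "Signed": "true"},
]

# Constructed later run: version.dll now comes from the application directory with a
# different hash and no signature; vendorcore.dll is unchanged.
NEW_EVENTS = [
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\version.dll",
     "Hashes": "SHA256=dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
     "Signed": "false"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll",
     "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
     "Signed": "true"},
]


def parse_hashes(field):
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return {algorithm: digest}."""
    return {k: v.lower() for k, v in (p.split("=", 1) for p in field.split(","))}


def _key(ev):
    """(process name, dll name), both lower-cased, as the baseline key."""
    return (ntpath.basename(ev["Image"]).lower(),
            ntpath.basename(ev["ImageLoaded"]).lower())


def build_baseline(events):
    """Map (process name, dll name) -> expected SHA256 and directory."""
    baseline = {}
    for ev in events:
        baseline[_key(ev)] = {
            "sha256": parse_hashes(ev["Hashes"])["SHA256"],
            "dir": ntpath.dirname(ev["ImageLoaded"]).lower(),
        }
    return baseline


def detect_sideload(baseline, events):
    """Return one finding per load that deviates from the baseline or is unsigned."""
    findings = []
    for ev in events:
        proc, dll = _key(ev)
        loaded_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        sha256 = parse_hashes(ev["Hashes"])["SHA256"]
        known = baseline.get((proc, dll))
        reasons = []
        if known is None:
            reasons.append("dll never loaded by this process in baseline")
        else:
            if sha256 != known["sha256"]:
                reasons.append("hash differs from baseline")
            if loaded_dir != known["dir"]:
                reasons.append("loaded from %s instead of %s" % (loaded_dir, known["dir"]))
                # A system DLL name now satisfied from the executable's own directory.
                if known["dir"] in SYSTEM_DIRS and loaded_dir == ntpath.dirname(ev["Image"]).lower():
                    reasons.append("system dll name satisfied from application directory (side-loading pattern)")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("dll is unsigned")
        if reasons:
            findings.append({"process": proc, "dll": dll,
                             "path": ev["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_sideload(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f["process"], f["path"], "; ".join(f["reasons"]))
```

A hash change alone is expected after patching, which is why the directory and signature checks are combined with it; rebuild the baseline after legitimate updates so that only the unexplained differences remain.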