Hijack Execution Flow: DLL

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.[1]

Specific ways DLLs are abused by adversaries include:

DLL Sideloading

Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).

Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.

Adversaries may also side-load other packages, such as BPLs (Borland Package Library).[2]

DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.[1]

DLL Redirection

Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.[3][4]

Phantom DLL Hijacking

Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.[5][6]

DLL Substitution

Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.[7]

Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.

Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.[8][9]

If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.

ID: T1574.001
Sub-technique of:  T1574
Platforms: Windows
Contributors: Ami Holeston, CrowdStrike; Marina Liang; Stefan Kanthak; Travis Smith, Tripwire; Wietze Beukema @Wietze; Will Alexander, CrowdStrike
Version: 2.0
Created: 13 March 2020
Last Modified: 16 April 2025

Procedure Examples

ID Name Description
G0073 APT19

APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[10]

G0022 APT3

APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.[11][12]

G0050 APT32

APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[13][14][15]

G0096 APT41

APT41 has used search order hijacking to execute malicious payloads, such as Winnti for Windows.[16] APT41 has also used legitimate executables to perform DLL side-loading of their malware.[17]

C0040 APT41 DUST

APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[18] APT41 DUST used also DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[18]

G0143 Aquatic Panda

Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.[19] Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable (SecurityHealthService.exe) to execute malicious code on victim systems.[20]

S0373 Astaroth

Astaroth can launch itself via DLL Search Order Hijacking.[21]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has executed DLL search order hijacking.[22]

S0128 BADNEWS

BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[23][24]

S0127 BBSRAT

DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[25]

G0098 BlackTech

BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.[26]

S0415 BOOSTWRITE

BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.[27]

G0060 BRONZE BUTLER

BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[28]

S1063 Brute Ratel C4

Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency to a benign application packaged in the same ISO.[29] Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally-signed Microsoft binary OneDriveUpdater.exe.[29]

S0631 Chaes

Chaes has used search order hijacking to load a malicious DLL.[30]

G0114 Chimera

Chimera has used side loading to place malicious DLLs in memory.[31]

S1041 Chinoxy

Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its dll into memory.[32]

G1021 Cinnamon Tempest

Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons.[33][34] Cinnamon Tempest has also abused legitimate executables to side-load weaponized DLLs.[35]

S0660 Clambling

Clambling can store a file named mpsvc.dll, which opens a malicious mpsvc.mui file, in the same folder as the legitimate Microsoft executable MsMpEng.exe to gain execution.[36][37]

S0538 Crutch

Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.[38]

G1034 Daggerfly

Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.[39] Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.[40]

S1111 DarkGate

DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.[41]

S0354 Denis

Denis exploits a security vulnerability to load a fake DLL and execute its code.[13]

S0134 Downdelph

Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[42]

S0384 Dridex

Dridex can abuse legitimate Windows executables to side-load malicious DLL files.[43]

G1006 Earth Lusca

Earth Lusca has placed a malicious payload in %WINDIR%\SYSTEM32\oci.dll so it would be sideloaded by the MSDTC service.[44]

S0624 Ecipekac

Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.[45]

S0554 Egregor

Egregor has used DLL side-loading to execute its payload.[46]

S0363 Empire

Empire contains modules that can discover and exploit various DLL hijacking opportunities.[47]

G0120 Evilnum

Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.[48]

G1016 FIN13

FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507).[49]

S0182 FinFisher

FinFisher uses DLL side-loading to load malicious programs.[50][51] A FinFisher variant also uses DLL search order hijacking.[50][52]

S0661 FoggyWeb

FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate version.dll during the Microsoft.IdentityServer.ServiceHost.exe execution process.[53]

G0093 GALLIUM

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[54]

S0032 gh0st RAT

A gh0st RAT variant has used DLL side-loading.[55]

S0477 Goopy

Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.[14]

G0126 Higaisa

Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.[56]

S0009 Hikit

Hikit has used DLL to load oci.dll as a persistence mechanism.[57]

S0070 HTTPBrowser

HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[58] HTTPBrowser has also used DLL side-loading.[59]

S1097 HUI Loader

HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[34]

S0398 HyperBro

HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[60][61]

S0260 InvisiMole

InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.[62]

S0528 Javali

Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[21]

S0585 Kerrdown

Kerrdown can use DLL side-loading to load malicious DLLs.[63]

G0032 Lazarus Group

Lazarus Group has replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.[64] Lazarus Group utilized DLL side-loading to execute malicious payloads through abuse of the legitimate processes wsmprovhost.exe and dfrgui.exe.[65]

S1101 LoFiSe

LoFiSe has been executed as a file named DsNcDiag.dll through side-loading.[66]

S0582 LookBack

LookBack side loads its communications module as a DLL into the libcurl.dll loader.[67]

G1014 LuminousMoth

LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.[68][69]

S1213 Lumma Stealer

Lumma Stealer has leveraged legitimate applications to then side-load malicious DLLs during execution.[70]

S0530 Melcoz

Melcoz can use DLL hijacking to bypass security controls.[21]

G0045 menuPass

menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[71][72][73] menuPass has also used DLL search order hijacking.[74]

S1059 metaMain

metaMain can support an HKCMD sideloading start method.[75]

S0455 Metamorfo

Metamorfo has side-loaded its malicious DLL file.[76][77][78]

S0280 MirageFox

MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.[79]

G0069 MuddyWater

MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.[80]

G0129 Mustang Panda

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[81][82][83]

G0019 Naikon

Naikon has used DLL side-loading to load malicious DLL's into legitimate executables.[84]

S0630 Nebulae

Nebulae can use DLL side-loading to gain execution.[85]

S1100 Ninja

Ninja loaders can be side-loaded with legitimate and signed executables including the VLC.exe media player.[66]

C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors used the legitimate Windows services IKEEXT and PrintNotify to side-load malicious DLLs.[86]

S0664 Pandora

Pandora can use DLL side-loading to execute malicious payloads.[61]

G0040 Patchwork

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[87]

S1102 Pcexter

Pcexter has been distributed and executed as a DLL file named Vspmsg.dll via DLL side-loading.[66]

S0013 PlugX

PlugX has the ability to use DLL search order hijacking for installation on targeted systems.[88] PlugX has also used DLL side-loading to evade anti-virus.[12][59][89][71][90][36][91]

S0194 PowerSploit

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.[92][93]

S1046 PowGoop

PowGoop can side-load Goopdate.dll into GoogleUpdate.exe.[80][94]

S0113 Prikormka

Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.[95]

S0650 QakBot

QakBot has the ability to use DLL side-loading for execution.[96]

S0629 RainyDay

RainyDay can use side-loading to run malicious executables.[85]

S0458 Ramsay

Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.[97]

S1130 Raspberry Robin

Raspberry Robin can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.[98]

S0662 RCSession

RCSession can be installed via DLL side-loading.[99][36][91]

C0047 RedDelta Modified PlugX Infection Chain Operations

Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[100]

S0153 RedLeaves

RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.[101]

G0048 RTM

RTM has used search order hijacking to force TeamViewer to load a malicious DLL.[102]

S0074 Sakula

Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[103]

G1008 SideCopy

SideCopy has used a malicious loader DLL file to execute the credwiz.exe process and side-load the malicious payload Duser.dll.[104]

G0121 Sidewinder

Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[105]

G1046 Storm-1811

Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with an additional command line parameter of b at runtime to load a Cobalt Strike beacon payload.[106]

S1183 StrelaStealer

StrelaStealer has sideloaded a DLL payload using a renamed, legitimate msinfo32.exe executable.[107]

S0663 SysUpdate

SysUpdate can load DLLs through vulnerable legitimate executables.[61]

S0098 T9000

During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[108]

G0027 Threat Group-3390

Threat Group-3390 has performed DLL search order hijacking to execute their payload.[109] Threat Group-3390 has also used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as rc.exe, a legitimate Microsoft Resource Compiler.[59][110][111][60][112]

G0131 Tonto Team

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.[113]

G0081 Tropic Trooper

Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.[114][115]

G1047 Velvet Ant

Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX.[116]

S0612 WastedLocker

WastedLocker has performed DLL hijacking before execution.[117]

S0579 Waterbear

Waterbear has used DLL side loading to import and load a malicious DLL loader.[26]

S0109 WEBC2

Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).[118]

G0107 Whitefly

Whitefly has used search order hijacking to run the loader Vcrodat.[119]

S0176 Wingbird

Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.[120][121]

S0230 ZeroT

ZeroT has used DLL side-loading to load malicious payloads.[122][123]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.

M1047 Audit

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.[124]

Use the program sxstrace.exe that is included with Windows, along with manual inspection, to check manifest files for side-by-side problems in software.[125]

M1038 Execution Prevention

Identify and block potentially malicious software executed through DLL hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software.[126]

M1044 Restrict Library Loading

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.[127]

Enable Safe DLL Search Mode to move the user's current folder later in the search order. This is included by default in modern versions of Windows; the associated Windows Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode.[128]

M1051 Update Software

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates. Monitor for the creation of phantom DLL files.

File Modification

Monitor for changes made to .manifest / .local redirection files, or file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. To detect DLL substitution, monitor for changes made to DLLs in trusted locations, such as C:\Windows\System32.

DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process (particularly known malicious ones), or that have the same file name but abnormal paths (e.g., loaded from a user-writable directory rather than a system one). Monitor DLLs loaded from remote locations.

DS0009 Process Process Creation

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs.

References

  1. Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22). Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30, 2025.
  2. Dave Truman. (2024, June 24). Novel Technique Combination Used In IDATLOADER Distribution. Retrieved January 30, 2025.
  3. Microsoft. (2023, October 12). Dynamic-link library redirection. Retrieved January 30, 2025.
  4. Microsoft. (2021, January 7). Manifests. Retrieved January 30, 2025.
  5. Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5. Retrieved August 14, 2024.
  6. falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries Hijack DLLs — and How CrowdStrike Falcon OverWatch Fights Back. Retrieved January 30, 2025.
  7. Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved April 8, 2025.
  8. OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.
  9. Microsoft. (2014, May 13). Microsoft Security Advisory 2269637: Insecure Library Loading Could Allow Remote Code Execution. Retrieved January 30, 2025.
  10. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  11. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  12. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  13. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  14. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  15. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  16. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  17. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  18. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  19. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  20. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  21. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  22. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  23. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  24. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  25. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  26. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  27. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  28. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  29. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  30. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  31. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  32. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  33. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  34. Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
  35. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  36. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  37. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  38. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  39. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  40. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  41. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  42. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  43. Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023.
  44. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  45. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  46. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
  47. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  48. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  49. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  50. FinFisher. (n.d.). Retrieved September 12, 2024.
  51. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  52. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  53. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  54. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  55. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  56. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  57. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved November 17, 2024.
  58. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  59. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  60. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  61. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  62. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  63. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  64. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.
  1. AhnLab ASEC. (2022, October 6). Lazarus Group Uses the DLL Side-Loading Technique (mi.dll). Retrieved January 7, 2025.
  2. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  3. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  4. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  5. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  6. Cybereaon Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
  7. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  8. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  9. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  11. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  12. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  13. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  14. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  15. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  16. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  17. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  18. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  19. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  20. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  21. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  22. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  23. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  24. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  25. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
  26. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  27. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  28. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  29. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  30. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  31. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  32. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  33. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  34. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  35. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  36. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
  37. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  38. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
  39. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  40. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  41. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  42. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  43. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
  44. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  45. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  46. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  47. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  48. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  49. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  50. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  51. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
  52. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  53. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  54. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  55. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  56. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  57. Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.
  58. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  59. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  60. PowerSploit. (n.d.). Retrieved December 4, 2014.
  61. Gerend, J. et al.. (2017, October 16). sxstrace. Retrieved April 26, 2021.
  62. Microsoft. (2024, October 1). DLL rules in AppLocker. Retrieved April 10, 2025.
  63. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
  64. Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.