{
	"id": "e682d6fd-1c31-4e65-9bab-cbae7c77b8e3",
	"created_at": "2026-04-06T00:12:35.551777Z",
	"updated_at": "2026-04-10T03:37:32.71917Z",
	"deleted_at": null,
	"sha1_hash": "a421ba538443db52674fe2a7997625ceb05e015c",
	"title": "Intruders in the Library: Exploring DLL Hijacking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1767143,
	"plain_text": "Intruders in the Library: Exploring DLL Hijacking\r\nBy Tom Fakterman, Chen Erlich, Assaf Dahan\r\nPublished: 2024-02-23 · Archived: 2026-04-05 15:12:23 UTC\r\nExecutive Summary\r\nDynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to use today. DLL hijacking is popular because it grants threat actors a stealthy way to run malware that can be very effective at evading detection. At its core, DLL hijacking tricks an operating system into running a malicious binary instead of a legitimate DLL.\r\nThis article explains how threat actors use DLL hijacking in malware attacks, and it should help readers by providing:\r\nTheoretical background necessary to understand DLL hijacking\r\nExplanations that demystify some of the concepts around this technique\r\nCommon variations seen in the wild\r\nReal-world examples from both advanced persistent threat (APT) and cybercrime threat actors\r\nThis article also provides ideas for how to better detect DLL hijacking, and we share best practices on how to reduce the risk of attack.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Next-Generation Firewall, as well as Advanced WildFire, DNS Security, and Advanced URL Filtering. Cortex XDR and XSIAM detect known and novel DLL hijacking attacks. The Prisma Cloud Defender agent can assist in identifying malware that uses DLL hijacking techniques. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nWhat Is DLL Hijacking?\r\nDLL files are programs that are meant to be run by other programs in Microsoft Windows. DLL hijacking allows attackers to trick a legitimate Windows program into loading and running a malicious DLL. Adversaries leverage DLL hijacking for multiple purposes, including defense evasion, privilege escalation and persistence.\r\nDLL hijacking has evolved, with many variations over the past several years. To understand DLL hijacking, we must first understand the DLL search order mechanism, which is a crucial function in Microsoft Windows.\r\nWindows DLL Search Order\r\nDLL hijacking relies on the DLL search order that Windows uses when loading DLL files. This search order is a sequence of locations a program checks when loading a DLL. The sequence can be divided into two parts: special search locations and standard search locations. You can find the search order comprising both parts in Figure 1.\r\nhttps://unit42.paloaltonetworks.com/dll-hijacking-techniques/\r\nPage 1 of 15\r\nFigure 1. Flow chart of the Windows DLL search order.\r\nSpecial Search Locations\r\nSpecial search locations are taken into account before the standard search locations, and they contain different factors that can control the locations to be searched and used to load a DLL. These locations are based on the application and the system configurations.\r\n1. DLL redirection allows specifying which DLL should be loaded by the DLL loader\r\n2. API sets allow dynamically routing function calls to the appropriate DLL based on the version of Windows and the availability of different features\r\n3. SxS manifest redirection redirects DLL loading by using application manifests\r\n4. Loaded-module list verifies whether the DLL is already loaded into memory\r\n5. Known DLLs checks whether the DLL name and path match the Windows list of known DLLs. This list resides in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs\r\n6. The package dependency graph of the process, in case it was executed as part of a packaged app\r\nStandard Search Locations\r\nThe standard search locations are the ones most associated with the DLL hijacking technique, and they are the ones adversaries usually use. Windows will use the following order to search for the desired DLL.\r\n1. The application’s directory (the directory containing the executable)\r\n2. C:\\Windows\\System32\r\n3. C:\\Windows\\System\r\n4. C:\\Windows\r\n5. The current directory (the directory from which we execute the executable)\r\n6. Directories listed in the PATH environment variable\r\nHijacking this whole DLL search order will grant an adversary the option to load their malicious DLL within the context of a legitimate application and achieve stealthy execution. They can do this by triggering a malicious DLL to load before the valid one, replacing the DLL or by altering the order (specifically the PATH environment variable).\r\nThe prevalence of DLL hijacking has been on the rise in recent years, and DLL hijacking continues to gain popularity. This is because discovering and exploiting the vulnerability in legitimate executables isn't considered to be particularly difficult. However, detecting an attacker loading malicious, camouflaged DLLs within legitimate executables remains a complex undertaking.\r\nCommon DLL Hijacking Implementations\r\nAs the concept of DLL hijacking continues to evolve over time, threat actors have evolved as well, using different approaches to perform this kind of attack. The three most common techniques we have observed are DLL side-loading, DLL search order hijacking and phantom DLL loading. The most common technique is DLL side-loading.\r\nDLL Side-Loading\r\nIn this most commonly used DLL-hijacking technique, an attacker obtains a legitimate executable that loads a specifically named DLL without specifying the DLL file's full directory path. DLL side-loading uses a malicious DLL renamed to the same filename as a legitimate DLL, one normally used by a legitimate executable. Attackers drop the legitimate executable and a malicious, renamed DLL within a directory they have access to.\r\nIn DLL side-loading, the attackers rely on the fact that the executable’s directory is one of the first locations Windows searches.\r\nWe have studied examples of attackers employing this technique in recent Unit 42 posts, including an instance by the APT Cloaked Ursa (aka APT29), and as part of our Threat Hunting series.\r\nDLL Search Order Hijacking\r\nThis implementation exemplifies the core abuse of the entire Windows DLL search order. It is used by adversaries, red teamers and security validation solutions.\r\nThis technique simply leverages the Windows DLL search order: dropping a malicious DLL in any of the searched locations causes a vulnerable, legitimate program to execute that malicious DLL. An attacker can place a malicious DLL in a location prioritized by the DLL search order before the location of a valid DLL. This can happen at any point in the DLL search order, including the PATH environment variable, which attackers can modify by adding a path directory with a malicious DLL.\r\nAn example of this type of attack is to drop a malicious DLL in a Python installation directory to hijack the DLL search order. This is an implementation that different security practitioners have already demonstrated.\r\nWhen Python is installed on a Windows machine, it often adds its installation directory to the PATH environment variable, usually in one of the first searched locations, as shown in Figure 2.\r\nFigure 2. Python folders in the PATH environment variable.\r\nInstalling Python on a Windows host creates a directory with relaxed permissions, allowing any authenticated user (including unprivileged ones) to write to this location. This gives attackers the best conditions to execute their DLL search order hijack attack and infect the targeted machine.\r\nPhantom DLL Loading\r\nIn this technique, adversaries look for a vulnerable executable that attempts to load a DLL that simply doesn't exist (or is missing) due to an implementation bug. Then, attackers will plant a malicious DLL with the non-existent DLL’s filename in its expected location.\r\nA familiar example of this technique is the abuse of the Windows Search (WSearch) Service. This service is responsible for search operations and it launches with SYSTEM privileges upon system startup.\r\nWhen this service starts, it executes SearchIndexer.exe and SearchProtocolHost.exe, which both attempt to load msfte.dll from System32. In default Windows installations, the file does not exist in this location.\r\nAn adversary can plant their malicious DLL if they can write to the System32 folder or an alternate DLL search order location, or insert another attacker-controlled location into the PATH environment variable. This allows them to gain a stealthy pathway for execution with SYSTEM privileges, and a means to maintain persistence on the machine.\r\nUncovering Threat Actors and Campaigns\r\nUsing our telemetry, we set out to hunt for DLL hijacking attacks, which revealed a large volume of attempted DLL hijacking attacks – including their variations. The following section provides real-world examples of how various threat actors, both cybercrime and nation-state APT groups, use DLL hijacking.\r\nExamples of DLL Hijacking by Nation-State APT Threat Actors\r\nToneShell’s Triple DLL Side-Loading\r\nIn September 2023, Unit 42 researchers discovered attackers using DLL side-loading to install the ToneShell backdoor. Attacks using a ToneShell variant were linked to Stately Taurus, in a campaign that built upon three DLL components working in tandem as shown in Figure 3. In the image, each component has been paired with its associated Image Load event in Cortex. The action type shows that the malicious DLLs were loaded to each legitimate process.\r\nFigure 3. ToneShell process tree in Cortex XDR.\r\nEach DLL component holds a different purpose:\r\nPersistence components (nw.dll, nw_elf.dll): These DLLs are in charge of persistence for the backdoor, as well as dropping the other components to disk.\r\nNetworking component (rw32core.dll): This DLL is in charge of command and control (C2) communication.\r\nFunctionality component (secur32.dll): This DLL is in charge of executing the different commands of the backdoor.\r\nThe persistence components (nw.dll, nw_elf.dll) are side-loaded by PwmTower.exe, a component of a password manager, which is a legitimate security tool.\r\nThe networking component (rw32core.dll) is side-loaded by Brcc32.exe, the resource compiler of Embarcadero, an app development tool.\r\nThe functionality component (secur32.dll) is side-loaded by Consent.exe, which is a Windows binary described as “Consent UI for administrative applications.”\r\nPlugX RAT Leverages DLL Side-Loading to Remain Undetected\r\nAnother recent example of a DLL side-loading alert that caught our attention was an attack using the infamous PlugX backdoor.\r\nPlugX is a modular backdoor that is predominantly used by various Chinese APT groups like PKPLUG. PlugX developers circulate in underground hacking communities, and the malware binaries can be found online, so non-Chinese threat actors can also use PlugX.\r\nIn the following example, PlugX infected a machine via a compromised USB device. Figure 4 shows the contents of the USB device. This device contained a directory named History and a Windows Shortcut (LNK) file. The History folder’s name and icon were disguised as the Windows History folder, and the LNK file uses an icon to appear as a removable disk.\r\nFigure 4. Fake History folder and malicious link file.\r\nThe fake History folder contains three files:\r\n3.exe: A renamed Acrobat.exe file (a legitimate component of Adobe Acrobat)\r\nAcrobat.dll: The PlugX loader, renamed to appear to be a legitimate Adobe Acrobat file\r\nAcrobatDC.dat: A malicious payload that the PlugX loader decrypts in memory\r\nOnce the victim clicks the removable disk LNK, it launches the 3.exe process. Then 3.exe loads the PlugX component named Acrobat.dll via DLL side-loading.\r\nNext, the malware creates a directory at C:\\ProgramData\\AcroBat\\AcrobatAey and copies the three files to this location as Acrobat.exe, Acrobat.dll and AcrobatDC.dat, respectively.\r\nTo achieve persistence, this PlugX sample creates a scheduled task named InternetUpdateTask, which it sets to run every 30 minutes.\r\nFigure 5 shows the initial process tree of the infection in Cortex XDR.\r\nFigure 5. Process tree of initial execution of PlugX.\r\nExamples of DLL Hijacking by Cybercrime Threat Actors\r\nUncovering AsyncRAT Phishing Campaign Targeting South American Organizations\r\nBy hunting for DLL side-loading alerts in Cortex XDR Analysis, we discovered a phishing campaign targeting victims mainly in Colombia and Argentina, aiming to deliver AsyncRAT.\r\nAsyncRAT is open-source malware that is very popular among cybercriminals. It gives attackers a range of capabilities such as executing commands, screen capturing and key logging.\r\nThe infection starts with phishing emails written in Spanish that contain descriptions of required legal actions, as shown in Figure 6.\r\nFigure 6. Text of a phishing mail to deliver AsyncRAT.\r\nThe emails also contain links to a Google Drive URL hosting a malicious ZIP archive.\r\nThese archive files contain an executable with the same name as the ZIP filename and a malicious DLL file named http_dll.dll.\r\nThe executable is actually a renamed legitimate component of the ESET HTTP Server service process, originally named EHttpSrv.exe. When the victim executes the renamed EHttpSrv.exe, it loads the malicious http_dll.dll file from the same directory via DLL side-loading. After the executable loads http_dll.dll, the DLL unpacks in memory and loads the AsyncRAT malware.\r\nFigure 7 shows the infection chain as seen in Cortex XDR. The malicious ZIP archive is downloaded, extracted with 7-Zip (7zG.exe) and the renamed EHttpSrv.exe is executed.\r\nFigure 7. AsyncRAT infection in Cortex XDR.\r\nFigure 8 shows the “Possible DLL Side-Loading” alert Cortex XDR raised for this chain of events.\r\nFigure 8. Possible DLL Side Loading alert in Cortex XDR.\r\nPhantom DLL Loading for CatB Ransomware\r\nCatB ransomware was first seen in December 2022. In at least one campaign since then, threat actors have abused the Distributed Transaction Coordinator (MSDTC) service to achieve phantom DLL loading for CatB ransomware.\r\nThe core of this CatB ransomware campaign consists of two components: a dropper DLL and a ransomware DLL. The dropper DLL performs different anti-sandbox and anti-virtual machine (VM) checks to ensure the environment is safe to drop its ransomware payload.\r\nAfter the dropper DLL is satisfied the environment is clear, it writes a second DLL named oci.dll under the C:\\Windows\\System32 directory. Then, the dropper kills the MSDTC process (msdtc.exe), as shown below in Figure 9.\r\nFigure 9. Execution of the dropper DLL in Cortex XDR.\r\nThis is done to implement phantom DLL loading. When msdtc.exe launches, it attempts to load a DLL named oci.dll, which does not usually exist in the System32 folder. When msdtc.exe relaunches, it loads the malicious oci.dll, which is the ransomware payload, as shown in Figure 10. In the image, the process msdtc.exe is paired with the Image Load event in Cortex for the malicious oci.dll.\r\nFigure 10. Msdtc.exe loads the malicious oci.dll module shown in Cortex XDR.\r\nCortex XDR alerts on phantom DLL loading attempts, as shown in Figure 11.\r\nFigure 11. Phantom DLL Loading alert in Cortex XDR.\r\nAbuse of Microsoft DLLs Leads to Dridex\r\nThreat actors have implemented DLL side-loading for another well-known malware, the Dridex banking Trojan. The initial infection vector for Dridex has most often been malicious emails or web traffic.\r\nWhen executed, the Dridex loader has used AtomBombing to inject code into the process space used by explorer.exe. Next, the injected explorer.exe process writes Dridex DLLs as .tmp files and shell scripts with random names to the user’s TEMP directory. An example of these files being written to disk is shown in Figure 12.\r\nFigure 12. Malicious files written to disk by explorer.exe shown in Cortex XDR.\r\nUp to three of the shell scripts can appear, and they create the persistent Dridex infection in three different locations under random directory paths on the victim's host. The persistent infection uses DLL side-loading.\r\nThe shell scripts create these randomly named directories under random directory paths, copy legitimate Microsoft executables and rename the Dridex DLL .tmp files for the DLL side-loading. An example of two shell scripts is shown below in Figure 13.\r\nFigure 13. The shell scripts that copy Dridex.\r\nAfterward, the injected explorer.exe process creates persistence for the copied binaries using up to three methods:\r\n1. A registry update under HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (example in Figure 14)\r\n2. A Windows shortcut under the user's AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup folder\r\n3. A scheduled task\r\nFigure 14. Cortex XDR alert on Dridex creating a scheduled task for persistence.\r\nFigure 15 shows Cortex XDR alerting on the legitimate file DeviceEnroller.exe side-loading a malicious Dridex DLL.\r\nFigure 15. Alert for the legitimate DeviceEnroller.exe side-loading the malicious Dridex DLL.\r\nPrinciples for Efficient DLL Hijacking Detection\r\nPinpointing instances where an executable unexpectedly loads a malicious DLL with an identical name, but that is otherwise different in its content, is a rather challenging task. This challenge significantly increases when attempting to detect these behavioral anomalies at scale.\r\nIn this section we provide several principles for effective detection of DLL hijacking, including its variations. The principles will focus on the malicious DLL, the vulnerable application and the loading event, where a vulnerable application loads the malicious DLL.\r\nMalicious DLL\r\nSince the malicious DLL has the same name as a legitimate DLL, we look for abnormalities. For example:\r\nNo digital signature or a stolen signature\r\nAn unusual file size\r\nUnusually high or low entropy\r\nA rare file hash (compared to baseline) in the organization\r\nDLL compilation time significantly newer than the loading application\r\nA DLL placed in a path it doesn’t usually reside in\r\nVulnerable Application\r\nThe vulnerable application is usually a legitimate one to allow better disguise for the malicious DLL execution. Given that, we proceed to seek out distinct traits:\r\nUsually a valid digital signature\r\nTrusted vendors (antivirus, browsers, VPNs, Microsoft applications) are a common target\r\nCommonly abused application (by hash or version)\r\nIn DLL side-loading:\r\nIt will usually be an uncommon application in the organization\r\nIt will usually use an uncommon directory (e.g., C:\\Users\\\u003cUsername\u003e\\AppData, C:\\ProgramData)\r\nLoading Event\r\nWe can find different abnormalities also within the loading event. For example:\r\nThe first time the application loads a suspected DLL name and/or its hash\r\nThe application usually loads several DLLs, but now it loads only one\r\nMitigating the DLL Hijacking Attack Surface\r\nTo secure applications from possible DLL hijacking attacks, developers need to be cognizant of this attack technique and integrate diverse protective measures.\r\nMicrosoft has published a DLL security article covering several best practices to support developers in this effort, including the following:\r\nWherever possible, specify a fully qualified path when loading DLLs or triggering new process executions.\r\nGain more control of your application behavior by utilizing DLL redirection and manifests.\r\nDo not assume the operating system version when users execute an application. Develop your application to be handled as intended in all OSes.\r\nConclusion\r\nThis article covers DLL hijacking, providing the technical background needed to understand how threat actors weaponize it, along with an explanation of popular variations in its implementation.\r\nIn addition, we provide examples that demonstrate how various threat actors – both APT nation-state and cybercrime groups – rely on this technique to achieve stealth, persistence and privilege escalation in their operations.\r\nLastly, we discuss possible approaches for detecting and mitigating DLL hijacking in enterprise environments.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with the threats described above:\r\nNext-Generation Firewall and Advanced WildFire accurately identify known samples as malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nPrisma Cloud\r\nWhen paired with the WildFire integration, the Prisma Cloud Defender agent will identify malicious binaries and make verdict determinations when analyzing executing processes.\r\nWhen paired with XSIAM, the Prisma Cloud Defender is enabled to block malicious processes from operating within the cloud environment.\r\nPrevents the execution of known malicious malware, and also prevents the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nCortex XDR and XSIAM\r\nDetects known and novel DLL hijacking attacks, using the new generic Analytics DLL Hijacking tag.\r\nPrevents the execution of known malicious malware, and also prevents the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.\r\nProtects from threat actors dropping and executing commands from web shells using Anti-Webshell Protection, newly released in Cortex XDR 3.4.\r\nProtects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nCortex XDR Pro detects post exploit activity, including credential-based attacks, with behavioral analytics.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nThe following are SHA256 hashes of files from the examples used in this article.\r\nSource: https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/"
	],
	"report_names": [
		"dll-hijacking-techniques"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a421ba538443db52674fe2a7997625ceb05e015c.pdf",
		"text": "https://archive.orkl.eu/a421ba538443db52674fe2a7997625ceb05e015c.txt",
		"img": "https://archive.orkl.eu/a421ba538443db52674fe2a7997625ceb05e015c.jpg"
	}
}