@albertzsigovits
Created October 26, 2023 07:41
DLL Sideloading cases
| Case | EXE | DLL | Date | Family | Type | Country |
|---|---|---|---|---|---|---|
| PoisonIvy RAT hijacking Samsung RunHelp.exe | RunHelp.exe | ssMUIDLL.dll | 2019.01.01 | PoisonIvyRAT | APT | - |
| Remcos hijacking OpenVPN libcrypto.dll | OpenVPNGui.exe | libcrypto.dll | 2021.03.01 | Netwire/Remcos RAT | APT | - |
| REvil hijacking MsMpEng.exe / WinDefender DLL | MsMpEng.exe | mpsvc.dll | 2021.03.31 | REvil group | Cybercrime | - |
| NGOs are targeted by APT10 with VLC media player side-loading | vlc.exe | - | 2022.02.01 | Cicada group | APT10 | CN |
| Lockbit ransomware dropping Cobalt Strike w/ DLL-sideloading | VMwareXferlogs.exe | glib-2.0.dll | 2022.04.27 | Lockbit group | Cybercrime | - |
| PlugX hijacking Bitdefender AV DLLs | bdsrv.exe | log.dll | 2022.05.02 | PlugX/ShadowPad RAT | APT | CN |
| Mustang Panda targets EU entities with phishing | Acrobat.exe | Acrobat.dll | 2022.05.05 | PlugX/ShadowPad RAT | APT | CN |
| Qakbot abusing calc.exe for sideloading | calc.exe | WindowsCodecs.dll | 2022.07.27 | Qakbot trojan | Cybercrime | - |
| Qakbot abusing Teams.exe for sideloading | Teams.exe | iphlpapi.dll | 2022.07.27 | Qakbot trojan | Cybercrime | - |
| Qakbot abusing OneDrive.exe for sideloading | OneDrive.exe | iphlpapi.dll | 2022.07.27 | Qakbot trojan | Cybercrime | - |
| Espionage activity on Asian governments with DLL side-loading | imjputyc.exe | imjputyc.dll | 2022.09.13 | PlugX/QuasarRAT | APT | - |
| PlugX RAT DLL side-loading | nv.exe | nvsmartmax.dll | 2022.09.22 | PlugX | APT | CN |
| PlugX RAT DLL side-loading | Gadget.exe | Sidebar.dll | 2022.09.22 | PlugX | APT | CN |
| PlugX RAT DLL side-loading | fsguidll.exe | fslapi.dll | 2022.09.22 | PlugX | APT | CN |
| PlugX RAT DLL side-loading | mcinsupd.exe | mytilus3.dll | 2022.09.22 | PlugX | APT | CN |
| PlugX RAT DLL side-loading | aro.exe | aross.dll | 2022.09.22 | PlugX | APT | CN |
| US Defense Base breached by APT using DLL-sideloading | vf_host.exe | vftrace.dll | 2022.09.28 | HyperBro malware | APT | - |
| Lazarus abusing wsmprovhost.exe with mi.dll | wsmprovhost.exe | mi.dll | 2022.10.12 | Lazarus Group | APT | NK |
| GitHub PoC on OneDriveUpdater.exe | OneDriveUpdater.exe | version.dll | 2022.10.13 | GitHub PoC | - | - |
| Notepad++ Gup.exe Cybereason PoC | Gup.exe | libcurl.dll | 2022.10.26 | Research PoC | - | - |
| Mustang Panda PlugX hijacking Adobe Reader AAMupdate.exe/hex.dll | AAMupdate.exe | hex.dll | 2022.10.26 | Mustang Panda group | APT | CN |
| Babuk ransomware DLL-sideloading NTSD | NTSD.exe | dbgeng.dll | 2022.11.23 | Babuk ransomware | Cybercrime | - |
| Babuk ransomware DLL-sideloading Winword | Winword.exe | wwlib.dll | 2022.11.23 | Babuk ransomware | Cybercrime | - |
| Ransomware infection hides Cobalt payload with DLL-sideloading | msdtc.exe | libvlc.dll | 2022.12.01 | Ransomware groups | Cybercrime | - |
| https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia | Removable Drive.exe | u2ec.dll | 2022.12.08 | MISTCLOACK / UNC4191 | APT | CN |
| https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia | USB Drive.exe | u2ec.dll | 2022.12.08 | MISTCLOACK / UNC4191 | APT | CN |
| https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia | DateCheck.exe/RzCefRenderProcess.exe | rzlog4cpp_logger.dll | 2022.12.08 | BLUEHAZE / UNC4191 | APT | CN |
| Abuse of WerFault.exe with DLL side-load of faultrep.dll | WerFault.exe | faultrep.dll | 2023.01.05 | PupyRAT | APT | CN |
| Trojanized WhatsApp, Firefox deploys FatalRAT with side-loading | sccs.exe | libpng13.dll | 2023.02.16 | FatalRAT | - | - |
| Tencent installer used for DLL side-loading of FatalRAT | ssu.exe | dr.dll | 2023.02.16 | FatalRAT | - | - |
| Iron Tiger's SysUpdate deploys via DLL-sideloading | rc.exe | rc.dll | 2023.03.01 | SysUpdate APT malware | APT | CN |
| Shellcode loader dropped via VLC app with DLL side-loading | vlc.exe | libvlc.dll | 2023.03.02 | SilkLoader | - | - |
| Rorschach ransomware deployed via Palo Alto Networks' Cortex XDR Dump Service Tool | cy.exe | winutils.dll | 2023.04.04 | Rorschach Loader and Injector | Cybercrime | - |
| https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ | ciscocollabhost.exe | ciscosparklauncher.dll | 2022.11.03 | - | - | - |
| https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ | googleupdate.exe (VLC Media Player) | libvlc.dll | 2022.11.03 | - | - | - |
| https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ | Netsky.exe (Razer Chromium Render Process) | RzLog4CPP_Logger.dll | 2022.11.03 | - | - | - |
| https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ | disk_watch.exe | u2ec.dll | 2022.11.03 | - | - | - |
| https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ | smstore.exe and msvcrt.dll | SYSMSRV.dll | 2022.11.03 | - | - | - |
| https://www.group-ib.com/blog/dark-pink-apt/ | - | - | 2023.01.11 | Dark Pink APT | APT | APAC |
| https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/ | Logagent.exe (Windows Media Player Troubleshooting) | wsock32.dll | 2022.12.06 | DEV-0139 | - | - |
| https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/ | tplink.exe | DUser.dll (wsock32.dll/HijackingLib.dll) | 2022.12.06 | DEV-0139 | - | - |
| https://blog.morphisec.com/sys01stealer-facebook-info-stealer | WDSyncService.exe | WDSync.dll | 2023.03.07 | Sys01 Stealer | Cybercrime | - |
| https://blog.morphisec.com/sys01stealer-facebook-info-stealer | ElevatedInstaller.exe (Garmin) | Garmin.Cartography.MapUpdate.???.dll | 2023.03.07 | Sys01 Stealer | Cybercrime | - |
| https://labs.vipre.com/qbot-packed-in-iso-with-dll-side-loading/ | calc.exe | WindowsCodecs.dll | 2022.08.04 | Qakbot | Cybercrime | - |
| https://community.netwitness.com/t5/netwitness-community-blog/examining-apt27-and-the-hyperbro-rat/ba-p/693490 | vf_host.exe (CyberArk ViewFinity) | vftrace.dll | 2022.12.10 | HyperBro RAT | APT27 | CN |
| https://www.zscaler.com/blogs/security-research/album-stealer-targets-facebook-adult-only-content-seekers | Album.exe (TresoritPdfViewer) | PdfiumControl.dll | 2023.01.20 | AlbumStealer | Cybercrime | - |
| https://industrialcyber.co/threat-landscape/south-asian-government-entities-targeted-by-dark-pink-apt-group-using-multiple-kamikakabot-malware/ | WinWord.exe | msvcr100.dll | 2023.03.14 | Dark Pink APT / KamiKakaBot | APT | ASEAN |
| https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/ | CameraSettingsUIHost.exe | dui70.dll / DUser.dll (HijackingLib.dll) | 2022.12.01 | AppleJeus / Lazarus Group | APT | NK |
| https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/ | Logagent.exe | wsock32.dll | 2022.12.01 | AppleJeus / Lazarus Group | APT | NK |
| https://www.cybereason.com/blog/oracle-mimikatz-dll-hijacking | unpack200.exe | msvcrt100.dll | 2018.06.24 | Cybercrime | - | - |
| https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive | ? | wlbsctrl.dll | 2019.06.25 | Operation CuckooBees / Winnti APT | APT | |
| https://www.cybereason.com/blog/research/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers | Samsung Tool | ssMUIDLL.dll | 2022.05.04 | Operation Soft Cell APT | APT | |