Potential JLI.dll Side-Loading

Rule Info

Name
Potential JLI.dll Side-Loading
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.
Reference
https://securelist.com/apt41-in-africa/116986/
Date
2025-07-25 00:00:00
Modified
2025-10-06 00:00:00
Id
7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
Tags
attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35

Rule History

Author
Title
Date
Commit
phantinuss
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09
b242175fe
Swachchhanda Shrawan Poudel
Merge PR #5544 from @swachchhanda000 - Add `Potential JLI.dll Side-Loading`
2025-08-14
eeca352f5
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022