#T1574.002 DLL Side-Loading

Technique

  • Tactics: Persistence, Privilege Escalation, Defense Evasion
  • Description:

    Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

    Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)

  • First Seen: APT Threat Landscape in Japan 2020 • 2021-05-21
MITRE ATT&CK

Tagged Reports

2026-06-17
Ahnlab
#Xctdoor #LNK #T1053.005 #T1059.001 #T1059.003 #T1059.005 #T1105 #T1204.002 #T1547.001 #T1574.002
#Lazarus #Medusa #Ransomware #T1574.002 #T1562.001 #T1059.001 #T1490 #T1555 #T1486 #T1547.014 #T1129 #T1036.005 #T1622 #T1135 #T1027.002 #T1546.015 #T1489 #T1082
#Lazarus #Medusa #Ransomware #T1574.002 #T1562.001 #T1059.001 #T1490 #T1555 #T1486 #T1547.014 #T1129 #T1036.005 #T1622 #T1135 #T1027.002 #T1546.015 #T1489 #T1082
2025-10-23
Trellix
#Andariel #Kimsuky #Lazarus #Trend #T1574.002 #T1204.004 #T1564.006 #T1027.006
2025-08-25
Bloo
#GolangGhost #Lazarus #T1055.012 #T1190 #T1562.001 #T1036.007 #T1123 #T1059.005 #T1106 #T1036.003 #T1622 #T1059.010 #T1027.002 #T1132.002 #T1136.001 #T1057 #T1548.002 #T1059.003 #T1134.004 #T1566.001 #T1518.001 #T1614.001 #T1574.007 #T1573.001 #T1547.001 #T1140 #T1027.009 #T1005 #T1070.004 #T1027.007 #T1098.007 #T1041 #T1564.001 #T1010 #T1113 #T1219 #T1071.004 #T1021.002 #T1204.002 #T1055.002 #T1071.001 #T1574.002 #T1115 #T1083 #T1059.001 #T1555.003 #T1056.001 #T1566.002 #T1497.001 #T1217 #T1021.006
2025-08-13
Cyfirma
#Lazarus #T1090.001 #T1134.002 #T1562.001 #T1543.003 #T1059.003 #T1553.002 #T1614.001 #T1074.001 #T1485 #T1591 #T1218.011 #T1620 #T1078 #T1587.001 #T1027.007 #T1010 #T1571 #T1090.002 #T1218.010 #T1542.003 #T1583.001 #T1033 #T1497.001 #T1560.002 #T1203 #T1036 #T1012 #T1016 #T1059.005 #T1106 #T1027 #T1566.003 #T1027.002 #T1562.004 #T1529 #T1049 #T1140 #T1585.001 #T1005 #T1053.005 #T1564.001 #T1608.001 #T1105 #T1046 #T1491.001 #T1055.001 #T1070 #T1589.002 #T1036.005 #T1110 #T1547.009 #T1489 #T1110.003 #T1534 #T1047 #T1573 #T1588.004 #T1104 #T1036.003 #T1591.004 #T1001.003 #T1057 #T1082 #T1561.002 #T1566.001 #T1574.013 #T1561.001 #T1608.002 #T1585.002 #T1218 #T1588.002 #T1036.004 #T1204.001 #T1041 #T1560 #T1202 #T1071.001 #T1218.005 #T1059.001 #T1593.001 #T1189 #T1124 #T1056.001 #T1070.006 #T1008 #T1102.002 #T1048.003 #T1583.006 #T1221 #T1557.001 #T1098 #T1547.001 #T1567.002 #T1584.004 #T1087.002 #T1070.004 #T1560.003 #T1070.003 #T1583.004 #T1132.001 #T1588.003 #T1021.002 #T1204.002 #T1220 #T1574.002 #T1083 #T1566.002 #T1021.001 #T1021.004 #T1584.001
2025-04-29
S2W
#Lazarus #T1137.001 #T1070 #T1574.002 #T1221 #T1260 #T1070.006
2025-04-24
Kaspersky
#Innorix #LPEClient #Lazarus #SIGNBT #SyncHole #ThreatNeedle #AGAMEMNON #CrossEX #T1190 #T1027.013 #T1016 #T1570 #T1543.003 #T1583.003 #T1057 #T1082 #T1573.001 #T1218.011 #T1087.001 #T1620 #T1135 #T1049 #T1140 #T1087.002 #T1027.009 #T1608.004 #T1105 #T1071.001 #T1574.001 #T1574.002 #T1547.005 #T1083 #T1583.001 #T1007 #T1564.004 #T1573.002 #T1189 #T1584.001 #T1569.002
2025-02-03
System Weakness
#3CXDesktopApp #T1574.002 #T1497
2024-07-19
Cyfirma
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1562.001 #T1190 #T1068 #T1543.003 #T1056 #T1595.002 #T1059.003 #T1566 #T1485 #T1218.011 #T1069.002 #T1010 #T1571 #T1102.001 #T1583.001 #T1555.003 #T1033 #T1497.001 #T1203 #T1036 #T1012 #T1027 #T1583.003 #T1071 #T1562.004 #T1614 #T1027.005 #T1548 #T1552 #T1140 #T1005 #T1053.005 #T1564.001 #T1555 #T1129 #T1070.001 #T1046 #T1070 #T1095 #T1569.002 #T1562 #T1573 #T1047 #T1552.001 #T1057 #T1082 #T1518.001 #T1176 #T1090 #T1518 #T1539 #T1041 #T1564 #T1560 #T1202 #T1071.001 #T1547 #T1112 #T1497 #T1059.001 #T1124 #T1056.001 #T1222 #T1070.006 #T1059 #T1564.003 #T1222.001 #T1056.004 #T1547.001 #T1584 #T1087.002 #T1070.004 #T1505.003 #T1113 #T1608.005 #T1204.002 #T1087 #T1574.002 #T1115 #T1083 #T1490 #T1053 #T1486 #T1566.002 #T1133 #T1021.004 #T1003
2024-01-23
Ahnlab
#LazarLoader #Lazarus #T1574.002
2024-01-17
Ahnlab
#LazarLoader #Lazarus #T1574.002
2023-10-27
Kaspersky
#LPEClient #SIGNBT #T1574.002 #T1027.001 #T1620 #T1203 #T1083 #T1041 #T1113 #T1189 #T1003.001 #T1573.001 #T1547.012 #T1027.002 #T1132.002 #T1071.001 #T1140 #T1057 #T1082
2023-05-23
Ahnlab
#LazarLoader #IIS #Lazarus #T1574.002
2023-05-17
Ahnlab
#LazarLoader #IIS #Lazarus #T1574.002
« Back