Potential JLI.dll Side-Loading

Original Source: [Sigma source]
Title: Potential JLI.dll Side-Loading
Status: experimental
Description: Detects potential DLL side-loading of jli.dll. Various threat actors, including APT41 and the operators of XWorm, have been observed side-loading jli.dll into legitimate Java processes in order to execute malicious payloads in the context of a trusted Java binary.
References:
  - https://securelist.com/apt41-in-africa/116986/
  - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
  - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
  - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-07-25
Modified: None
Tags:
  • attack.defense-evasion
  • attack.persistence
  • attack.privilege-escalation
  • attack.t1574.001
Logsource:
  • category: image_load
  • product: windows
Detection:
  selection:
    ImageLoaded|endswith: '\jli.dll'
  filter_main_legitimate_install_paths:
    ImageLoaded|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
    Description: 'OpenJDK Platform binary'
    OriginalFileName: 'jli.dll'
    Product|startswith: 'OpenJDK Platform'
    Signed: 'true'
  condition: selection and not 1 of filter_main_*
False positives:
  - Unknown
Level: high
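The following is an added example, not part of the Sigma rule or of any SigmaHQ tooling: a small hand-written evaluator of the rule's logic (selection, the conjunctive filter, and the `selection and not 1 of filter_main_*` condition), run over constructed Sysmon Event ID 7 (Image loaded) records. All paths, vendor strings and event ids are invented for illustration and are not taken from the referenced reports. It also shows the tuning point behind the rule's "Unknown" false-positive entry: because every field inside the filter is ANDed, a signed jli.dll under Program Files whose version metadata is not OpenJDK's still produces an alert.

```python
# Added example (not part of the Sigma rule or the SigmaHQ tooling): a
# stand-alone evaluator for the rule logic above, run against constructed
# Sysmon Event ID 7 (Image loaded) records. Field names follow the Sigma
# "windows / image_load" log source as Sysmon emits them.
from typing import Dict, List

Event = Dict[str, str]

LEGIT_INSTALL_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")


def selection(ev: Event) -> bool:
    """selection: ImageLoaded|endswith '\\jli.dll'.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison.
    """
    return ev.get("ImageLoaded", "").lower().endswith("\\jli.dll")


def filter_main_legitimate_install_paths(ev: Event) -> bool:
    """All fields inside one Sigma map are ANDed; the list under
    ImageLoaded|startswith is ORed. Every field must match for the event to be
    suppressed, so a jli.dll under Program Files that is unsigned, or whose
    version metadata differs from OpenJDK's, is still reported."""
    image = ev.get("ImageLoaded", "").lower()
    return (
        any(image.startswith(p.lower()) for p in LEGIT_INSTALL_PREFIXES)
        and ev.get("Description", "").lower() == "openjdk platform binary"
        and ev.get("OriginalFileName", "").lower() == "jli.dll"
        and ev.get("Product", "").lower().startswith("openjdk platform")
        and ev.get("Signed", "").lower() == "true"
    )


def matches(ev: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_legitimate_install_paths(ev)


# Constructed sample events. Paths, vendor strings and the loading process are
# illustrative assumptions, not values observed in the referenced reports.
SAMPLE_EVENTS: List[Event] = [
    {   # Stock OpenJDK install: every filter field matches, so it is suppressed.
        "id": "jdk-program-files",
        "Image": "C:\\Program Files\\ExampleJDK\\jdk-17\\bin\\java.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleJDK\\jdk-17\\bin\\jli.dll",
        "Description": "OpenJDK Platform binary",
        "OriginalFileName": "jli.dll",
        "Product": "OpenJDK Platform 17",
        "Signed": "true",
    },
    {   # The side-loading pattern from the description: a copied Java launcher
        # in a user-writable directory loads an attacker-supplied jli.dll.
        "id": "sideload-user-dir",
        "Image": "C:\\Users\\Public\\Update\\javaw.exe",
        "ImageLoaded": "C:\\Users\\Public\\Update\\jli.dll",
        "Description": "",
        "OriginalFileName": "",
        "Product": "",
        "Signed": "false",
    },
    {   # Attacker copies OpenJDK's version resource into the malicious DLL and
        # drops it under Program Files; the filter still fails on Signed.
        "id": "spoofed-metadata-unsigned",
        "Image": "C:\\Program Files\\ExampleJDK\\jdk-17\\bin\\java.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleJDK\\jdk-17\\bin\\jli.dll",
        "Description": "OpenJDK Platform binary",
        "OriginalFileName": "jli.dll",
        "Product": "OpenJDK Platform 17",
        "Signed": "false",
    },
    {   # A different (constructed) vendor build under Program Files: signed and
        # legitimate, but its metadata is not OpenJDK's, so the rule fires.
        "id": "other-vendor-build",
        "Image": "C:\\Program Files\\ExampleVendor\\Java\\bin\\java.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleVendor\\Java\\bin\\jli.dll",
        "Description": "Example Vendor Java Platform binary",
        "OriginalFileName": "jli.dll",
        "Product": "Example Vendor Java Platform 21",
        "Signed": "true",
    },
    {   # Unrelated image load; the selection does not match at all.
        "id": "unrelated-dll",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Description": "Windows NT BASE API Client DLL",
        "OriginalFileName": "kernel32",
        "Product": "Microsoft Windows Operating System",
        "Signed": "true",
    },
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Return the ids of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'ALERT' if matches(ev) else 'ok   '} {ev['id']}")
```

Running the block prints one line per sample event; the three alerts are the user-directory side-load, the unsigned DLL with copied metadata, and the non-OpenJDK vendor build. The last of these is where a deployment would add its own `filter_main_*` entry (for example, the vendor's Description and Product strings) rather than widening the path filter, since the path alone is what a side-loading attacker controls.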