APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[2]
APT3 has been known to side-load DLLs using a valid version of Chrome together with one of their tools.[3][4]
APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[5][6][7]
APT41 used legitimate executables to perform DLL side-loading of their malware.[8]
BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[9][10]
DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[11]
BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.[12]
BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[13]
Chimera has used side-loading to place malicious DLLs in memory.[14]
Denis exploits a security vulnerability to load a fake DLL and execute its code.[5]
Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.[15]
Egregor has used DLL side-loading to execute its payload.[16]
FinFisher uses DLL side-loading to load malicious programs.[17][18]
GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[19]
Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.[6]
Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.[21]
HTTPBrowser has used DLL side-loading.[22]
HyperBro has used a legitimate application to side-load a DLL that decrypts, decompresses, and runs a payload.[23]
Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[24]
Kerrdown can use DLL side-loading to load malicious DLLs.[25]
LookBack side-loads its communications module as a DLL into the libcurl.dll loader.[26]
menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[27][28][29]
Metamorfo has side-loaded its malicious DLL file.[30][31][32]
Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[33][34][35]
Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.[36]
A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[38]
PlugX has used DLL side-loading to evade anti-virus.[4][22][39][27][40]
RainyDay can use side-loading to run malicious executables.[37]
Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[41]
Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[42]
During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[43]
Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.[22][44][45][23]
Tropic Trooper has been known to side-load DLLs using valid versions of the Windows Address Book and Windows Defender executables together with one of their tools.[46][47]
Waterbear has used DLL side-loading to import and load a malicious DLL loader.[12]
Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lssas.exe service.[48][49]
ZeroT has used DLL side-loading to load malicious payloads.[50][51]