During the 2015 Ukraine Electric Power Attack, Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[8]
ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.[9]
APT19 configured its payload to inject into the rundll32.exe.[10]
APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[11][9][12][13][14][15]
APT32 malware has used rundll32.exe to execute an initial infection process.[17]
APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[18][19]
Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.[21]
Attor's installer plugin can schedule rundll32.exe to load the dispatcher.[22]
Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[23]
Bad Rabbit has used rundll32 to launch a malicious DLL as C:\Windows\infpub.dat.[24]
Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[25]
BLINDINGCAN has used Rundll32 to load a malicious DLL.[26]
Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.[27]
Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.[29]
Bumblebee has used rundll32 for execution of the loader component.[30][31]
During C0015, the threat actors loaded DLLs via rundll32 using the svchost process.[32]
During C0018, the threat actors used rundll32 to run Mimikatz.[33]
During C0021, the threat actors used rundll32.exe to execute the Cobalt Strike Beacon loader DLL.[34]
Carbanak installs VNC server software that executes through rundll32.[35]
Cobalt Strike can use rundll32.exe to load a DLL from the command line.[36][32][37]
CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[39]
CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."[40]
The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[41]
Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.[42]
DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.[43]
DEADEYE can use rundll32.exe for execution of living off the land binaries (lolbin) such as SHELL32.DLL.[44]
After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[46]
Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.[47]
EnvyScout has the ability to proxy execution of malicious files with Rundll32.[28]
EVILNUM can execute commands and scripts through rundll32.[48]
FELIXROOT uses Rundll32 for executing the dropper program.[50][51]
FIN7 has used rundll32.exe to execute malware on a compromised network.[52]
Rundll32.exe is used as a way of executing Flame at the command-line.[53]
FlawedAmmyy has used rundll32 for execution.[54]
FunnyDream can use rundll32 for execution of its components.[55]
Gamaredon Group malware has used rundll32 to launch additional malicious components.[56]
GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NT AUTHORITY\SYSTEM).[51]
HermeticWizard has the ability to create a new process using rundll32.[59]
Heyoka Backdoor can use rundll32.exe to gain execution.[60]
IcedID has used rundll32.exe to execute the IcedID loader.[61][62]
InvisiMole has used rundll32.exe for execution.[63]
Kapeka is a Windows DLL file executed via ordinal by rundll32.exe.[66][67]
Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim's network.[68]
KONNI has used Rundll32 to execute its loader for privilege escalation purposes.[70][71]
Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[72]
Latrodectus can use rundll32.exe to execute downloaded DLLs.[73][74]
Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.[75]
LazyScripter has used rundll32.exe to execute Koadic stagers.[76]
Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.[77]
Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[78]
MegaCortex has used rundll32.exe to load a DLL for file encryption.[79]
Mispadu uses RunDLL32 for execution via its injector DLL.[80]
Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.[81]
MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[82]
NativeZone has used rundll32 to execute a malicious DLL.[83]
Ninja loader components can be executed through rundll32.exe.[84]
NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[86]
During Operation Dream Job, Lazarus Group executed malware with C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.[87][88][89]
During Operation Spalax, the threat actors used rundll32.exe to execute malicious installers.[90]
PolyglotDuke can be executed using rundll32.exe.[49]
Pteranodon executes functions using rundll32.exe.[93]
PUNCHBUGGY can load a DLL using Rundll32.[94]
QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.[95][96][97][98][37]
Ragnar Locker has used rundll32.exe to execute components of VirtualBox.[99]
Raspberry Robin uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with Tor nodes.[100]
RedCurl has used rundll32.exe to execute malicious files.[101][102][103]
Sakula calls cmd.exe to run various DLL files via rundll32.[106]
Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[107]
ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.[108]
During the SolarWinds Compromise, APT29 used Rundll32.exe to execute payloads.[110][111]
Squirrelwaffle has been executed using rundll32.exe.[112][113]
Storm-0501 has launched Cobalt Strike Beacon files with rundll32.exe.[114]
StrelaStealer DLL payloads have been executed via rundll32.exe.[116][117]
TA505 has leveraged rundll32.exe to execute malicious DLLs.[119][108]
Troll Stealer is dropped as a DLL file and executed via rundll32.exe by its installer.[121][122]
UNC3886 has used rundll32.exe to execute MiniDump for dumping LSASS process memory.[123]
USBferry can execute rundll32.exe in memory to avoid detection.[124]
Water Curupira Pikabot Distribution utilizes rundll32.exe to execute the final Pikabot payload, using the named exports Crash or Limit depending on the variant.[125]
The Winnti for Windows installer loads a DLL using rundll32.[126][127]
Wizard Spider has utilized rundll32.exe to deploy ransomware commands with the use of WebDAV.[128]
ZxShell has used rundll32.exe to execute other DLLs and named pipes.[129]
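An added defensive example, not part of the ATT&CK page or any of the listed projects: a small Python triage routine that flags the rundll32 traits recurring in the entries above (no arguments, the comsvcs.dll MiniDump export, DLLs in user-writable paths or without a .dll extension, exports called by ordinal, and renamed or copied rundll32 binaries) over constructed Sysmon-style process-creation events. The event field names (image, original_file_name, cmdline) and the sample events are this example's own assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); field names are assumed.
EVENTS: list[dict[str, str]] = [
    {"image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},   # benign
    {"image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "cmdline": "rundll32.exe"},                                                    # no arguments
    {"image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "cmdline": r'rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel'},
    {"image": r"C:\Users\Public\svchost.exe", "original_file_name": "RUNDLL32.EXE",
     "cmdline": r"svchost.exe C:\Users\Public\a.dll,#1"},                          # renamed copy
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
# First argument: an optionally quoted DLL path, then an optional ",export" (name or #ordinal).
DLL_ARG = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>[^",\s]+))\s*(?:,\s*(?P<export>\S+))?')

def analyze(event: dict[str, str]) -> list[str]:
    """Return the suspicious rundll32 traits found in one process-creation event."""
    findings: list[str] = []
    if event.get("original_file_name", "").upper() != "RUNDLL32.EXE":
        return findings  # identify rundll32 by PE metadata, not by its on-disk name
    image = event["image"].lower()
    if not image.startswith(SYSTEM_DIRS) or not image.endswith("\\rundll32.exe"):
        findings.append("rundll32 renamed or copied outside System32/SysWOW64")
    args = event["cmdline"].partition(" ")[2]  # assumes the program token has no spaces
    if not args.strip():
        findings.append("rundll32 launched with no arguments")
        return findings
    m = DLL_ARG.match(args)
    if not m:
        return findings
    dll = (m.group("q") or m.group("u")).lower()
    export = (m.group("export") or "").lower()
    if dll.endswith("comsvcs.dll") and export == "minidump":
        findings.append("comsvcs.dll MiniDump export (process memory dump)")
    if dll.startswith(USER_WRITABLE):
        findings.append("DLL loaded from a user-writable path")
    if not dll.endswith(".dll"):
        findings.append("DLL argument lacks a .dll extension")
    if export.startswith("#"):
        findings.append("export called by ordinal")
    return findings

def scan(events: list[dict[str, str]]) -> list[dict[str, object]]:
    """Return only the events that produced at least one finding, with their traits."""
    return [{"cmdline": e["cmdline"], "findings": f} for e in events if (f := analyze(e))]
```

Every trait is a signal, not a verdict: the comsvcs.dll and ordinal checks are high-confidence, while a DLL under C:\Users may be legitimate software and needs the parent process and DLL hash for context.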