Potential JLI.dll Side-Loading

 1title: Potential JLI.dll Side-Loading
 2id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
 3status: experimental
 4description: |
 5    Detects potential DLL side-loading of jli.dll.
 6    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
 7    and others in order to load malicious payloads in context of legitimate Java processes.    
 8references:
 9    - https://securelist.com/apt41-in-africa/116986/
10    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
11    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
12    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2025-07-25
15modified: 2025-10-06
16tags:
17    - attack.defense-evasion
18    - attack.persistence
19    - attack.privilege-escalation
20    - attack.t1574.001
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection:
26        ImageLoaded|endswith: '\jli.dll'
27    filter_main_legitimate_install_paths:
28        ImageLoaded|startswith:
29            # Keeping the paths generic as jli.dll was found inside various directories of installed software
30            - 'C:\Program Files\'
31            - 'C:\Program Files (x86)\'
32        Description: 'OpenJDK Platform binary'
33        OriginalFileName: 'jli.dll'
34        Product|startswith: 'OpenJDK Platform'
35        Signed: 'true'
36    filter_optional_eclipse:
37        ImageLoaded|startswith: 'C:\eclipse\plugins\'
38    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
39falsepositives:
40    - Unknown
41level: high

References

• The SOC files: Rumble in the jungle or APT41’s new target in Africa

  

  Kaspersky experts analyze an incident that saw APT41 launch a targeted attack on government IT services in Africa.

  
  Read More

• Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

  

  The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victim...

  
  Read More

• jli.dll on HijackLibs

  

  Check out the entry for jli.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!

  
  Read More

• Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting  | Proofpoint US

  

  Key findings  Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese

  
  Read More

Related rules

• Potential Antivirus Software DLL Sideloading
• Potential DLL Sideloading Of DBGCORE.DLL
• Potential DLL Sideloading Of DBGHELP.DLL
• Potential System DLL Sideloading From Non System Locations
• Creation Of Non-Existent System DLL