Potential JLI.dll Side-Loading

 1title: Potential JLI.dll Side-Loading
 2id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
 3status: experimental
 4description: |
 5    Detects potential DLL side-loading of jli.dll.
 6    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
 7    and others in order to load malicious payloads in context of legitimate Java processes.    
 8references:
 9    - https://securelist.com/apt41-in-africa/116986/
10    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
11    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
12    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2025-07-25
15tags:
16    - attack.defense-evasion
17    - attack.persistence
18    - attack.privilege-escalation
19    - attack.t1574.001
20logsource:
21    category: image_load
22    product: windows
23detection:
24    selection:
25        ImageLoaded|endswith: '\jli.dll'
26    filter_main_legitimate_install_paths:
27        ImageLoaded|startswith:
28            # Keeping the paths generic as jli.dll was found inside various directories of installed software
29            - 'C:\Program Files\'
30            - 'C:\Program Files (x86)\'
31        Description: 'OpenJDK Platform binary'
32        OriginalFileName: 'jli.dll'
33        Product|startswith: 'OpenJDK Platform'
34        Signed: 'true'
35    condition: selection and not 1 of filter_main_*
36falsepositives:
37    - Unknown
38level: high

References

• The SOC files: Rumble in the jungle or APT41’s new target in Africa

  

  Kaspersky experts analyze an incident that saw APT41 launch a targeted attack on government IT services in Africa.

  
  Read More

• Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

  

  The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victim...

  
  Read More

• jli.dll on HijackLibs

  

  Check out the entry for jli.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!

  
  Read More

• Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting  | Proofpoint US

  

  Key findings  Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese

  
  Read More

Related rules

• Potential System DLL Sideloading From Non System Locations
• Creation Of Non-Existent System DLL
• DLL Search Order Hijackig Via Additional Space in Path
• DLL Sideloading Of ShellChromeAPI.DLL
• Malicious DLL File Dropped in the Teams or OneDrive Folder