Potential JLI.dll Side-Loading

Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others, in order to load malicious payloads in the context of legitimate Java processes.

Sigma rule

title: Potential JLI.dll Side-Loading
id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
status: experimental
description: |
    Detects potential DLL side-loading of jli.dll.
    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
    and others in order to load malicious payloads in context of legitimate Java processes.
references:
    - https://securelist.com/apt41-in-africa/116986/
    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-25
modified: 2025-10-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\jli.dll'
    filter_main_legitimate_install_paths:
        ImageLoaded|startswith:
            # Keeping the paths generic as jli.dll was found inside various directories of installed software
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        Description: 'OpenJDK Platform binary'
        OriginalFileName: 'jli.dll'
        Product|startswith: 'OpenJDK Platform'
        Signed: 'true'
    filter_optional_eclipse:
        ImageLoaded|startswith: 'C:\eclipse\plugins\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
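To make the rule's selection/filter logic concrete, here is an added example (not code from the Sigma project or the rule's author) that evaluates the condition above over a few constructed Sysmon-style image_load events; the sample paths and metadata values are illustrative, not real telemetry.

```python
# Added example, not part of the Sigma rule or project: evaluates the rule's
# selection and filters over constructed Sysmon-style image_load events, so a
# defender can see which jli.dll loads fire. Field names follow the Sigma
# windows/image_load taxonomy; Sigma string matching is case-insensitive.
LEGIT_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

def field(ev, name):
    return str(ev.get(name, "")).lower()

def matches_selection(ev):
    # selection: ImageLoaded|endswith '\jli.dll'
    return field(ev, "ImageLoaded").endswith("\\jli.dll")

def filter_main_legitimate_install_paths(ev):
    # Keys inside one filter are ANDed; the list under |startswith is ORed.
    return (
        field(ev, "ImageLoaded").startswith(LEGIT_PREFIXES)
        and field(ev, "Description") == "openjdk platform binary"
        and field(ev, "OriginalFileName") == "jli.dll"
        and field(ev, "Product").startswith("openjdk platform")
        and field(ev, "Signed") == "true"
    )

def filter_optional_eclipse(ev):
    return field(ev, "ImageLoaded").startswith("c:\\eclipse\\plugins\\")

def rule_fires(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (matches_selection(ev)
            and not filter_main_legitimate_install_paths(ev)
            and not filter_optional_eclipse(ev))

# Constructed sample events (illustrative values, not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Program Files\Java\jdk-21\bin\jli.dll", "Description": "OpenJDK Platform binary",
     "OriginalFileName": "jli.dll", "Product": "OpenJDK Platform 21", "Signed": "true"},   # signed JDK: filtered
    {"ImageLoaded": r"C:\eclipse\plugins\org.eclipse.justj\jre\bin\jli.dll"},              # Eclipse path: filtered
    {"ImageLoaded": r"C:\Users\Public\update\jli.dll", "Signed": "false"},                 # user-writable dir: fires
    {"ImageLoaded": r"C:\Program Files\Vendor\jli.dll", "Description": "OpenJDK Platform binary",
     "OriginalFileName": "jli.dll", "Product": "OpenJDK Platform 17", "Signed": "false"},  # unsigned copy: fires
]

def flagged_loads(events=SAMPLE_EVENTS):
    """Return the ImageLoaded paths the rule would alert on."""
    return [ev["ImageLoaded"] for ev in events if rule_fires(ev)]

if __name__ == "__main__":
    for path in flagged_loads():
        print("ALERT: suspicious jli.dll load:", path)
```

Note that the fourth sample shows why the filter requires every field to match: a jli.dll under Program Files that is not signed still fires, which is the point of combining path, metadata and signature checks rather than trusting the path alone.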
