Potential Python DLL SideLoading

 1title: Potential Python DLL SideLoading
 2id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
 3status: test
 4description: Detects potential DLL sideloading of Python DLL files.
 5references:
 6    - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
 7    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
 8    - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
 9author: Swachchhanda Shrawan Poudel
10date: 2024-10-06
11modified: 2025-08-18
12tags:
13    - attack.defense-evasion
14    - attack.t1574.001
15logsource:
16    category: image_load
17    product: windows
18detection:
19    selection:
20        ImageLoaded|endswith:
21            - '\python39.dll'
22            - '\python310.dll'
23            - '\python311.dll'
24            - '\python312.dll'
25    filter_main_default_install_paths:
26        - ImageLoaded|startswith:
27              - 'C:\Program Files\Python3'
28              - 'C:\Program Files (x86)\Python3'
29        - ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
30    filter_optional_visual_studio:
31        ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
32    filter_optional_anaconda:
33        ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
34    filter_optional_cpython:
35        ImageLoaded|contains:
36            - '\cpython\externals\'
37            - '\cpython\PCbuild\'
38    filter_optional_pyinstaller:
39        # Triggered by programs bundled with PyInstaller
40        ImageLoaded|startswith: 'C:\Users'
41        ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
42    filter_main_legit_signature_details:
43        Product: 'Python'
44        Signed: 'true'
45        Description: 'Python'
46        Company: 'Python Software Foundation'
47    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
48falsepositives:
49    - Legitimate software using Python DLLs
50level: medium

References

• New SEO#LURKER Attack Campaign: Threat Actors Use SEO Poisoning and Fake Google Ads to Lure Victims Into Installing Malware

  

  Explore how SEO poisoning and malvertising target WinSCP users, with insights from Securonix Threat Research on this ongoing campaign.

  
  Read More

• Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

  

  Key Takeaways In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sli…

  
  Read More

• HijackLibs/yml/3rd_party/python at dc9c9f2f94e6872051dab58fbafb043fdd8b4176 · wietze/HijackLibs

  

  Project for tracking publicly disclosed DLL Hijacking opportunities. - wietze/HijackLibs

  
  Read More

Related rules

• Potential DLL Sideloading Of MsCorSvc.DLL
• Potential System DLL Sideloading From Non System Locations
• Potential DLL Sideloading Of DbgModel.DLL
• Potential DLL Sideloading Of MpSvc.DLL
• Potential Raspberry Robin Aclui Dll SideLoading