Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library. Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter and SqlDumper. Notably, APT29 has been documented leveraging WINELOADER to sideload vcruntime140.dll for executing malicious code.
Sigma rule
```yaml
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
    Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
    Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
    Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
    - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
    - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
    - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vcruntime140.dll'
    filter_main_legitimate_path:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_legitimate_signer:
        Signed: true
        SignatureStatus: 'Valid'
        Description: 'Microsoft® C Runtime Library'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
```
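To see how the condition `selection and not 1 of filter_main_*` behaves on real-looking telemetry, here is an added Python re-implementation of the rule's logic run over constructed image_load events; it is example code, not part of the rule or of the Sigma project, and the `ImageLoadEvent` fields mirror the Sysmon Event ID 7 fields the rule reads.

```python
# Added example (not the rule's or Sigma's own code): the rule condition
# "selection and not 1 of filter_main_*" re-implemented over constructed events.
from dataclasses import dataclass

# filter_main_legitimate_path prefixes, lower-cased: Sigma modifiers compare case-insensitively.
LEGIT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

@dataclass
class ImageLoadEvent:          # Sysmon Event ID 7 fields the rule reads
    image_loaded: str
    signed: bool
    signature_status: str
    description: str

def matches_vcruntime140_sideload(ev: ImageLoadEvent) -> bool:
    """True when the event satisfies the rule's condition."""
    loaded = ev.image_loaded.lower()
    # selection: the leading backslash means 'evilvcruntime140.dll' is not selected
    if not loaded.endswith("\\vcruntime140.dll"):
        return False
    # filter_main_legitimate_path: loads from standard install roots are dropped
    if loaded.startswith(LEGIT_PREFIXES):
        return False
    # filter_main_legitimate_signer: all three keys of the map must hold together
    if (ev.signed and ev.signature_status.lower() == "valid"
            and ev.description.lower() == "microsoft® c runtime library"):
        return False
    return True

def alerts(events):
    """Return the ImageLoaded paths of events that would fire the rule."""
    return [ev.image_loaded for ev in events if matches_vcruntime140_sideload(ev)]

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    # legitimate system copy: filtered by path
    ImageLoadEvent("C:\\Windows\\System32\\vcruntime140.dll", True, "Valid",
                   "Microsoft® C Runtime Library"),
    # unsigned copy in a user-writable folder; a matching description alone is not enough: fires
    ImageLoadEvent("C:\\Users\\Public\\Music\\VCRUNTIME140.dll", False,
                   "Unavailable", "Microsoft® C Runtime Library"),
    # validly signed Microsoft copy in a per-user app folder: filtered by signer
    ImageLoadEvent("C:\\Users\\u\\AppData\\Local\\App\\vcruntime140.dll", True,
                   "Valid", "Microsoft® C Runtime Library"),
    # different file name: never selected
    ImageLoadEvent("C:\\Users\\Public\\evilvcruntime140.dll", False, "Unavailable", ""),
]
```

Note that the path filter also suppresses an unsigned copy placed under a writable subfolder of `C:\Program Files\`, so the signer filter is the one that carries the detection in those locations.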