Potential Vcruntime140 DLL Sideloading

Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library. Threat actors have been observed using DLL sideloading to load malicious payloads under the guise of legitimate applications such as SqlWriter and SqlDumper. Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll in order to execute malicious code.

Sigma rule

```yaml
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
    Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
    Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
    Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
    - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
    - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
    - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
modified: 2026-05-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vcruntime140.dll'
    filter_main_legitimate_path:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_legitimate_signer:
        Signed: true
        SignatureStatus: 'Valid'
        Description|endswith: 'C Runtime Library'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
```
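To make the condition logic concrete, here is an added Python evaluator (not the Sigma project's code and not part of this rule page) that applies the selection and the three filters above to constructed Sysmon image-load records; field names follow the rule's Sigma taxonomy, and every path, user name and description is made up for the example.

```python
# Added example (not the Sigma project's code): applies this rule's detection
# block to constructed Sysmon Event ID 7 (image load) records. Field names
# follow the Sigma windows/image_load taxonomy; all values are constructed.
LEGIT_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\program files\\", "c:\\program files (x86)\\")

def selection(ev):
    # ImageLoaded|endswith: '\vcruntime140.dll' (Sigma matching is case-insensitive)
    return ev.get("ImageLoaded", "").lower().endswith("\\vcruntime140.dll")

def filter_main_legitimate_path(ev):
    return ev.get("ImageLoaded", "").lower().startswith(LEGIT_PATHS)

def filter_main_legitimate_signer(ev):
    # Keys inside one map are ANDed: all three must hold to suppress the event.
    return (str(ev.get("Signed", "")).lower() == "true"
            and ev.get("SignatureStatus", "").lower() == "valid"
            and ev.get("Description", "").lower().endswith("c runtime library"))

def filter_optional_onedrive(ev):
    img = ev.get("Image", "").lower()
    return img.startswith("c:\\users\\") and "\\appdata\\local\\microsoft\\onedrive\\" in img

def matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection(ev)
            and not (filter_main_legitimate_path(ev) or filter_main_legitimate_signer(ev))
            and not filter_optional_onedrive(ev))

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 1: loaded from System32 -> suppressed by the path filter
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vcruntime140.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Description": "Microsoft® C Runtime Library"},
    # 2: validly signed copy in a user directory -> suppressed by the signer filter
    {"Image": "C:\\Users\\alice\\Tools\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\Tools\\vcruntime140.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Description": "Microsoft® C Runtime Library"},
    # 3: unsigned copy next to a binary in a temp directory -> fires
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sqlwriter.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\vcruntime140.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Description": "-"},
]

def alerting_events(events=SAMPLE_EVENTS):
    # 1-based indices of the events that satisfy the rule condition
    return [i for i, ev in enumerate(events, 1) if matches(ev)]
```

Event 2 shows what filter_main_legitimate_signer does: a validly signed copy of the library is suppressed even outside the standard directories, so the rule only fires on unsigned or invalidly signed copies loaded from non-standard paths.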
