← Back to Explore
sigmahighHunting
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.
Detection Query
selection:
ImageLoaded|endswith: \jli.dll
filter_main_legitimate_install_paths:
ImageLoaded|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
Description: OpenJDK Platform binary
OriginalFileName: jli.dll
Product|startswith: OpenJDK Platform
Signed: "true"
filter_optional_eclipse:
ImageLoaded|startswith: C:\eclipse\plugins\
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-07-25
Data Sources
windowsImage Load Events
Platforms
windows
References
- https://securelist.com/apt41-in-africa/116986/
- https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
- https://hijacklibs.net/entries/3rd_party/oracle/jli.html
- https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
Raw Content
title: Potential JLI.dll Side-Loading
id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
status: experimental
description: |
Detects potential DLL side-loading of jli.dll.
JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
and others in order to load malicious payloads in context of legitimate Java processes.
references:
- https://securelist.com/apt41-in-africa/116986/
- https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
- https://hijacklibs.net/entries/3rd_party/oracle/jli.html
- https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-25
modified: 2025-10-06
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\jli.dll'
filter_main_legitimate_install_paths:
ImageLoaded|startswith:
# Keeping the paths generic as jli.dll was found inside various directories of installed software
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
Description: 'OpenJDK Platform binary'
OriginalFileName: 'jli.dll'
Product|startswith: 'OpenJDK Platform'
Signed: 'true'
filter_optional_eclipse:
ImageLoaded|startswith: 'C:\eclipse\plugins\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high