splunk_escu | TTP
Windows BitDefender Submission Wizard DLL Sideloading
Detects DLL side-loading of the Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or the same binary renamed to BluetoothService.exe) using Sysmon ImageLoad events: it alerts when one of these processes loads log.dll from a path outside Program Files and the Windows system directories, which is where a planted DLL would sit. The search confirms only the unusual load location, not that the DLL itself is malicious.
Detection Query
`sysmon`
EventCode=7
(
Image IN (
"*\\BDSubmit.exe",
"*\\bdsw.exe",
"*\\BluetoothService.exe"
)
OR
OriginalFileName IN (
"BDSubmit.exe",
"bdsw.exe"
)
)
ImageLoaded="*\\log.dll"
NOT ImageLoaded IN (
"*:\\Program Files (x86)\\*",
"*:\\Program Files\\*",
"*:\\Windows\\System32\\*",
"*:\\Windows\\SysWOW64\\*"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by dest Image ImageLoaded Signed SignatureStatus User OriginalFileName loaded_file
loaded_file_path process_exec process_guid process_hash process_id process_name
process_path service_dll_signature_exists service_dll_signature_verified signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
`windows_bitdefender_submission_wizard_dll_sideloading_filter`
Author
Michael Haag, Splunk
Created
2026-03-13
Data Sources
Sysmon EventID 7
References
https://attack.mitre.org/techniques/T1574/002/
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
https://attack.mitre.org/groups/G0065/
Tags
Lotus Blossom Chrysalis Backdoor
Raw Content
name: Windows BitDefender Submission Wizard DLL Sideloading
id: a1b2c3d4-e5f6-4789-a012-3456789abcde
version: 1
date: '2026-03-13'
author: Michael Haag, Splunk
status: experimental
type: TTP
description: |
Detects DLL side-loading of the Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or the same binary renamed to BluetoothService.exe) using Sysmon ImageLoad events: it alerts when one of these processes loads log.dll from a path outside Program Files and the Windows system directories, which is where a planted DLL would sit. The search confirms only the unusual load location, not that the DLL itself is malicious.
data_source:
- Sysmon EventID 7
search: |-
`sysmon`
EventCode=7
(
Image IN (
"*\\BDSubmit.exe",
"*\\bdsw.exe",
"*\\BluetoothService.exe"
)
OR
OriginalFileName IN (
"BDSubmit.exe",
"bdsw.exe"
)
)
ImageLoaded="*\\log.dll"
NOT ImageLoaded IN (
"*:\\Program Files (x86)\\*",
"*:\\Program Files\\*",
"*:\\Windows\\System32\\*",
"*:\\Windows\\SysWOW64\\*"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by dest Image ImageLoaded Signed SignatureStatus User OriginalFileName loaded_file
loaded_file_path process_exec process_guid process_hash process_id process_name
process_path service_dll_signature_exists service_dll_signature_verified signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bitdefender_submission_wizard_dll_sideloading_filter`
how_to_implement: |
Ingest Sysmon events through the Splunk Add-on for Sysmon so that Image, ImageLoaded, OriginalFileName, Signed and SignatureStatus are extracted. Sysmon does not record Event ID 7 (ImageLoad) unless the configuration contains an ImageLoad rule group; DLL loads are high volume, so scope the include rules (for example to loads of log.dll or to the three image names) rather than logging every load. Note that in Event ID 7 the version-resource and signature fields (OriginalFileName, Signed, Signature, SignatureStatus) describe the loaded file in ImageLoaded, not the process in Image, so the OriginalFileName clause matches only when the DLL itself carries one of those names; a copy of the wizard renamed to a file name outside the Image list is not caught by this search. The search runs against raw events via the `sysmon` macro and does not require the Endpoint data model; map the events there if other Endpoint-based content is in use.
known_false_positives: |
Legitimate Bitdefender installations load log.dll from Program Files, which the search excludes. Copies of the Submission Wizard run from user, temporary or packaging directories (portable use, software repackaging, analyst sandboxes) will alert; tune the path exclusions or the filter macro for those cases. The exclusions assume an attacker cannot write into Program Files or System32; a DLL planted there with elevated privileges would be excluded, so treat the path filter as a volume control rather than a security boundary.
references:
- https://attack.mitre.org/techniques/T1574/002/
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://attack.mitre.org/groups/G0065/
drilldown_searches:
- name: View the detection results for - "$dest$" and "$User$"
search: '%original_detection_search% | search dest = "$dest$" User = "$User$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$User$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Bitdefender Submission Wizard loaded $ImageLoaded$ from a non-standard path on $dest$ by user $User$, indicating potential DLL side-loading activity.
risk_objects:
- field: dest
type: system
score: 50
- field: User
type: user
score: 50
threat_objects:
- field: Image
type: process_name
- field: ImageLoaded
type: file_name
tags:
analytic_story:
- Lotus Blossom Chrysalis Backdoor
asset_type: Endpoint
mitre_attack_id:
- T1574
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
cve: []
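To check the include/exclude logic without a Splunk instance, the following is an added example (not ESCU or Splunk code) that replays the search's match conditions in Python over a handful of constructed Sysmon Event ID 7 records: a renamed wizard in a user-writable directory, the same binary renamed to a name the Image list does not cover, a legitimate Program Files load, a load of an unrelated DLL, and a process-creation event. Field names (Image, OriginalFileName, ImageLoaded, dest) follow the search; host names and paths are invented, and OriginalFileName is filled the way Sysmon fills it in Event ID 7, with the loaded file's own name. The `security_content_ctime` and filter macros are Splunk-side and are not reproduced.

```python
"""
Added example, not ESCU/Splunk code: replays the match conditions of the
'Windows BitDefender Submission Wizard DLL Sideloading' search over constructed
Sysmon Event ID 7 records. Sample events are invented for illustration.
"""
import fnmatch
from typing import Iterable

# Patterns copied from the search (Splunk wildcards; backslashes are literal).
IMAGE_PATTERNS = [r"*\BDSubmit.exe", r"*\bdsw.exe", r"*\BluetoothService.exe"]
ORIGINAL_FILENAMES = {"bdsubmit.exe", "bdsw.exe"}
LOADED_PATTERN = r"*\log.dll"
TRUSTED_PATH_PATTERNS = [
    r"*:\Program Files (x86)\*",
    r"*:\Program Files\*",
    r"*:\Windows\System32\*",
    r"*:\Windows\SysWOW64\*",
]


def _wild(value: str, pattern: str) -> bool:
    """Splunk-style wildcard match: '*' spans any characters and field values
    compare case-insensitively. fnmatch also treats '[' and '?' specially,
    which the search patterns do not use, so neutralise them first."""
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value.lower(), escaped.lower())


def matches(event: dict) -> bool:
    """True when a record satisfies every clause of the search."""
    if str(event.get("EventCode")) != "7":
        return False
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    loaded = event.get("ImageLoaded", "")
    by_image = any(_wild(image, p) for p in IMAGE_PATTERNS)
    # In Event ID 7 OriginalFileName is the loaded file's version-resource
    # name, so this clause only fires if the DLL itself claims to be the wizard.
    by_original = original.lower() in ORIGINAL_FILENAMES
    if not (by_image or by_original):
        return False
    if not _wild(loaded, LOADED_PATTERN):
        return False
    # NOT ImageLoaded IN (...): loads from vendor/system directories drop out.
    return not any(_wild(loaded, p) for p in TRUSTED_PATH_PATTERNS)


def run(events: Iterable[dict]) -> dict:
    """Group hits like the search's stats clause, keyed on (dest, Image, ImageLoaded)."""
    hits: dict = {}
    for e in events:
        if matches(e):
            key = (e.get("dest"), e.get("Image"), e.get("ImageLoaded"))
            hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Wizard renamed to BluetoothService.exe in a user-writable directory,
    #    loading log.dll beside itself: hit.
    {"EventCode": 7, "dest": "ws01",
     "Image": r"C:\Users\Public\Libraries\BluetoothService.exe",
     "OriginalFileName": "log.dll",
     "ImageLoaded": r"C:\Users\Public\Libraries\log.dll"},
    # 2. Same binary renamed to a name the Image list does not cover. Because
    #    OriginalFileName describes the DLL, not the process, this load is missed.
    {"EventCode": 7, "dest": "ws01",
     "Image": r"C:\ProgramData\svc\update.exe",
     "OriginalFileName": "log.dll",
     "ImageLoaded": r"C:\ProgramData\svc\log.dll"},
    # 3. Legitimate install loading its own log.dll from Program Files: excluded.
    {"EventCode": 7, "dest": "ws02",
     "Image": r"C:\Program Files\Bitdefender\Submission Wizard\BDSubmit.exe",
     "OriginalFileName": "log.dll",
     "ImageLoaded": r"C:\Program Files\Bitdefender\Submission Wizard\log.dll"},
    # 4. Renamed wizard loading an unrelated system DLL: not log.dll, no hit.
    {"EventCode": 7, "dest": "ws01",
     "Image": r"C:\Users\Public\Libraries\BluetoothService.exe",
     "OriginalFileName": "kernel32.dll",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # 5. Process-creation record (Event ID 1) for the same binary: wrong event, no hit.
    {"EventCode": 1, "dest": "ws01",
     "Image": r"C:\Users\Public\Libraries\BluetoothService.exe",
     "OriginalFileName": "BDSubmit.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\log.dll"},
]

if __name__ == "__main__":
    for key, count in run(SAMPLE_EVENTS).items():
        print(count, *key)
```

Only the first record survives: the exclusion is evaluated on ImageLoaded, so the vendor copy in Program Files drops out, and the rename in record 2 shows why the Image list, not the OriginalFileName clause, is what carries this detection for Sysmon Event ID 7.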