Home » Cyber Security News » DLL Hijacking attacks: What is it and how to stay protected?

DLL Hijacking attacks: What is it and how to stay protected?

  • DLL Hijacking attacks are broadly categorized into three types – DLL search order attack, DLL side-loading attack, and Phantom DLL Hijacking attack.
  • For DLL hijacking attack to be successful, it would require an attacker to trick victims to open a file using a vulnerable application from a remote network location.

DLL Hijacking is an attack vector that could allow attackers to exploit Windows applications search and load Dynamic Link Libraries (DLL). If a web app is vulnerable to DLL Hijacking, attackers can load malicious DLLs in the PATH or other location that is searched by the application and have them executed by the application.

Types of DLL Hijacking attacks

DLL Hijacking attacks are broadly categorized into three types,

  • DLL search order attack
  • DLL side-loading attack
  • Phantom DLL Hijacking attack

DLL search order attack – If Windows OS search for the malicious DLL path in a specific order then it is DLL search order attack. Therefore, a malicious DLL can be placed in the search order, and the executable will load it.

DLL side-loading attack – DLL side-loading attack leverages WinSxS directory.

Phantom DLL Hijacking – Phantom DLL Hijacking attack uses very old DLLs that are still attempted to be loaded by apps. Attackers use this tactic and give the malicious DLL name in the Search Path and the new malicious code will be executed.

How does it work?

For DLL hijacking attack to be successful, it would require an attacker to trick victims to open a file using a vulnerable application from a remote network location. If the vulnerable application tries to load an external DLL from the same location, the attack will most likely be successful.

Examples of DLL Hijacking

Example 1 – Farseer malware employs DLL sideloading technique

Unit 42 research team recently uncovered a new malware dubbed Farseer that frequently-targets the Microsoft Windows operating system. Farseer malware leverages the ‘DLL sideloading’ technique to drop legitimate, signed binaries to the host. The malware uses ‘DLL sideloading’ to evade detection from antivirus software.

Example 2 – KerrDown distributed via DLL side-loading

Researchers recently spotted a custom downloader ‘KerrDown’ which is used by the OceanLotus threat actor group to infect victims with payloads such as Cobalt Strike Beacon.

OceanLotus was responsible for multiple attack campaigns against private sectors across multiple industries, foreign governments, activists, and dissidents connected to Vietnam.

Ocean Lotus threat actors leveraged two methods to deliver the ‘KerrDown’ downloader to the victims

  • Microsoft Office document with malicious macro, and
  • RAR archive which contains a legitimate program with DLL side-loading.

How to stay protected?

  • Researchers recommend enabling SafeDllSearchMode to prevent attackers from exploiting the search path.
  • It is also recommended to ensure that only signed DLLs are loaded for most systems process and applications.
  • In order to avoid DLL Hijacking, it is best to write secure code for loading DLL from specified path only.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.


Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.


Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 9582 90 7788 | Support Number : +91-9654016484
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket