Bypass Record

DLL Side-Loading × Microsoft Defender

A publicly-reported instance of DLL Side-Loading bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2026-05-11
Config / version noted: Not stated

Provenance

Reported as

Ransomware deployed via GPO after disabling Defender, adding exclusions, and clearing logs

Mechanism

EtherRAT retrieves C2 config from Ethereum blockchain via EtherHiding, using TryCloudflare tunnels. TukTuk uses DLL sideloading (e.g., Greenshot, SyncTrayzor) and communicates over SaaS platforms (ClickHouse, Supabase) with Arweave dead-drop resolver. Ransomware deployed via GPO after disabling Defender, adding exclusions, and clearing logs.

Detection & mitigation

Monitor for suspicious MSI executions, registry Run key persistence, and unusual Node.js/JavaScript processes. Detect DLL side-loading by flagging unsigned DLLs loaded by signed binaries (e.g., Greenshot, SyncTrayzor). Inspect network traffic to SaaS platforms (ClickHouse, Supabase) and blockchain RPC endpoints (1rpc.io). Deploy endpoint detection rules for Defender tampering (exclusion additions, service stop) and GPO-based ransomware deployment.
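As an added illustration (not code from the cited source), the following Python applies two of the checks above to Sysmon telemetry: an unsigned DLL loaded by one of the named host binaries (Event ID 7, Image loaded) and a Defender exclusion written to the registry (Event ID 13, Registry value set). The key=value line format and the sample events are constructed for this example; the field names follow Sysmon.

```python
"""Flag DLL side-loading and Defender exclusion tampering in Sysmon events.
Input is a constructed key=value rendering of Sysmon Event ID 7 and 13
(assumed format for this example); field names are the real Sysmon ones."""
import ntpath

# Constructed sample events, not taken from the cited report.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Users\\u\\AppData\\Local\\Temp\\Greenshot.exe"
    "|ImageLoaded=C:\\Users\\u\\AppData\\Local\\Temp\\version.dll|Signed=false",
    "EventID=7|Image=C:\\Program Files\\Greenshot\\Greenshot.exe"
    "|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true",
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\u",
    "EventID=13|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
]

# Signed host binaries named in the record as side-loading carriers.
SIDELOAD_HOSTS = {"greenshot.exe", "synctrayzor.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain backslashes."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(ev):
    """Return a detection label for one event, or None if it is benign."""
    if ev.get("EventID") == "7":
        host = ntpath.basename(ev["Image"]).lower()
        dll = ev["ImageLoaded"].lower()
        same_dir = ntpath.dirname(dll) == ntpath.dirname(ev["Image"].lower())
        # Unsigned DLL, loaded from outside the system directories, by a known
        # side-load host or from the host's own directory: classic side-loading.
        if ev.get("Signed", "").lower() == "false" and not dll.startswith(SYSTEM_DIRS) \
                and (host in SIDELOAD_HOSTS or same_dir):
            return "dll_sideload"
    elif ev.get("EventID") == "13":
        # Any write under Defender's Exclusions keys is tampering worth alerting on.
        if "\\windows defender\\exclusions\\" in ev.get("TargetObject", "").lower():
            return "defender_exclusion_added"
    return None


def scan(lines):
    """Return (loading process, label) for every event that matches a rule."""
    return [(ev["Image"], label) for ev in map(parse_event, lines) if (label := classify(ev))]
```

Tune SIDELOAD_HOSTS and the same-directory heuristic to your estate; the rule is intentionally simple so each match can be read back against the raw event.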

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.