DLL side-loading remains one of the most effective techniques for maintaining persistent access to compromised systems, precisely because it masquerades as legitimate application behaviour. Recent activity attributed to the Iranian-aligned MuddyWater group demonstrates the technique's continued potency: a campaign spanning nine countries across four continents in early 2026 exploited this method to target manufacturing, education, finance, and government organisations.
How DLL Side-Loading Works in Practice
Side-loading (also called DLL search-order hijacking) occurs when a legitimate, signed application loads a malicious DLL from a location the attacker controls instead of the intended library from a system directory. When Windows resolves a library by name, it checks the application's own directory before the system directories. An attacker therefore places a malicious DLL bearing the same name as a legitimate system or third-party library in that application directory, and the legitimate executable unwittingly loads and executes the attacker's code.
The technique's appeal lies in its stealth: the parent process is signed and legitimate, making it less likely to trigger behaviour-based detection rules. EDR (endpoint detection and response) systems that monitor process creation or API calls may flag outright malware injection, but a side-loaded DLL in a trusted application's directory often slips through.
MuddyWater's reported use of this method across industrial controls, manufacturing systems, and government networks suggests a well-resourced group with knowledge of target infrastructure—and confidence that their victims would run vulnerable versions of common applications.
Detection Requires Visibility Into File Operations
Traditional signature-based antivirus struggles with side-loading because the malicious DLL itself can be polymorphic or obfuscated, and the parent process is legitimate. Detection requires three layers of visibility:
- File integrity monitoring. Track unexpected DLL creation or modification in application directories, especially for rarely-updated applications or tools from vendors with large install bases.
- Library loading audits. Monitor which DLLs are actually loaded by common executables. Deviations—a CAD tool loading an unusual crypto library, for instance—warrant investigation.
- Behavioural analysis. A legitimate application making network requests, writing to registry, or spawning child processes it normally doesn't is a red flag, even if its code signature is clean.
Organisations running on-premises infrastructure benefit from deploying EDR solutions that can correlate these signals. Cloud or hybrid environments need equivalent logging and analysis—Windows event logs, process execution logs, and DLL load events forwarded to a centralised SIEM.
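The library-loading audit described above, as an added example that is not part of the original article: a small SIEM-side check run over constructed Sysmon Event ID 7 (Image loaded) records. It flags a load when a DLL bearing a well-known system library name resolves from outside a Windows system directory, or when an unsigned library sits in the executable's own directory. The vendor application, paths and baseline list are assumptions made for the example.

```python
import ntpath

# Constructed baseline: DLL names expected to resolve only from a Windows
# system directory. In practice this comes from a clean-host baseline.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wininet.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 7 records; field names follow Sysmon's schema,
# the application name and paths are invented for this example.
EVENTS = [
    {"Image": r"C:\Program Files\VendorCAD\cad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\VendorCAD\cad.exe",
     "ImageLoaded": r"C:\Program Files\VendorCAD\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\VendorCAD\cad.exe",
     "ImageLoaded": r"C:\Program Files\VendorCAD\render.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def in_system_dir(path):
    """True when the path lies under System32 or SysWOW64 (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIRS)

def classify(event):
    """Return the reasons an image-load event looks like side-loading ([] if none)."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    app_dir = ntpath.dirname(event["Image"]).lower()
    reasons = []
    # A DLL that belongs in System32 resolved from somewhere else: the search
    # order found a copy in the application directory before the real one.
    if name in SYSTEM_DLLS and not in_system_dir(loaded):
        reasons.append("system DLL name loaded outside a system directory")
    # An unsigned, or invalidly signed, library sitting next to the executable.
    co_located = ntpath.dirname(loaded).lower() == app_dir
    badly_signed = event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid"
    if co_located and badly_signed:
        reasons.append("unsigned or invalidly signed DLL in application directory")
    return reasons

def scan(events):
    """Return (loaded path, reasons) for every event that trips at least one rule."""
    return [(e["ImageLoaded"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for path, reasons in scan(EVENTS):
        print(path, "->", "; ".join(reasons))
```

Feeding real Sysmon exports through the same two rules gives a first cut at the deviations the text describes; tune the baseline list per application to keep vendor plug-ins from drowning the signal.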
Mitigation: Patch, Whitelist, and Isolate
Side-loading thrives on outdated software. Vendors frequently patch DLL search-order issues or eliminate unsafe library loading patterns. A disciplined patching cadence—especially for applications that interact with sensitive data or run in privileged contexts—is the first line of defence.
Application whitelisting, where only authorised executables and libraries are permitted to run, can block side-loading outright. However, whitelisting is operationally demanding in environments with frequent software updates or bespoke applications. A middle ground is to whitelist trusted vendors' signing certificates and block unsigned DLLs from loading in sensitive process contexts.
Network segmentation matters too. If manufacturing control systems or financial servers are isolated from general corporate networks, and outbound connections from those segments are restricted to known systems, an attacker gains little from loading a DLL that can only reach their own hardware.
Recent reporting on MuddyWater's campaign noted that affected sectors included industrial manufacturing and public administration—environments where legacy systems, infrequent patching, and air-gapped networks can coexist uneasily. That mix creates an attractive target for persistent adversaries.
The Broader Lesson
DLL side-loading persists because it exploits a fundamental asymmetry: defenders must protect every application and every directory, whilst attackers need only find one overlooked, vulnerable instance. There is no silver bullet. Defence requires combining proactive patching, real-time visibility, and network controls that assume compromise.
For infrastructure teams managing production systems, the practical takeaway is straightforward: audit your application directories for unexpected files, configure file integrity monitoring on critical paths, and ensure your logging captures library loading activity. Espionage campaigns like MuddyWater's work at scale precisely because most organisations have not done these basics.