A legitimate Microsoft binary, a sideloaded DLL, and a memory-resident RAT show how attackers can turn normal loader behavior into a stealth delivery path.