DLL side-loading is a Windows technique in which a legitimate application loads a malicious dynamic-link library (DLL) from a location the attacker controls. The program itself may be trusted or signed, so the malicious code runs inside an ordinary-looking process. Attackers abuse the Windows DLL search order or place a rogue library beside the executable so it is loaded before the real one.
This matters because it helps malware blend in, bypass simple allowlists, and inherit the credibility of the host program. In real attacks, side-loading is often used to start payloads quietly, persist on a system, or hide activity behind trusted software such as updaters or security tools. Defenders look for unusual DLL paths, mismatches between a signed executable and the modules it loads, and suspicious image-load events. Application control, safe DLL loading settings, and telemetry from tools like Sysmon can help reveal this abuse.
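
As an added example (not part of the original page), the following Python sketch applies two of the checks described above to Sysmon Event ID 7 (image load) records: a system DLL name loaded from outside the system directories, and an unsigned DLL loaded from the executable's own user-writable directory. The sample events, the DLL-name baseline and the path prefixes are constructed assumptions; `Signed` and `SignatureStatus` describe the loaded module.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pkg\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Tools\helper.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\helperlib.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Assumed baseline: DLL names expected to load only from system directories.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed list of user-writable location prefixes; tune per environment.
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

def score_event(ev):
    """Return the list of side-loading indicators an image-load event matches."""
    image_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir, dll_name = ntpath.split(ev["ImageLoaded"].lower())
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from non-system path")
    unsigned = ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"
    if unsigned and dll_dir == image_dir and dll_dir.startswith(USER_WRITABLE):
        reasons.append("unsigned DLL beside executable in user-writable directory")
    return reasons

def find_suspicious(events):
    """Return (ImageLoaded, reasons) for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Both indicators are triage heuristics: legitimate software also ships unsigned DLLs in its own directory, so hits need to be compared against a per-application baseline before alerting.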



