Emerging Threathighexperimental

Katz Stealer DLL Loaded

Detects loading of DLLs associated with Katz Stealer malware 2025 variants. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. The process that loads these DLLs are very likely to be malicious.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu May 22e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a982025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith:
            - '\katz_ontop.dll'
            - '\AppData\Local\Temp\received_dll.dll'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0002 · Execution

Techniques

T1129 · Shared Modules

Other

detection.emerging-threats

Rule Metadata

Rule ID

e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98

Status

experimental

Level

high

Type

Emerging Threat

Created

Thu May 22

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules-emerging-threats/2025/Malware/Katz-Stealer/image_load_win_katz_stealer_payloads.yml

Raw Tags

attack.executionattack.t1129detection.emerging-threats

View on GitHub