
Summary
Detects the decoding and execution of the PowGoop (MuddyWater loader) config.txt payload by a side-loaded DLL, the stage at which an obfuscated PowerShell beacon is unwrapped and live C2 communication begins. PowGoop has been the primary initial-access loader for MuddyWater (also known as SeedWorm, Static Kitten and MERCURY) since around 2020. The loader abuses DLL side-loading against a fake GoogleUpdate.exe to run a multi-stage decoding chain that culminates in a PowerShell-based backdoor disguised with a benign file extension. config.txt contains a hardcoded C2 address and a victim GUID; the backdoor beacons over an HTTP channel using a modified base64 encoding, and because the traffic appears to originate from the legitimate Google Update process it can evade network monitoring. The rule therefore relies on endpoint telemetry, correlating endpoint process data to tie the loading chain to the payload execution. The detection is implemented as a Splunk search over the Endpoint data model, looking for powershell.exe spawned by a rundll32.exe parent with command-line fragments such as FromBase64String and a reference to config.txt, which together indicate the staged decoding and beacon setup. This maps to MITRE ATT&CK techniques T1059.001 (PowerShell) and T1001 (Exfiltration/C2).
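The three conditions the summary describes (rundll32.exe parent, powershell.exe child, command line referencing both FromBase64String and config.txt) can be exercised offline before the Splunk search is deployed. The following Python is an added example, not the rule's own SPL or any MuddyWater tooling; it models events on the Endpoint data model field names (parent_process_name, process_name, process) and runs the match over a handful of constructed sample events, including the benign base64-decoding case that must not fire.

```python
"""Offline check of the PowGoop config.txt decode-stage logic described on the
page: powershell.exe spawned by rundll32.exe whose command line references
both FromBase64String and config.txt. Field names follow the Splunk Endpoint
data model; every event below is a constructed sample, not real telemetry."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_process_name: str
    process_name: str
    process: str  # full command line, as Endpoint.Processes.process


# Fragments the rule keys on. Matched case-insensitively because both
# PowerShell identifiers and Windows file names are case-insensitive.
REQUIRED_FRAGMENTS = ("frombase64string", "config.txt")
PARENT_NAME = "rundll32.exe"
CHILD_NAME = "powershell.exe"


def is_powgoop_decode_stage(ev: ProcessEvent) -> bool:
    """True when the event matches the rundll32 -> powershell decode pattern."""
    if ev.parent_process_name.lower() != PARENT_NAME:
        return False
    if ev.process_name.lower() != CHILD_NAME:
        return False
    cmd = ev.process.lower()
    return all(frag in cmd for frag in REQUIRED_FRAGMENTS)


def find_powgoop_candidates(events):
    """Return the subset of events that satisfy all three rule conditions."""
    return [ev for ev in events if is_powgoop_decode_stage(ev)]


# Constructed sample events; paths and hosts are hypothetical, not page IoCs.
SAMPLE_EVENTS = [
    # 1. Should fire: rundll32 parent, powershell child, both fragments present.
    ProcessEvent(
        "rundll32.exe",
        "powershell.exe",
        r'powershell.exe -NoP -W Hidden -C "[Convert]::FromBase64String('
        r'(Get-Content C:\ProgramData\Google\config.txt))"',
    ),
    # 2. Benign admin script: decodes base64 but is launched from explorer and
    #    never references config.txt, so it must not fire.
    ProcessEvent(
        "explorer.exe",
        "powershell.exe",
        r'powershell.exe -C "[Convert]::FromBase64String($env:TOKEN_B64)"',
    ),
    # 3. rundll32 spawning powershell for an unrelated reason, no fragments.
    ProcessEvent(
        "rundll32.exe",
        "powershell.exe",
        "powershell.exe -Command Get-Process",
    ),
    # 4. Right parent and fragments, but the child is cmd.exe, not powershell.
    ProcessEvent(
        "rundll32.exe",
        "cmd.exe",
        r"cmd.exe /c type C:\ProgramData\Google\config.txt FromBase64String",
    ),
]


if __name__ == "__main__":
    for hit in find_powgoop_candidates(SAMPLE_EVENTS):
        print("ALERT PowGoop decode stage:", hit.process)
```

Only the first sample matches; the second shows why the rule requires all three conditions rather than FromBase64String alone, since base64 decoding in PowerShell is common in legitimate administration. In the Splunk search the same conditions are filters on Endpoint.Processes, so any change to the fragment list should be re-run against samples like these to confirm the benign case still stays quiet.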
Categories
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Process
- File
- WMI
ATT&CK Techniques
- T1059.001
- T1001
Created: 2026-04-13