
Summary
This detection rule identifies potential side-loading of JLI.dll, a technique used by threat actors such as APT41 and XWorm to run malicious payloads through legitimate Java processes. The rule inspects image load events on Windows hosts and flags cases in which JLI.dll is loaded from a location other than the standard installation paths associated with the OpenJDK Platform. Using the known locations and signatures of legitimate installations, it separates benign loads of this library from attempts to abuse it. Treating signed files loaded from trusted paths as exceptions keeps false positives low while preserving detection accuracy.
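The following Python snippet is an added illustration of the detection logic described above, not the rule's own query. It evaluates constructed image-load events against the two criteria the summary names (non-standard install path, and the signed-plus-trusted-path exception). The path lists, the event field names (`image_loaded`, `process`, `signed`) and the sample events are assumptions for the example; a real deployment would use the rule's actual path list and the field names of its log source.

```python
from pathlib import PureWindowsPath

# Assumed standard OpenJDK/JDK installation roots (placeholders, not the rule's list).
STANDARD_JDK_ROOTS = (
    "C:\\Program Files\\Java\\",
    "C:\\Program Files (x86)\\Java\\",
    "C:\\Program Files\\Eclipse Adoptium\\",
)

# Assumed "trusted" roots: a signed JLI.dll loaded from here is treated as benign.
TRUSTED_ROOTS = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
)


def _under(path: str, roots: tuple) -> bool:
    """Case-insensitive prefix match of a Windows path against a set of roots."""
    lowered = path.lower()
    return any(lowered.startswith(root.lower()) for root in roots)


def is_suspicious_jli_load(event: dict) -> bool:
    """Return True when an image-load event looks like JLI.dll side-loading.

    Logic mirrors the summary: only JLI.dll loads are considered; loads from
    standard JDK paths are benign; signed loads from trusted paths are benign;
    everything else is flagged for analyst review.
    """
    image = event["image_loaded"]
    if PureWindowsPath(image).name.lower() != "jli.dll":
        return False
    if _under(image, STANDARD_JDK_ROOTS):
        return False
    if event.get("signed") and _under(image, TRUSTED_ROOTS):
        return False
    return True


# Constructed sample events (not real telemetry) covering each branch above.
SAMPLE_EVENTS = [
    {   # legitimate JDK install: benign
        "process": "C:\\Program Files\\Java\\jdk-17\\bin\\java.exe",
        "image_loaded": "C:\\Program Files\\Java\\jdk-17\\bin\\jli.dll",
        "signed": True,
    },
    {   # unsigned JLI.dll next to a copied Java binary in a user profile: flag
        "process": "C:\\Users\\alice\\AppData\\Roaming\\Update\\javaw.exe",
        "image_loaded": "C:\\Users\\alice\\AppData\\Roaming\\Update\\jli.dll",
        "signed": False,
    },
    {   # signed copy bundled by a third-party product under Program Files: benign
        "process": "C:\\Program Files\\ExampleVendor\\app\\app.exe",
        "image_loaded": "C:\\Program Files\\ExampleVendor\\app\\jli.dll",
        "signed": True,
    },
    {   # unsigned copy dropped in a temp directory: flag
        "process": "C:\\Windows\\Temp\\svc\\java.exe",
        "image_loaded": "C:\\Windows\\Temp\\svc\\jli.dll",
        "signed": False,
    },
    {   # unrelated image load: ignored
        "process": "C:\\Windows\\System32\\svchost.exe",
        "image_loaded": "C:\\Windows\\System32\\kernel32.dll",
        "signed": True,
    },
]


def evaluate(events: list) -> list:
    """Return the process paths of all events that match the detection."""
    return [e["process"] for e in events if is_suspicious_jli_load(e)]


if __name__ == "__main__":
    for proc in evaluate(SAMPLE_EVENTS):
        print("suspicious JLI.dll load by", proc)
```

The signed-and-trusted exception is what keeps vendor products that legitimately bundle the Java launcher library out of the alert stream; tuning that list to the software actually present in the environment is the main lever for reducing noise without weakening the rule.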
Categories
- Windows
- Endpoint
- Application
- Identity Management
Data Sources
- Image
- Process
Created: 2025-07-25