
Summary
This analytic detects the loading of specific DLL modules associated with the GraphicalProton backdoor, an implant used by the state-sponsored SVR in targeted intrusions. It relies on Sysmon EventCode 7 (Image Loaded), which records every DLL mapped into a process together with the loading process, the DLL path and its signature status. The rule matches the file name of the loaded image against a hard-coded list of DLL names linked to this backdoor. Any hit should be treated as a high-priority alert and investigated immediately, since it can indicate a sophisticated persistent threat actor on the host; confirmed malicious use carries a high risk of data exfiltration and further exploitation and warrants prompt remediation. Because the match is on file name alone, corroborate hits with the load path, the loading process and the DLL's Authenticode status: a legitimate library that happens to share a name produces a false positive, and a renamed copy of the implant is not caught by this rule.
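The detection logic above, as an added example that is not the rule's own search or code: it parses constructed Sysmon EventCode 7 XML records, compares the basename of `ImageLoaded` case-insensitively against a watchlist, and carries the load path, process and signature fields into each alert for triage. The watchlist names (`implant_a.dll`, `implant_b.dll`), the host name and the sample records are hypothetical placeholders; substitute the rule's actual hard-coded DLL list.

```python
"""Match Sysmon EventCode 7 (Image Loaded) records against a DLL-name watchlist."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical placeholder names, not the rule's real list: substitute the
# hard-coded GraphicalProton DLL names. Kept lowercase; matching is case-insensitive.
WATCHLIST = {"implant_a.dll", "implant_b.dll"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon event's System/EventData fields into one dict."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def detect_graphicalproton_loads(events, watchlist=WATCHLIST) -> list:
    """Return one alert per image-load event whose DLL file name is on the watchlist.

    Only the basename is compared, mirroring the rule's name-based logic; path and
    Authenticode fields ride along for triage, since a renamed copy of the implant
    would evade a pure name match and a same-named legitimate DLL would false-positive.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:          # only Image Loaded events are in scope
            continue
        loaded = ev.get("ImageLoaded", "")
        dll_name = PureWindowsPath(loaded).name.lower()
        if dll_name not in watchlist:
            continue
        alerts.append({
            "host": ev.get("Computer"),
            "time": ev.get("UtcTime"),
            "process": ev.get("Image"),
            "pid": ev.get("ProcessId"),
            "dll": dll_name,
            "path": loaded,
            "signed": ev.get("Signed", "").lower() == "true",
            "signer": ev.get("Signature", "-"),
            "technique": "T1574.002",
        })
    return alerts


def _event(event_id, image, loaded, signed, signature):
    """Build a constructed Sysmon XML record (sample data, not a real capture)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>
  <Computer>ws01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-11-13 10:00:00.000</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">{loaded}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
  </EventData>
</Event>"""


# Constructed sample: one benign signed load, two watchlist hits (one in odd
# casing), and a non-EventCode-7 record carrying the same field, which must be ignored.
SAMPLE_EVENTS = [
    _event(7, r"C:\Windows\explorer.exe", r"C:\Windows\System32\kernel32.dll", "true", "Microsoft Windows"),
    _event(7, r"C:\Windows\explorer.exe", r"C:\Users\Public\implant_a.dll", "false", "-"),
    _event(7, r"C:\Program Files\App\app.exe", r"C:\ProgramData\IMPLANT_B.DLL", "false", "-"),
    _event(1, r"C:\Windows\explorer.exe", r"C:\Users\Public\implant_a.dll", "false", "-"),
]


def run_sample() -> list:
    """Parse the constructed records and return the resulting alerts."""
    return detect_graphicalproton_loads(parse_sysmon_event(x) for x in SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['technique']}] {a['host']} pid={a['pid']} {a['process']} "
              f"loaded {a['path']} signed={a['signed']} signer={a['signer']}")
```

Running the sample yields two alerts, for `implant_a.dll` and `implant_b.dll`, each unsigned and loaded from a user-writable location; the kernel32 load and the EventCode 1 record produce nothing. In production, feed the function the `Image Loaded` events from your SIEM rather than the constructed XML.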
Categories
- Endpoint
Data Sources
- Windows Registry
- File
- Process
ATT&CK Techniques
- T1574.002
- T1574
Created: 2024-11-13