Article content Network intrusion detection software can also be used to monitor for specific malicious activity. The attack starts with DLL (Dynamic Link Library) hijacking. It involves using a legitimate application to preload a malicious DLL file. Attackers commonly abuse the Windows DLL Search Order and take advantage of this to load a malicious DLL file instead of the legitimate one, the report notes. Usually, DLL files load through a Windows service called rundll32.exe. In the case of Pingback, a malicious DLL file called oci.dll (Pingback) was somehow indirectly loaded through a legitimate service called msdtc (Microsoft Distributed Transaction Coordinator). This service coordinates transactions that span multiple machines, such as databases, message queues, and file systems.