Phc.dll May 2026

By: Senior Threat Analyst Published: 8 min read

In the shadowy corners of a Windows endpoint, where processes whisper between kernel and user mode, a file named phc.dll doesn't scream for attention. It doesn't have the notoriety of kernel32.dll or the ubiquity of ntdll.dll. Yet, when this Dynamic Link Library appears on a system—especially outside its canonical home—experienced incident responders lean closer to their screens.

| Artifact | Benign phc.dll | Malicious phc.dll |
| :--- | :--- | :--- |
| | Valid "Sophos Ltd" signature | Invalid signature, self-signed, or "No signature" |
| Original Filename (from PE header) | phc.dll | beacon.x64.dll, msf.dll, or random string |
| File Path | \Program Files\Sophos\ | \Temp\, \Users\Public\, \PerfLogs\ |
| Parent Process | msiexec.exe or SophosSetup.exe | Outlook.exe, winword.exe, or powershell.exe -enc |
| Network Behavior | None (local only) | Beaconing to port 443 or 80 on non-Sophos IPs |

The Analyst's Verdict

phc.dll is not a virus. It is not a rootkit. It is a namespace collision exploited by threat actors who understand that security teams are overworked and pattern-matching is their default state.
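The comparison table above, applied as triage logic over module-load events (an added example, not code from the original article). The event field names, the sample events and the allowlisted network are constructed assumptions; the rules themselves mirror the table rows.

```python
import ipaddress
from pathlib import PureWindowsPath

SUSPECT_DIRS = ("\\temp\\", "\\users\\public\\", "\\perflogs\\")
EXPECTED_PARENTS = {"msiexec.exe", "sophossetup.exe"}
# Assumption: placeholder allowlist (TEST-NET-3); replace with the vendor's real ranges.
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def triage(ev):
    """Return the table rows on which a phc.dll load event deviates from benign."""
    findings = []
    path = PureWindowsPath(ev["path"])
    # Anchor the directory check at the drive root so that a look-alike such as
    # C:\Temp\Program Files\Sophos\ does not pass a substring match.
    if [p.lower() for p in path.parts[1:3]] != ["program files", "sophos"]:
        hit = next((d for d in SUSPECT_DIRS if d in str(path).lower()), None)
        findings.append("path: " + (hit if hit else "outside Sophos directory"))
    if not (ev["sig_valid"] and ev["signer"] == "Sophos Ltd"):
        findings.append("signature: not a valid Sophos Ltd signature")
    if ev["original_filename"].lower() != "phc.dll":
        findings.append("original filename: " + ev["original_filename"])
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    if parent not in EXPECTED_PARENTS:
        findings.append("parent: " + parent)
    for ip, port in ev["remote"]:
        if port in (80, 443) and not any(ipaddress.ip_address(ip) in n for n in VENDOR_NETS):
            findings.append(f"network: {ip}:{port}")
    return findings

# Constructed sample events (hypothetical field names, not real telemetry).
BENIGN = {"path": r"C:\Program Files\Sophos\phc.dll", "signer": "Sophos Ltd",
          "sig_valid": True, "original_filename": "phc.dll",
          "parent_image": r"C:\Windows\System32\msiexec.exe", "remote": []}
MALICIOUS = {"path": r"C:\Users\Public\phc.dll", "signer": "", "sig_valid": False,
             "original_filename": "beacon.x64.dll",
             "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
             "remote": [("198.51.100.7", 443)]}
LOOKALIKE = dict(BENIGN, path=r"C:\Temp\Program Files\Sophos\phc.dll")

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("malicious", MALICIOUS), ("lookalike", LOOKALIKE)):
        print(name, triage(ev))
```

An empty result means the event matches the benign column on every row; each returned string names one row that deviates and should be reviewed.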