One Day Sec

What is the Windows FAX DLL injection technique and how does it exploit fxsst.dll?

Windows FAX DLL injection exploits the fact that explorer.exe loads `fxsst.dll` at startup if the fax service is enabled (the default). The genuine DLL lives in `C:\Windows\System32\`, but explorer.exe itself runs from `C:\Windows\`, and the loader searches the application's own directory first. A malicious DLL named `fxsst.dll` placed in `C:\Windows\` is therefore loaded instead of the genuine one, a case of DLL search order hijacking. This publicly disclosed technique, referenced in the Analysis of Windows Backdoor Exploitation Methods in CIA Vault7 RDB, provides a simple yet effective persistence method.
Tags: FAX DLL injection, fxsst.dll, DLL hijacking, explorer.exe, persistence, search order hijacking
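
A defender's check for this hijack, as an added example that is not part of the original page: it scans image-load events for `fxsst.dll` loaded from anywhere other than `C:\Windows\System32\`. The event dictionaries are assumed to use the `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields of Sysmon Event ID 7, and the sample events are constructed.

```python
import ntpath

TARGET_DLL = "fxsst.dll"
EXPECTED_DIR = r"c:\windows\system32"  # location the page gives for the genuine DLL

def _norm(path):
    """Lower-case and collapse a Windows path so comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def classify(event):
    """Return a finding for an fxsst.dll load outside System32, else None."""
    loaded = _norm(event.get("ImageLoaded", ""))
    if ntpath.basename(loaded) != TARGET_DLL:
        return None
    if ntpath.dirname(loaded) == EXPECTED_DIR:
        return None
    process = _norm(event.get("Image", ""))
    # The case described above: the DLL sits beside explorer.exe in its own directory.
    beside_explorer = (ntpath.basename(process) == "explorer.exe"
                       and ntpath.dirname(process) == ntpath.dirname(loaded))
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus", "").lower() == "valid")
    return {"process": process, "dll": loaded,
            "severity": "high" if beside_explorer else "medium",
            "validly_signed": validly_signed}

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\fxsst.dll"},
    {"Image": r"C:\WINDOWS\Explorer.EXE", "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\Windows\fxsst.dll"},
    # Same location written with a ".." segment and different case.
    {"Image": r"C:\Windows\explorer.exe", "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\Windows\System32\..\FXSST.DLL"},
    {"Image": r"C:\Program Files\Example\app.exe", "Signed": "false",
     "SignatureStatus": "Unavailable", "ImageLoaded": r"C:\Program Files\Example\fxsst.dll"},
    {"Image": r"C:\Windows\explorer.exe", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Paths are normalized before comparison, so case differences and `..` segments do not hide a load from `C:\Windows\`.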
