From Malspam to Fileless .NET Loader
Essential information
- Published: 09/06/2026 15:50
- Modified: 10/06/2026 08:30
- Tags: 2026-06-09 amsi patching ddns c2 fileless malspam sandbox-detection
- Related entities: 1 vulnerability (CVE), 9 observables, 20 techniques (MITRE), 7 others
Description
A sophisticated malspam campaign delivers a multi-stage .NET loader through an elaborate chain that begins with HTML email attachments. The attack routes through legitimate Google DoubleClick infrastructure to evade detection, then deploys a dynamically personalized phishing kit that pulls the victim company's branding in real time. The infection chain progresses through JavaScript, PowerShell, and multiple .NET components, executing primarily in memory while actively patching AMSI and ETW to blind Windows telemetry. The loader performs extensive anti-analysis checks, terminates or reboots the host upon detecting sandboxes or debugging tools, and establishes persistence through registry keys and scheduled tasks disguised as NVIDIA components. It targets Microsoft-signed binaries such as InstallUtil.exe and MSBuild.exe for process injection, maintains C2 communications over non-standard ports using AES-encrypted protobuf messages, and profiles victim systems, including specific GPU enumeration, potentially for cryptocurrency min...