New .NET AOT Malware Hides Code as a Black Box to Evade Detection
Summary
Researchers at Howler Cell discovered a sophisticated .NET AOT malware campaign that uses ahead-of-time compilation to strip metadata and evade detection by hiding code as a black box. The attack chain includes KeyAuth.exe downloader, bound_build.exe orchestrator, and payloads including the Rhadamanthys infostealer and XMRig cryptocurrency miner, with a scoring system that evaluates victim systems before executing to avoid sandbox detection.
Full text
By Deeba Ahmed, March 18, 2026

Researchers at Howler Cell have discovered a new .NET AOT malware campaign that uses a clever scoring system to bypass security tools and steal your data.

Cybersecurity researchers at Howler Cell have discovered a new multi-layered malware campaign that uses a specific programming method called .NET Ahead-of-Time (AOT) compilation to make the malware nearly invisible to standard security tools. For context, most modern software contains metadata (a digital map that helps security tools understand what a program is doing). This new AOT method strips that map away, turning the code into a black box, which forces experts to rely on manual, native-level tools to see what is actually happening under the hood.

A Complex Game of Digital Hide-and-Seek

The trouble usually starts with a suspicious link, likely spread through phishing emails, that delivers a ZIP archive. When a victim opens this ZIP file, they see several legitimate-looking modules that make the folder appear safe. However, the real threat is a file named KeyAuth.exe. When this downloader is active, it quietly fetches a second-stage file called bound_build.exe.

As researchers probed further, they realised that bound_build.exe is the main architect of the attack. It is responsible for XOR-decrypting and launching two additional threats. The first, Crypted_build.exe, retrieves a notorious infostealer known as Rhadamanthys, whereas the second, Miner.exe, eventually installs MicrosoftEdgeUpdater, which is a disguised loader for the XMRig cryptocurrency miner.

Figure: Attack chain (Source: Howler Cell)

How the Malware Tests Your PC

What makes this threat stand out is how it evaluates a computer before it strikes. Researchers noted that the loader uses a clever scoring system to figure out if it is running on a real victim's PC or a researcher's sandbox machine.
It checks things like your RAM, adding points if you have over 8GB, and your system uptime. The malware even counts your files; if you have more than ten files in your Documents folder, it considers you a likely human target. Furthermore, it looks for common antivirus processes like WinDefend or Kaspersky. If the final score is below 5, the malware assumes it's being watched and simply shuts itself down to avoid detection.

Cracking the Black Box

Despite these hurdles, the team at Howler Cell used a tool called Binary Ninja to break through the defences, the blog post reads. By creating a custom WARP signature, they could reconstruct the program's inner workings. "WARP eliminated the need to manually inspect almost 4,000 library functions," researchers noted. This process was a massive success, taking their visibility from less than 1% to over 85%.

Figure: WARP detection of bound_build.exe (Source: Howler Cell)

The key takeaway from this campaign is that hackers are getting better at staying dormant to evade detection. To stay safe, you should never download ZIP files from untrusted links, and keeping your system updated remains your best defence against these growing threats.
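The host-scoring gate described in the article, modelled here as an added example (not code from the Howler Cell report or from the malware itself): it reproduces the four signals and the threshold of 5 that the article names, so an analyst can see which signals a detonation sandbox fails to satisfy and tune the VM accordingly. The point weights and the one-hour uptime cutoff are assumptions, because the article gives the signals and the threshold but not the points per signal.

```python
"""Model of the reported sandbox-scoring gate, as an analyst aid for sandbox realism."""
from dataclasses import dataclass
from typing import Dict, Tuple

SCORE_THRESHOLD = 5  # from the article: the loader exits if the final score is below 5
AV_PROCESS_HINTS = ("windefend", "kaspersky")  # the two AV names the article mentions

# ASSUMPTION: the article does not publish per-signal points, so these weights
# are illustrative only; change them if the report's exact values become known.
WEIGHTS = {
    "ram_over_8gb": 2,
    "uptime_over_1h": 1,          # ASSUMPTION: the uptime cutoff is not stated
    "documents_over_10_files": 2,
    "av_process_present": 2,
}


@dataclass(frozen=True)
class HostProfile:
    ram_gb: float
    uptime_minutes: int
    documents_file_count: int
    process_names: Tuple[str, ...]


def evaluate(profile: HostProfile) -> Tuple[int, Dict[str, bool]]:
    """Return (score, per-signal hit map) for a host profile."""
    hits = {
        "ram_over_8gb": profile.ram_gb > 8,
        "uptime_over_1h": profile.uptime_minutes > 60,
        "documents_over_10_files": profile.documents_file_count > 10,
        "av_process_present": any(
            hint in name.lower() for name in profile.process_names for hint in AV_PROCESS_HINTS
        ),
    }
    score = sum(WEIGHTS[signal] for signal, hit in hits.items() if hit)
    return score, hits


def would_payload_run(profile: HostProfile) -> bool:
    """True when the modelled loader would proceed instead of shutting itself down."""
    return evaluate(profile)[0] >= SCORE_THRESHOLD


def failed_signals(profile: HostProfile):
    """Signals the host does not satisfy; each is a candidate for making a sandbox look real."""
    return sorted(signal for signal, hit in evaluate(profile)[1].items() if not hit)


# Constructed sample profiles (not measurements from the report).
BARE_SANDBOX = HostProfile(4, 5, 0, ("explorer.exe", "vboxservice.exe"))
WORKSTATION = HostProfile(16, 480, 37, ("explorer.exe", "MsMpEng.exe", "WinDefend"))
```

Running `failed_signals(BARE_SANDBOX)` lists every signal a minimal analysis VM misses, which is the checklist for a sandbox that the sample would actually detonate in.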
Indicators of Compromise
- malware — KeyAuth.exe
- malware — bound_build.exe
- malware — Crypted_build.exe
- malware — Miner.exe
- malware — Rhadamanthys
- malware — XMRig