Spec-tac-ula Deserialization: Deploying Specula with .NET
ID: 238915e9-3630-5792-9c6c-bca6b8037b48
STIX ID: report--238915e9-3630-5792-9c6c-bca6b8037b48
Feed Name: TrustedSec blog
This post demonstrates a proof-of-concept exploit chain that abuses insecure .NET BinaryFormatter deserialization to achieve remote code execution and in-memory assembly loading via ysoserial.net gadget chains (XamlAssemblyLoadFromFile). The author modifies ysoserial to accept DLLs, builds a payload that loads a custom assembly to modify registry keys, and shows how these modifications can deploy Specula (an Outlook webview backdoor) for persistence.
