LOLBins – Analyzing attack techniques with MSBuild

ID: 12df04b1-d5e7-50a0-96e0-78bb28020b69

STIX ID: report--12df04b1-d5e7-50a0-96e0-78bb28020b69

Feed Name: ASEC

Threat Score: 70/100

Date Published: 2026-04-09

Date Updated: 2026-04-26

Author: ATCP

MSBuild.exe is being abused as a LOLBin to run inline C# code and to download and execute payloads (including DLL sideloading and reverse shells). The report validates a Defender-bypass technique and describes a February 2026 phishing campaign that disguises a signed MSBuild executable and a malicious .csproj to fetch and execute additional files. It includes MD5 indicators and C2 URLs, and recommends behavior- and context-based detections (process context, project file execution, network patterns, and DLL load analysis).