logo

Inside .NET Loader Analysis: From Malspam to In-Memory Loader

ID: f4cb505b-5b8e-5284-8c43-9ac6998d6954

STIX ID: report--f4cb505b-5b8e-5284-8c43-9ac6998d6954

Feed Name: Huntress Blog

Threat Score
78/100

Date Published: 2026-06-03

Date Updated: 2026-06-11

...
...

A Huntress Labs technical analysis describes a malspam campaign that routes victims through DoubleClick to a dynamic malspam kit which personalizes lures, delivering a ZIP containing a heavily obfuscated JScript loader that spawns staged PowerShell and a .NET loader. The multi-stage chain performs extensive anti-analysis checks, disables and excludes Microsoft Defender, patches AMSI/ETW, performs reflective .NET loads and RunPE process hollowing into MSBuild/InstallUtil, establishes persistence via Run/RunOnce and scheduled tasks, communicates with AES/RSA-protected C2, and provides operator-configurable payload delivery modes; the report includes IoCs and recommended mitigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.