.NET AOT Malware Evades Detection with Black Box Code Obfuscation
Researchers Uncover Stealthy .NET AOT Malware that Evades Detection by Masquerading as a Black Box
Cybersecurity experts have discovered a sophisticated .NET Ahead-of-Time (AOT) compilation malware campaign designed to bypass traditional security tools and steal sensitive data. The malware employs a scoring system to judge whether it is running on a genuine target, which helps it stay nearly invisible to standard security measures.
The Attack Process
The attack typically begins with a malicious link, often disseminated via phishing emails. Upon opening the accompanying ZIP file, victims are presented with several legitimate-looking modules that obscure the true threat, a file named KeyAuth.exe. Researchers found, however, that bound_build.exe is the real driver of the attack: it XOR-decrypts and launches two additional payloads.
The Malware’s Components
- The first threat, Crypted_build.exe, retrieves the notorious Rhadamanthys infostealer.
- The second, Miner.exe, is used for malicious purposes.
The Scoring System
The malware’s loader utilizes a clever scoring system to determine whether it is running on a genuine victim’s PC or a researcher’s sandbox machine. This evaluation process assesses various system attributes, including RAM, system uptime, and the number of files in the Documents folder.
Evasion Techniques
The malware also searches for common antivirus processes, such as WinDefend or Kaspersky. If the final score is below 5, the malware assumes it is being monitored and terminates itself to avoid detection.
“This complex scoring system enables the malware to remain dormant and evade detection.”
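As an added example (not code from the article, the researchers, or the malware), the following sandbox realism self-check scores an analysis VM against the signals the article names, so a defender can see which heuristics the VM would fail before detonating a sample. Only the "score below 5 means monitored" threshold and the signal list come from the article; the weights, per-signal cut-offs, the direction of the antivirus signal and the `collect_signals` helper are assumptions.

```python
import os
import subprocess
import sys
import time
from pathlib import Path

MONITORED_THRESHOLD = 5                  # from the article: a score below 5 => "being monitored"
AV_MARKERS = ("windefend", "kaspersky")  # the two names the article cites; substring match

def score_environment(ram_gb, uptime_hours, documents_files, processes):
    """Score how much an environment resembles a real user's PC.
    Weights and cut-offs are assumed for illustration; they are not the loader's."""
    names = [p.lower() for p in processes]
    checks = [
        ("RAM >= 8 GB", ram_gb >= 8, 2),
        ("uptime >= 1 h", uptime_hours >= 1, 2),
        ("Documents holds >= 20 files", documents_files >= 20, 2),
        # The article does not say which way the AV signal counts; assumed here:
        # a visible consumer AV process is treated as a real-user signal.
        ("AV process visible", any(m in n for n in names for m in AV_MARKERS), 2),
    ]
    score = sum(weight for _, passed, weight in checks if passed)
    failed = [label for label, passed, _ in checks if not passed]
    return score, failed

def looks_monitored(score):
    """Verdict such a loader would reach: True means it would self-terminate."""
    return score < MONITORED_THRESHOLD

def collect_signals():
    """Best-effort, stdlib-only collection on the current host (approximate)."""
    if sys.platform == "win32":
        import ctypes
        kb = ctypes.c_ulonglong()
        ctypes.windll.kernel32.GetPhysicallyInstalledSystemMemory(ctypes.byref(kb))
        ram_gb = kb.value / 2**20
        listing = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    else:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
        listing = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True).stdout
    docs = Path.home() / "Documents"
    doc_count = sum(1 for p in docs.iterdir() if p.is_file()) if docs.is_dir() else 0
    # time.monotonic() counts from boot on Windows and Linux, so it approximates uptime
    return ram_gb, time.monotonic() / 3600, doc_count, listing.split()

if __name__ == "__main__":
    score, failed = score_environment(*collect_signals())
    print(f"score={score} monitored={looks_monitored(score)} failed={failed}")
```

Run it inside the analysis VM; every label in `failed` is a heuristic the VM would trip, and a verdict of `monitored=True` means a loader with this logic would exit before showing any behaviour.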
Breaking the Malware’s Defenses
Despite these challenges, researchers overcame the malware's defenses using a tool called Binary Ninja. By creating a custom WARP signature, they were able to reconstruct the program's inner workings, raising visibility into the code from less than 1% to over 85%.
Conclusion
The key takeaway from this campaign is that threat actors are becoming increasingly adept at remaining dormant to avoid detection. To stay safe, users should exercise extreme caution when interacting with suspicious links and emails, and maintain robust security measures to prevent falling prey to such stealthy malware attacks.
