Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.
dnSpy is a popular debugger and .NET assembly editor used to debug, modify, and decompile .NET programs. Cybersecurity researchers commonly use this program when analyzing .NET malware and software.
While the software is no longer actively developed by the initial developers, the original source code and a new actively developed version are available on GitHub to be cloned and modified by anyone.
Malicious dnSpy delivers a cocktail of malware
This week, a threat actor created a GitHub repository with a compiled version of dnSpy that installs a cocktail of malware, including clipboard hijackers to steal cryptocurrency, the Quasar remote access trojan, a miner, and a variety of unknown payloads.