{
	"id": "01333980-fe67-4661-b955-1de319807ac6",
	"created_at": "2026-04-06T00:10:00.296395Z",
	"updated_at": "2026-04-10T03:20:42.023523Z",
	"deleted_at": null,
	"sha1_hash": "bfcabb3f75750a8d8f91be6b7c3505fa1cbb0b00",
	"title": "Trojanized dnSpy app drops malware cocktail on researchers, devs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4156303,
	"plain_text": "Trojanized dnSpy app drops malware cocktail on researchers, devs\r\nBy Lawrence Abrams\r\nPublished: 2022-01-08 · Archived: 2026-04-05 16:21:18 UTC\r\nHackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a\r\nmalicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.\r\ndnSpy is a popular debugger and .NET assembly editor used to debug, modify, and decompile .NET programs.\r\nCybersecurity researchers commonly use this program when analyzing .NET malware and software.\r\nWhile the software is no longer actively developed by the initial developers, the original source code and a new, actively\r\ndeveloped version are available on GitHub to be cloned and modified by anyone.\r\nhttps://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/\r\nPage 1 of 6\r\nMalicious dnSpy delivers a cocktail of malware\r\nThis week, a threat actor created a GitHub repository with a compiled version of dnSpy that installs a cocktail of malware,\r\nincluding clipboard hijackers to steal cryptocurrency, the Quasar remote access trojan, a miner, and a variety of unknown\r\npayloads.\r\nThis new campaign was discovered by security researchers 0day enthusiast and MalwareHunterTeam, who saw the malicious\r\ndnSpy project initially hosted at https://github[.]com/carbonblackz/dnSpy/ and then switching to\r\nhttps://github[.]com/isharpdev/dnSpy to appear more convincing.\r\nMalicious dnSpy GitHub repository\r\nSource: MalwareHunterTeam\r\nThe threat actors also created a website at dnSpy[.]net that was nicely designed and professional-looking. 
This site is now\r\ndown, but you can see a screenshot of the archived version below.\r\nMalicious dnSpy[.]net site\r\nSource: BleepingComputer\r\nTo promote the website, the threat actors performed successful search engine optimization to get dnSpy[.]net listed on the\r\nfirst page of Google. This domain was also listed prominently on Bing, Yahoo, AOL, Yandex, and Ask.com.\r\nAs a backup plan, they also took out search engine ads to appear as the first item in search results, as shown below.\r\nGoogle ad for fake dnSpy site\r\nSource: BleepingComputer\r\nThe malicious dnSpy application looks like the normal program when executed. It allows you to open .NET applications,\r\ndebug them, and perform all the normal functions of the program.\r\nFake dnSpy application\r\nSource: BleepingComputer\r\nHowever, when the malicious dnSpy application [VirusTotal] is launched, it executes a series of commands that create\r\nscheduled tasks that run with elevated permissions.\r\nIn a list of the commands shared with BleepingComputer by MalwareHunterTeam, the malware performs the following\r\nactions:\r\nDisables Microsoft Defender.\r\nUses bitsadmin.exe to download curl.exe to %windir%\\system32\\curl.exe.\r\nUses curl.exe and bitsadmin.exe to download a variety of payloads to the C:\\Trash folder and launch them.\r\nDisables User Account Control.\r\nCommands executed by fake dnSpy program\r\nSource: MalwareHunterTeam\r\nThe payloads are downloaded from http://4api[.]net/ and include the malware listed below:\r\n%windir%\\system32\\curl.exe - The curl program.\r\nC:\\Trash\\c.exe - Unknown [VirusTotal]\r\nC:\\Trash\\ck.exe - Unknown\r\nC:\\Trash\\cbot.exe - Clipboard Hijacker [VirusTotal]\r\nC:\\Trash\\cbo.exe - 
Unknown [VirusTotal]\r\nC:\\Trash\\qs.exe - Quasar RAT [VirusTotal]\r\nC:\\Trash\\m.exe - Miner [VirusTotal]\r\nC:\\Trash\\d.exe - Legitimate Defender Control application used to disable Microsoft Defender. [VirusTotal]\r\nC:\\Trash\\nnj.exe - Unknown\r\nThe clipboard hijacker (cbot.exe) uses cryptocurrency addresses that were used in previous attacks with some success. The bitcoin\r\naddress has received 68 bitcoin transactions of stolen funds totaling approximately $4,200.\r\nThe cryptocurrency addresses used as part of this campaign are:\r\nBitcoin: 175A7JNERg82zY3xwGEEMq8EyCnKn797Z4\r\nEthereum: 0x4dd10a91e43bc7761e56da692471cd38c4aaa426\r\nTron?: TPRNNuj6gpBQt4PLsNv7ZVeYHyRJGgJA61\r\nLitecoin: LQFiuJQCfRqcR9TjqYmi1ne7aANpyKdQpX\r\nAt this time, both the dnSpy[.]net site and the GitHub repository used to power this campaign are shut down.\r\nHowever, security researchers and developers need to constantly be on the lookout for malicious clones of popular projects\r\nthat install malware on their devices.\r\nAttacks on cybersecurity researchers and developers are not new and are becoming increasingly common, aimed at stealing\r\nundisclosed vulnerabilities or source code, or at gaining access to sensitive networks.\r\nLast year, Google and security researchers discovered that state-sponsored North Korean hackers targeted vulnerability\r\nresearchers using a variety of lures. 
These lures included fake Visual Studio projects, Internet Explorer zero-day\r\nvulnerabilities, malicious cybersecurity companies, and malicious IDA Pro downloads.\r\nIOCs:\r\nSource: https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/"
	],
	"report_names": [
		"trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434200,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfcabb3f75750a8d8f91be6b7c3505fa1cbb0b00.pdf",
		"text": "https://archive.orkl.eu/bfcabb3f75750a8d8f91be6b7c3505fa1cbb0b00.txt",
		"img": "https://archive.orkl.eu/bfcabb3f75750a8d8f91be6b7c3505fa1cbb0b00.jpg"
	}
}