{
	"id": "9304ce6c-33b1-488e-adcf-887b139250dc",
	"created_at": "2026-04-06T00:08:23.011985Z",
	"updated_at": "2026-04-10T03:37:08.584355Z",
	"deleted_at": null,
	"sha1_hash": "d09208e487c0519616363372d90c35fff8e81033",
	"title": "Threat Actors Use MSBuild to Deliver RATs Filelessly",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3376605,
	"plain_text": "Threat Actors Use MSBuild to Deliver RATs Filelessly\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 19:17:39 UTC\r\nMicrosoft Build Engine or MSBuild to filelessly deliver Remcos remote access tool or RATs and a password-stealing\r\nmalware commonly known as RedLine Stealer.\r\nOverviewTechnical AnalysisShellcodePayloadsConclusionEndnotesAppendix AAppendix BAppendix C\r\nAuthored by: Tara Gould and Gage Mele\r\nKey Findings\r\nAnomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to\r\nfilelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine\r\nStealer\r\nThis campaign, which has low or zero detections on antivirus tools, appears to have begun in April 2021 and was still\r\nongoing as of May 11, 2021.\r\nWe were unable to determine how the .proj files were distributed, and are unable to make a confident assessment on\r\nattribution because both RemcosRAT and RedLine Stealer are commodity malware.\r\nOverview\r\nAnomali Threat Research discovered a campaign in which threat actors used MSBuild - a tool used for building apps and\r\ngives users an XML schema “that controls how the build platform processes and builds software” - to filelessly deliver\r\nRemcosRAT, and RedLine stealer using callbacks.[1] The malicious MSBuild files we observed in this campaign contained\r\nencoded executables and shellcode, with some, hosted on Russian image-hosting site, “joxi[.]net.” While we were unable to\r\nhttps://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly\r\nPage 1 of 7\n\ndetermine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine\r\nStealer. 
The majority of the samples we analyzed deliver Remcos as the final payload.\r\nFigure 1 - Infection chain\r\nTechnical Analysis\r\nMSBuild\r\nMSBuild is a development tool used for building applications, especially where Visual Studio is not installed.[2] MSBuild\r\nuses XML project files that contain the specifications to compile the project; within the project file, the\r\n“UsingTask” element defines the task that MSBuild will compile. In addition, MSBuild has an inline task feature that\r\nlets source code be written directly in the project file, compiled by MSBuild at build time, and executed in memory. This ability\r\nto compile and run code in memory from a trusted developer utility (T1127.001 in Appendix B) is what enables threat actors to use\r\nMSBuild in fileless attacks.\r\nA fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected.[3]\r\nFileless malware typically uses a legitimate application to load the malware into memory, leaving few or no traces of\r\ninfection on disk and making it difficult to detect. An analysis by network security vendor WatchGuard released in\r\n2021 showed an 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack\r\ntechnique, which is likely related to threat actor confidence that such attacks will be successful.[4]\r\nMSBuild Project File (.proj) Analysis\r\nAnalyzed File – imaadp32.proj\r\nMD5 – 45c94900f312b2002c9c445bd8a59ae6\r\nThe file we analyzed is called “imaadp32.proj,” and as shown in Figure 2 below, is an MSBuild project file (.proj). 
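To make the project-file structure and the decoding step concrete, here is an added Python example; it is not the authors' Figure 5 script or any other code from the page or from Anomali. It parses a constructed project file (built inline in the block, not one of the IOCs) for the inline-task indicators the article describes, pulls out the decimal byte arrays and their keys, decodes them, and classifies each result as a PE image or raw shellcode. Three things are assumptions labelled in the code: the decoder is RC4 (the 256-entry position array seeded from a key in the Figure 5 fragment is RC4's key schedule), each array is followed by its key as a C# string literal, and the API names flagged are the ones the article mentions plus Marshal.Copy.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not the authors' Figure 5 script. Static triage of an MSBuild
# project file: find inline tasks, flag the APIs the article names, pull out
# the decimal byte arrays and their keys, decode them, and classify the result.
MSBUILD_NS = '{http://schemas.microsoft.com/developer/msbuild/2003}'
SUSPICIOUS_APIS = ('VirtualAlloc', 'CallWindowProc', 'DynamicInvoke',
                   'CreateProcess', 'ZwUnmapViewOfSection', 'Marshal.Copy')
DQ = chr(34)  # the C# string-literal delimiter


def rc4(key, data):
    # Assumption: the 256-entry position array seeded from the key in the
    # page's Figure 5 fragment is RC4's key schedule, so decoding is RC4 with
    # the key string that follows each array. RC4 is symmetric, so the same
    # function also builds the constructed sample below.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def inline_task_sources(proj_xml):
    # Source text of every inline task (a UsingTask with a TaskFactory and a
    # Code body); tasks backed only by a compiled assembly are skipped.
    root = ET.fromstring(proj_xml)
    sources = []
    for task in root.iter(MSBUILD_NS + 'UsingTask'):
        if 'TaskFactory' in task.attrib:
            sources.extend(code.text or '' for code in task.iter(MSBUILD_NS + 'Code'))
    return sources


def extract_blobs(source):
    # Each blob is a brace-delimited decimal array followed by a string literal
    # holding its key (assumption about how the key sits after the array).
    pattern = '[{]([0-9, ]+)[}][^' + DQ + ']*' + DQ + '([^' + DQ + ']+)' + DQ
    blobs = []
    for digits, key in re.findall(pattern, source):
        data = bytes(int(d) for d in digits.replace(' ', '').split(',') if d)
        blobs.append((data, key.encode()))
    return blobs


def classify(decoded):
    # A PE image starts with the MZ signature; anything else is treated as shellcode.
    return 'pe' if decoded[:2] == b'MZ' else 'shellcode'


def triage(proj_xml):
    findings = {'inline_tasks': 0, 'apis': set(), 'payloads': []}
    for src in inline_task_sources(proj_xml):
        findings['inline_tasks'] += 1
        findings['apis'].update(a for a in SUSPICIOUS_APIS if a in src)
        for data, key in extract_blobs(src):
            findings['payloads'].append(classify(rc4(key, data)))
    return findings


def build_sample():
    # Constructed project file (not one of the article's IOCs): an MZ header
    # plus padding stands in for the PE, a few bytes stand in for shellcode.
    key = b'k3y'
    fake_pe = b'MZ' + bytes(range(40))
    fake_shellcode = bytes([0x90] * 8 + [0xCC, 0xC3])

    def arr(blob):
        return '{' + ','.join(str(b) for b in rc4(key, blob)) + '}'

    csharp = ' '.join([
        'byte[] a = new byte[] ' + arr(fake_pe) + '; string k1 = ' + DQ + 'k3y' + DQ + ';',
        'byte[] b = new byte[] ' + arr(fake_shellcode) + '; string k2 = ' + DQ + 'k3y' + DQ + ';',
        'IntPtr p = VirtualAlloc(IntPtr.Zero, (uint)b.Length, 0x3000, 0x40);',
        'Marshal.Copy(b, 0, p, b.Length);',
        'CallWindowProc(p, IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero);',
    ])
    return ('''<Project ToolsVersion='4.0' xmlns='http://schemas.microsoft.com/developer/msbuild/2003'>
  <Target Name='Build'><Stage /></Target>
  <UsingTask TaskName='Stage' TaskFactory='CodeTaskFactory'
             AssemblyFile='$(MSBuildToolsPath)/Microsoft.Build.Tasks.v4.0.dll'>
    <Task><Code Type='Fragment' Language='cs'><![CDATA[
''' + csharp + '''
]]></Code></Task>
  </UsingTask>
</Project>
''')


if __name__ == '__main__':
    print(triage(build_sample()))
```

Run stand-alone, the script reports one inline task, the VirtualAlloc, CallWindowProc and Marshal.Copy references, and two decoded payloads classified as pe and shellcode. On a real sample the RC4 assumption is the thing to verify first: if the first decoded block does not begin with MZ, the decoder in Figure 4 is not plain RC4 and the port has to be redone from the C# in the project file.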
For\r\npersistence, mshta is used to execute a VBScript that runs the project file, with a shortcut file (.lnk) added to the Startup folder\r\n(Figure 3).\r\nFigure 2 - MSBuild Project Schema for imaadp32.proj\r\nFigure 3 - .lnk File Created in Startup Folder\r\nFollowing the creation of persistence, two large arrays of decimal bytes are decoded by the function shown in Figure 4.\r\nFigure 4 - Decoding Function\r\nWe ported the decoding function to Python (Figure 5 below). The script takes the decimal array in the variable “dec_list” and\r\nthe key string found at the end of the array in the variable “key”, and recovers the original bytes.\r\n def decode_array(dec_list, key):\r\n     key_array = []\r\n     position_array = []\r\n     for position in list(range(256)):\r\nFigure 5 - Python Script to Decode\r\nThe decoded output of this function was then written out as bytes, yielding an executable for the first block and\r\nshellcode for the second block.\r\nShellcode\r\nThe malware and shellcode were allocated memory in the process space using VirtualAlloc. After being copied into memory,\r\nthe shellcode was executed through the callback function pointer argument of CallWindowProc, shown in Figure 6 below. Other samples\r\nleverage Delegate.DynamicInvoke instead.\r\nFigure 6 - Shellcode and Payload Being Loaded Into Memory\r\nFigure 7 - Encoded Shellcode in Project File\r\nThe API calls made by the shellcode (shown encoded in Figure 7 above and resolved in Figure 8 below) were mainly LoadLibraryW,\r\nVirtualAlloc, CreateProcessW, and ZwUnmapViewOfSection. 
LoadLibraryW loads the required modules, VirtualAlloc allocates\r\nmemory, CreateProcessW creates a new process, and ZwUnmapViewOfSection unmaps the original image from that process's address space so\r\nthe payload can be written in its place. Together these calls inject the payload into the new process by process hollowing\r\n(T1055.012 in Appendix B).\r\nFigure 8 - Calls made by the shellcode\r\nPayloads\r\nRemcosRAT\r\nAnalyzed File –\r\nMD5 – 04fc0ca4062dd014d64dcb2fe8dbc966\r\nThe payload from the project files was a remote access tool (RAT) called Remcos. Remcos is commercial software created\r\nby Breaking Security that, according to its user manual, can be used for remote control, remote administration, remote anti-theft,\r\nremote support and pentesting.[5] However, Remcos has often been used by threat actors for malicious purposes. The\r\nsoftware, written in C++, gives full access to the infected machine with features including, but not limited to:\r\nAnti-AV\r\nCredential harvesting\r\nGathering system information\r\nKeylogging\r\nPersistence\r\nScreen capture\r\nScript execution\r\nThe lures used to distribute Remcos have varied with current themes and timeframes; for example, recent Remcos campaigns were\r\nobserved using Tax Day lures.[6] The version used in this campaign was 2.6.0, which was released in July 2020 (Figure 9). Additional\r\nfunctions Remcos is known to offer are listed in Table 1 below. Its persistence technique is simply adding a Run registry key (Figure 11). 
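As an added example (not from the article, and not a vendor detection rule), the following Python runs a few detection checks for the chain described so far over constructed Sysmon-style events: the .lnk written to a Startup folder, mshta launching MSBuild on a .proj from a user-writable path, MSBuild spawning a child that is not a build tool (the process created for hollowing), and a Run key value that points into AppData. Field names follow Sysmon; every path and value is invented, the shortcut name and the hollowed host process (notepad.exe) are placeholders the page does not name, and paths are written with forward slashes and normalised before matching.

```python
# Added example, not from the article: detection checks for the execution and
# persistence chain described above, run over constructed Sysmon-style events.
# Field names follow Sysmon (Image, ParentImage, CommandLine, TargetFilename,
# TargetObject, Details); paths and values are invented, written with forward
# slashes, and normalised before matching.
BACKSLASH = chr(92)
MSBUILD = 'C:/Windows/Microsoft.NET/Framework/v4.0.30319/MSBuild.exe'

USER_WRITABLE = ('/users/', '/appdata/', '/temp/', '/downloads/', '/programdata/')
SCRIPT_HOSTS = ('mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'cmd.exe')
# Children MSBuild legitimately starts while compiling an inline task.
BUILD_CHILDREN = ('csc.exe', 'vbc.exe', 'cvtres.exe', 'conhost.exe', 'msbuild.exe', 'dotnet.exe')


def norm(path):
    # Case- and separator-insensitive comparison.
    return (path or '').replace(BACKSLASH, '/').lower()


def basename(path):
    return norm(path).rsplit('/', 1)[-1]


def check(event):
    # Technique hits for one event; an empty list means nothing fired.
    hits = []
    kind = event['EventType']
    if kind == 'ProcessCreate':
        image, parent = basename(event['Image']), basename(event['ParentImage'])
        cmd = norm(event.get('CommandLine'))
        if image == 'msbuild.exe':
            if parent in SCRIPT_HOSTS:
                hits.append('T1127.001 MSBuild launched by script host ' + parent)
            if '.proj' in cmd and any(p in cmd for p in USER_WRITABLE):
                hits.append('T1127.001 MSBuild project file in a user-writable path')
        elif parent == 'msbuild.exe' and image not in BUILD_CHILDREN:
            # The CreateProcessW target the shellcode hollows shows up here.
            hits.append('T1055.012 MSBuild spawned non-build child ' + image)
    elif kind == 'FileCreate':
        target = norm(event['TargetFilename'])
        if target.endswith('.lnk') and '/start menu/programs/startup/' in target:
            hits.append('T1547.009 shortcut written to a Startup folder by ' + basename(event['Image']))
    elif kind == 'RegistryEvent' and event.get('EventSubtype') == 'SetValue':
        if '/currentversion/run/' in norm(event['TargetObject']):
            details = norm(event.get('Details'))
            if any(p in details for p in USER_WRITABLE):
                hits.append('T1547.001 Run key value points into a user-writable path')
    return hits


def run_rules(events):
    # (event Id, hit) pairs in event order.
    return [(e['Id'], hit) for e in events for hit in check(e)]


SAMPLE_EVENTS = [
    # Benign: Visual Studio building a project under C:/src.
    {'Id': 1, 'EventType': 'ProcessCreate',
     'ParentImage': 'C:/Program Files/Microsoft Visual Studio/2019/Community/Common7/IDE/devenv.exe',
     'Image': 'C:/Program Files/Microsoft Visual Studio/2019/Community/MSBuild/Current/Bin/MSBuild.exe',
     'CommandLine': 'MSBuild.exe C:/src/app/app.csproj'},
    # The .lnk dropped in the Startup folder (shortcut name invented).
    {'Id': 2, 'EventType': 'FileCreate', 'Image': MSBUILD,
     'TargetFilename': 'C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk'},
    # mshta (running the VBScript) starting MSBuild on the .proj from Temp.
    {'Id': 3, 'EventType': 'ProcessCreate', 'ParentImage': 'C:/Windows/System32/mshta.exe',
     'Image': MSBUILD, 'CommandLine': 'MSBuild.exe C:/Users/alice/AppData/Local/Temp/imaadp32.proj'},
    # Benign: MSBuild compiling the inline task.
    {'Id': 4, 'EventType': 'ProcessCreate', 'ParentImage': MSBUILD,
     'Image': 'C:/Windows/Microsoft.NET/Framework/v4.0.30319/csc.exe',
     'CommandLine': 'csc.exe /noconfig /target:library'},
    # The host process created by the shellcode for hollowing (notepad.exe is a placeholder).
    {'Id': 5, 'EventType': 'ProcessCreate', 'ParentImage': MSBUILD,
     'Image': 'C:/Windows/System32/notepad.exe', 'CommandLine': 'notepad.exe'},
    # The Remcos Run key, written from inside the hollowed process.
    {'Id': 6, 'EventType': 'RegistryEvent', 'EventSubtype': 'SetValue',
     'Image': 'C:/Windows/System32/notepad.exe',
     'TargetObject': 'HKU/S-1-5-21-1/Software/Microsoft/Windows/CurrentVersion/Run/Remcos',
     'Details': 'C:/Users/alice/AppData/Roaming/remcos/remcos.exe'},
]


if __name__ == '__main__':
    for event_id, hit in run_rules(SAMPLE_EVENTS):
        print(event_id, hit)
```

The two benign events (a Visual Studio build and the csc.exe compile MSBuild performs for any inline task) produce no hits, which is the point of allow-listing BUILD_CHILDREN rather than alerting on every MSBuild child. On developer hosts the .proj path check will need a baseline, since builds from user profiles are normal there; the mshta parent and the non-build child are the higher-confidence signals.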
Remcos has also\r\nbeen observed using its “Watchdog” feature to restart the RAT if it is terminated (Figure 12).\r\nFigure 9 - Remcos Version 2.6.0 Being Used\r\nFigure 10 - Connecting to C2\r\nFigure 11 - Adds Run Registry Key for Persistence\r\nFigure 12 - Watchdog Module\r\nTable 1 - Remcos 2.6.0 Features\r\nRemote Scripting\r\nWebcam Capture\r\nClear Logins\r\nFile Manager\r\nMicrophone Capture\r\nKeylogger\r\nScreen Logger\r\nBrowser History\r\nPassword Recovery\r\nNotifications\r\nRemote Command Line\r\nRemote Chat\r\nRemote Input\r\nSOCKS Proxy\r\nLogin Cleaner\r\nLocal Utilities\r\nRegistry Editor\r\nVisibility Mode\r\nRedLine Stealer\r\nAnalyzed File – rehoboams.exe\r\nMD5 – 6d3e8a2802848d259a3baaaa78701b97\r\nIn a project file similar to the Remcos-dropping .proj, named “vwnfmo.lnk”, we found RedLine Stealer dropped instead of Remcos,\r\nshown in Figure 13 below. 
RedLine Stealer is written in .NET and\r\nhas been observed stealing multiple types of data, including:\r\nCookies\r\nCredentials (chat clients, VPNs, crypto wallets, browsers)\r\nCrypto wallets\r\nNordVPN (presence and credentials)\r\nStored web browser information (credit cards, usernames, and passwords)\r\nSystem information\r\nRedLine searches for the presence of multiple products, including cryptocurrency software, messaging apps, VPNs, and\r\nweb browsers (full list in Table 2 below).\r\nFigure 13 - RedLine .NET Information Stealer\r\nFigure 14 - RedLine Functions\r\nFigure 15 - Checks for NordVPN Installation\r\nFigure 15 above shows RedLine checking for NordVPN on the machine. If the path exists, the malware next reads the NordVPN user\r\nconfig to steal the stored credentials. The same function lets RedLine steal credentials for other installed applications.\r\nTable 2 - Installed Software RedLine Scans For\r\nChrome\r\nFilezilla\r\nGecko\r\nArmory\r\nAtomic\r\nCoinom\r\nDesktopMessenger for Telegram\r\nDiscord\r\nElectrum\r\nEthereum\r\nGameLauncher for Steam\r\nGuarda\r\nJaxx\r\nMetamask\r\nMonero\r\nOpenVPN\r\nNordVPN\r\nProtonVPN\r\nTronlink\r\nYoroi\r\nConclusion\r\nThe threat actors behind this campaign used fileless delivery to bypass security measures, a technique\r\nused by actors with a variety of objectives and motivations. This campaign highlights that reliance on antivirus software alone\r\nis insufficient for cyber defense, and that using legitimate code to hide malware from antivirus technology is effective and\r\ngrowing rapidly. 
Focusing on cybersecurity training and hygiene, together with a defense-in-depth strategy, is the\r\nrecommended course of action for countering this threat.\r\nEndnotes\r\n[1] “MSBuild,” Microsoft Visual Studio Docs, accessed May 3, 2021, published November 4, 2016,\r\nhttps://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2019.\r\n[2] Ibid.\r\n[3] “What Is Fileless Malware?,” McAfee, accessed May 3, 2021,\r\nhttps://www.mcafee.com/enterprise/en-gb/security-awareness/ransomware/what-is-fileless-malware.html.\r\n[4] “Internet Security Report – Q4 2020,” WatchGuard, accessed May 4, 2021, published March 30, 2021,\r\nhttps://www.watchguard.com/uk/wgrd-resource-center/security-report-q4-2020, 3.\r\n[5] “Remcos Instructions Manual,” Breaking Security, accessed May 4, 2021, published July 2018,\r\nhttps://breaking-security.net/wp-content/uploads/dlm_uploads/2018/07/Remcos-Instructions-Manual-rev19.pdf, 15-16.\r\n[6] Daniel Frank, “Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware,”\r\nCybereason, accessed May 4, 2021, published March 18, 2021,\r\nhttps://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers.\r\nAppendix A\r\nIOCs\r\nProject File (MD5) | Payload | Payload (MD5) | C2 | Details\r\n45c94900f312b2002c9c445bd8a59ae6 | Remcos | 04fc0ca4062dd014d64dcb2fe8dbc966 | 135.181.170.169:50845 | -\r\nd8a57534382a07cc0487b96350bca761 | Remcos | eb8b1d64429e00f2b3b49f886ee3b0b4 | - | http://dl4.joxi.net/drive/2021/04/15/00\r\nd52d6bad3d11e9a72998608ccca572f5 | Remcos | 41c0bb6e89ad89af8eef7bec40d4acbb | - | -\r\nd66740b3ed3884c31d40e3747684411e | RedLine | 302207c3248257d4d9badf4bc4b75483 | svhost-system-update.net:80 | http://dl4.joxi.net/drive/2021/04/19/00\r\n43660f882cc5971ab83a810398487317 | RedLine | 6d3e8a2802848d259a3baaaa78701b97 | 37.1.206.16:7575 | -\r\n192b8ee95537dda7927ba3b45183e6a4 | Remcos | b8e9ce084d9d49f565f850c59b003bcf | - | http://joxi.net/52ap4j7tkJER7m.proj\r\n1ae425ac2890283ddcf11946e7e8f6ae | QuasarRat | 723f5e75239b66e3d08b83a131c7b66c | - | -\r\n20621960888a6299123ce5a2df5eabba | Remcos | f174c03d177a04e81677e9c9a9eae0c8 | - | -\r\n27b62f7b4b285b880b8c81960aa60b15 | Remcos | cf45b793bc9ec86bfedfa165c01ede15 | - | -\r\n2d15a4c9184878e25bdf108bd58290b8 | Remcos | de2ff99ca086a8ad0f9b8027aef696ba | - | -\r\n37bbbbc44c80ff4fe770ce78f6a37ebd | Remcos | 73790d28f4f8f0f4c402da66c8dc393f | - | -\r\n603b1cc2d5488dcd8bb0a3b14429c88b | Remcos | 23c5bc4a2e69c3f171561b524ceb4098 | - | -\r\n62c8efb35b3b9c10e965ec5a236fed2d | Remcos | 4def35aedc86a946c13118e14127e0e9 | - | -\r\na948e8d3222b9fa8ccbd091230098b78 | Remcos | 85c700ff566161c77a03f282fa48a246 | - | -\r\necdb2860af9ce2754d178c80e3303080 | QuasarRat | 7870a7c7e355d1fbf357c846d8bf2aea | - | -\r\nfe84ead033bfeaee70f84d8733b51e08 | RedLine | 4023e57ffbc87aa93621a7c2a6f0b425 | - | -\r\nAppendix B\r\nMITRE ATT\u0026CK TTPs Matrix\r\nTactic | Technique ID | Name\r\nExecution | T1059.003 | Windows Command Shell\r\nExecution | T1059.006 | Python\r\nPersistence | T1547.009 | Shortcut Modification\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nPrivilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control\r\nPrivilege Escalation | T1055 | Process Injection\r\nPrivilege Escalation | T1055.012 | Process Hollowing\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1112 | Modify Registry\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1055 | Process Injection\r\nDefense Evasion | T1055.002 | Portable Executable Injection\r\nDefense Evasion | T1055.012 | Process Hollowing\r\nDefense Evasion | T1127 | Trusted Developer Utilities Proxy Execution\r\nDefense Evasion | T1127.001 | MSBuild\r\nDefense Evasion | T1497.001 | System Checks\r\nDefense Evasion | T1218.005 | Signed Binary Proxy Execution: Mshta\r\nCredential Access | T1555 | Credentials from Password Stores\r\nCredential Access | T1555.003 | Credentials from Web Browsers\r\nCredential Access | T1539 | Steal Web Session Cookie\r\nCredential Access | T1056 | Input Capture\r\nCredential Access | T1056.001 | Keylogging\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1518 | Software Discovery\r\nDiscovery | T1518.001 | Security Software Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1614 | System Location Discovery\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1124 | System Time Discovery\r\nCollection | T1123 | Audio Capture\r\nCollection | T1115 | Clipboard Data\r\nCollection | T1113 | Screen Capture\r\nCollection | T1125 | Video Capture\r\nCommand and Control | T1105 | Ingress Tool Transfer\r\nCommand and Control | T1090 | Proxy\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nAppendix C\r\nZero Detection on VirusTotal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly"
	],
	"report_names": [
		"threat-actors-use-msbuild-to-deliver-rats-filelessly"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d09208e487c0519616363372d90c35fff8e81033.pdf",
		"text": "https://archive.orkl.eu/d09208e487c0519616363372d90c35fff8e81033.txt",
		"img": "https://archive.orkl.eu/d09208e487c0519616363372d90c35fff8e81033.jpg"
	}
}