Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Custom malware is risky. It can be found, reversed, attributed, and burned. So some attackers stopped using it.
MSBuild.exe is a legitimate Microsoft-signed binary. Ships with Windows. Supposed to compile code. Researchers at ASEC documented how attackers embed C# payloads directly in XML project files. MSBuild compiles and runs them entirely in memory. Nothing written to disk. No binary to hash. No file for antivirus to scan. And parent-process checks won’t help either, because MSBuild legitimately spawns child processes all the time.
SHADOW#REACTOR does the same thing differently. VBScript launches PowerShell, which delivers a payload disguised as plain text. Every stage looks like something Windows might normally do.
The part worth paying attention to: this isn’t one group’s trick. DesckVB RAT uses nearly identical execution. A separate WhatsApp-delivered VBS campaign documented by Microsoft Defender Experts runs the same chain. Multiple unrelated actors, independently converging on the same technique. That’s not a coincidence. It’s because it works.
What actually helps: restrict MSBuild execution outside developer environments, enable PowerShell Script Block Logging, block VBScript via policy, and invest in EDR with memory scanning. Signature-based tools won’t catch what never touches disk.
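A starting point for the detection side of that list, as an added example that is not part of the original post: two rules run over constructed process-creation events, one flagging MSBuild.exe handed a project file from a user-writable location (the in-memory C# case), the other flagging a script host spawning PowerShell (the VBScript-to-PowerShell chain). The event field names, the sample events and the user-writable path heuristic are assumptions, modelled loosely on Sysmon process-creation records.

```python
import re

# Constructed sample events (not real telemetry); field names are assumed.
EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\Users\dev\source\repos\app\app.csproj"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\build.xml"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -w hidden -f C:\Users\bob\Downloads\notes.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe"},
]

# Heuristic (an assumption): locations an ordinary user can write to, where a
# build project has no business living.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Windows\\Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules this event triggers (empty if none)."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Rule 1: MSBuild compiling a project file from a user-writable location.
    # Parent process is deliberately ignored here; the post explains why.
    if image == "msbuild.exe" and USER_WRITABLE.search(cmd):
        hits.append("msbuild_project_in_user_writable_path")
    # Rule 2: a script host (VBScript) launching PowerShell.
    if image in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every triggered rule."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
```

The developer-workstation build (event 0) and the interactive PowerShell launch (event 3) pass; the Temp-directory project and the wscript-to-powershell chain are the two alerts.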