A malware campaign distributing a malicious variant of the dnSpy app wreaked havoc last week, targeting developers and cybersecurity researchers. The threat actors' goal was to install crypto stealers, RATs, and miners.
Last week, a threat actor created a GitHub repository containing a dnSpy variant that deploys a malware cocktail. The malware bundle consisted of clipboard hijackers, a Quasar RAT, various other payloads, and a miner. The clipboard hijackers were used to steal cryptocurrency.
According to the BleepingComputer publication, MalwareHunterTeam together with 0day enthusiast discovered this malicious campaign. The researchers initially noticed the dnSpy project at https://github[.]com/carbonblackz/dnSpy/. It was then moved to https://github[.]com/isharpdev/dnSpy.
Below there is a representation of the malicious dnSpy GitHub repository:
The attackers also built a website at dnSpy[.]net with a convincing, likable design. The site is reported to be offline now.
The website was promoted through SEO techniques so that dnSpy[.]net would rank first on Google. Other search engines, including Bing, Yahoo, AOL, Yandex, and Ask.com, listed this domain too.
The threat actors also had a backup plan: the SEO strategy was reinforced with paid search ads to make the Google ranking successful.
It seems that, during