From Malspam to Fileless .NET Loader

June 10, 2026, 8:30 a.m.

Description

A sophisticated malspam campaign delivers a multi-stage .NET loader through an elaborate chain beginning with HTML email attachments. The attack routes through legitimate Google DoubleClick infrastructure to evade detection, then deploys a dynamically personalized phishing kit that pulls victim company branding in real-time. The infection chain progresses through JavaScript, PowerShell, and multiple .NET components, executing primarily in-memory while actively patching AMSI and ETW to blind Windows telemetry. The loader performs extensive anti-analysis checks, terminates or reboots upon detecting sandboxes or debugging tools, and establishes persistence through registry keys and scheduled tasks disguised as NVIDIA components. It targets Microsoft-signed binaries like InstallUtil.exe and MSBuild.exe for process injection, maintains C2 communications over non-standard ports using AES-encrypted protobuf messages, and profiles victim systems including specific GPU enumeration potentially for cryptocurrency min...

Date

  • Created: June 9, 2026, 3:50 p.m.
  • Published: June 9, 2026, 3:50 p.m.
  • Modified: June 10, 2026, 8:30 a.m.

Indicators


Additional Information


Linked vulnerabilities