GBHackers

Hackers Exploit MSBuild LOLBin to Evade Detection in Fileless Windows Attacks


Cyber attackers are increasingly using Living Off the Land Binaries (LOLBins) to bypass security detection. By leveraging legitimate system tools, these attacks avoid signature-based defenses and operate without dropping traditional malware files.

One such LOLBin now gaining attention is MSBuild.exe, the Microsoft Build Engine that ships with the .NET Framework and Visual Studio and is signed by Microsoft.

Designed to build .NET projects described in XML-based project files, it is being repurposed by attackers: a project file can carry an inline task whose C# source MSBuild compiles and executes inside its own process, so the payload never has to exist as a separate executable on disk. The result is a stealthy, fileless intrusion.

MSBuild offers attackers three major advantages.

First, malicious C# code can be embedded inline within XML project files (an "inline task", declared with a UsingTask element and a code task factory) and executed directly by MSBuild. No standalone executable is written, so payload delivery is completely fileless.

Second, MSBuild provides full execution capabilities, including file handling, network communication, and binary compilation, which lets attackers stage multi-stage payloads flexibly from one project file.

Finally, it bears a legitimate Microsoft digital signature. Allowlisting policies that trust Microsoft-signed binaries, and antivirus engines that match on file hashes or signatures, have nothing to match on: the only attacker-controlled file on disk is a text project file, and the code it carries runs inside a signed process.
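To make the inline-task mechanism concrete, here is an added example (not code from the article, ASEC, or Lab52) that parses a project file and reports the two places where a .csproj can run code at build time: UsingTask elements backed by CodeTaskFactory or RoslynCodeTaskFactory, which compile the embedded C#, and Exec tasks, which run a shell command. The sample project is constructed for this example and its task only logs a message; it is the structure, not the payload, that a hunter looks for when a .csproj turns up in a download folder.

```python
"""Report code-executing constructs in an MSBuild project file.

Added example; not the article's or any vendor's code. SAMPLE_CSPROJ is a
constructed, benign project that shows the inline-task structure.
"""
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file itself.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Constructed sample: one inline C# task and one Exec command, both harmless.
SAMPLE_CSPROJ = """<Project ToolsVersion="4.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <HelloTask />
    <Exec Command="echo build step" />
  </Target>
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        Log.LogMessage("inline task ran");
      </Code>
    </Task>
  </UsingTask>
</Project>
"""


def _local(tag):
    """Strip the XML namespace so legacy and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(xml_text):
    """Return one record per <Code> block declared under an inline-task factory."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue  # a compiled task assembly, not inline source
        for code in el.iter():
            if _local(code.tag) == "Code":
                findings.append({
                    "task": el.get("TaskName"),
                    "factory": factory,
                    "type": code.get("Type", "Fragment"),
                    "language": code.get("Language", "cs"),
                    "source": (code.text or "").strip(),
                })
    return findings


def find_exec_commands(xml_text):
    """Return the Command attribute of every <Exec> task in the project."""
    root = ET.fromstring(xml_text)
    return [el.get("Command", "") for el in root.iter() if _local(el.tag) == "Exec"]


if __name__ == "__main__":
    for f in find_inline_tasks(SAMPLE_CSPROJ):
        print(f"inline task {f['task']} ({f['factory']}, {f['language']}): {f['source']}")
    for cmd in find_exec_commands(SAMPLE_CSPROJ):
        print(f"exec: {cmd}")
```

Running this over a project file pulled from a user's Downloads or Temp folder gives an analyst the embedded source and shell commands without opening the file in MSBuild; a project with an inline task whose fragment decodes buffers, allocates executable memory, or opens sockets is not a build script.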

Detection Evasion Technique Using MSBuild

A proof-of-concept shared by researcher Michał Walkowski in early 2025 demonstrated how MSBuild could bypass Windows Defender on Windows 11.

Using only two files, a C# source file (main.cs) and a project file (main.csproj), the attacker instructs MSBuild to compile and run arbitrary shellcode.

When invoked, MSBuild establishes a reverse TCP shell connecting the victim system to a remote attacker machine, all without raising an alert from Defender.


main.csproj (Source : ASEC).

Tests confirmed that even with real-time protection enabled, no warnings or blocks occurred during execution.

The reason is simple: every process in the chain is a Microsoft-signed component, so rules that key on untrusted or unknown binaries see nothing unusual. What stands out is only the behavior, a build tool opening an outbound connection to a remote host, and conventional signature rules do not look at that.

In February 2026, Lab52 reported a phishing campaign abusing MSBuild.exe to deliver PlugX malware.

The attack used an archive attachment masquerading as a meeting invitation. Inside the ZIP file, a renamed copy of MSBuild.exe and a malicious project file sat side by side; the infection began when the victim ran the renamed executable.

Attacker system (Source : ASEC).

Because MSBuild, when started with no project argument, builds the project file it finds in its working directory (documented behavior, not a bug), the renamed copy picked up the .csproj next to it automatically. That project file contained inline logic that contacted attacker-controlled servers, downloaded encoded payloads, and stored them under randomized filenames in the Windows temporary directory.

After the downloads succeeded, MSBuild executed a seemingly legitimate program that performed DLL sideloading: a malicious DLL in the same path was loaded into memory, enabling PlugX to execute covertly.

This layered approach, combining a signed binary, project-file logic, and DLL sideloading, let the attack blend with normal Windows activity. Both endpoint and antivirus software perceived the execution chain as legitimate.

Mitigations

Defending against MSBuild-based attacks requires context-aware monitoring beyond static signature checks.

  • Flag MSBuild.exe execution on hosts and from directories where no software is built. Match on the binary's original file name (the PE version resource) or hash rather than the process name, since the PlugX campaign ran a renamed copy.
  • Correlate process chains in which MSBuild spawns PowerShell, cmd.exe, or any child other than the compilers it normally launches.
  • Detect project files (.csproj, .proj, .xml) being built from temporary or download folders, including the no-argument launch that picks up a project file from the working directory.
  • Analyze outbound connections from MSBuild.exe, and image loads where a process in a user-writable directory loads an unsigned DLL from its own folder.
  • Where a host never builds software, block MSBuild.exe outright with application control (WDAC or AppLocker) instead of relying on detection.
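The rules above can be expressed as correlation logic over endpoint telemetry. The following is an added example, not the article's or any vendor's detection content: it walks a constructed sequence of events using Sysmon field names (Event ID 1 process creation with OriginalFileName, Event ID 3 network connection, Event ID 7 image load) and reports which processes tripped which rule. The directory lists, parent and child allowlists, and all file names in the sample events are assumptions for illustration and would be tuned per environment.

```python
"""Correlate Sysmon-style events for the MSBuild abuse patterns above.

Added example; not ASEC, Lab52 or GBHackers code. EVENTS is a constructed
sample modelled on the described chain: a renamed MSBuild launched from
Downloads with no project argument, an outbound connection, a dropped
child executable, and an unsigned DLL loaded from that child's directory.
"""
import re

MSBUILD = "msbuild.exe"
# Parents under which MSBuild is expected (assumed allowlist).
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe", "code.exe"}
# Children MSBuild normally spawns during a build (assumed allowlist).
BUILD_CHILDREN = {"csc.exe", "vbc.exe", "vbcscompiler.exe", "dotnet.exe", "conhost.exe", "msbuild.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INSTALL_DIRS = ("\\microsoft visual studio\\", "\\dotnet\\sdk\\", "\\microsoft.net\\framework")
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
PROJECT_ARG = re.compile(r'"?([^\s"]+\.(?:csproj|vbproj|proj|targets|props|xml))"?', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def in_any(path, dirs):
    low = path.lower()
    return any(d in low for d in dirs)


def is_msbuild(ev):
    """A renamed copy keeps its PE OriginalFileName; match on that as well."""
    return basename(ev.get("Image", "")) == MSBUILD or ev.get("OriginalFileName", "").lower() == MSBUILD


def scan(events):
    """Return {ProcessGuid: [reason, ...]} for every process that tripped a rule."""
    msbuild_guids, findings = set(), {}

    def flag(guid, reason):
        findings.setdefault(guid, []).append(reason)

    for ev in events:
        eid, guid, image = ev.get("EventID"), ev.get("ProcessGuid", "?"), ev.get("Image", "")
        if eid == 1 and is_msbuild(ev):
            msbuild_guids.add(guid)
            if basename(image) != MSBUILD:
                flag(guid, "MSBuild running under another name (OriginalFileName mismatch)")
            if not in_any(image, INSTALL_DIRS):
                flag(guid, "MSBuild image outside Visual Studio/.NET install paths")
            parent = basename(ev.get("ParentImage", ""))
            if parent not in DEV_PARENTS:
                flag(guid, f"launched by non-development parent {parent}")
            projects = PROJECT_ARG.findall(ev.get("CommandLine", ""))
            if any(in_any(p, SUSPECT_DIRS) for p in projects):
                flag(guid, "project file in temp/download location")
            elif not projects and in_any(ev.get("CurrentDirectory", ""), SUSPECT_DIRS):
                flag(guid, "no project argument; auto-loads a project from temp/download location")
        elif eid == 1 and ev.get("ParentProcessGuid") in msbuild_guids:
            child = basename(image)
            if child in SHELLS:
                flag(guid, f"MSBuild spawned shell {child}")
            elif child not in BUILD_CHILDREN:
                flag(guid, f"MSBuild spawned unexpected child {child}")
        elif eid == 3 and (guid in msbuild_guids or is_msbuild(ev)):
            flag(guid, f"outbound connection from MSBuild to {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
        elif eid == 7:
            loaded = ev.get("ImageLoaded", "")
            if (str(ev.get("Signed", "")).lower() == "false" and dirname(loaded) == dirname(image)
                    and in_any(loaded, SUSPECT_DIRS)):
                flag(guid, f"unsigned DLL {basename(loaded)} loaded from the process's own directory")
    return findings


# Constructed sample events; names and GUIDs are placeholders, not campaign indicators.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\bob\Downloads\invite\Meeting.exe",
     "OriginalFileName": "MSBuild.exe", "CommandLine": r'"C:\Users\bob\Downloads\invite\Meeting.exe"',
     "CurrentDirectory": r"C:\Users\bob\Downloads\invite", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Users\bob\Downloads\invite\Meeting.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\x8f2\viewer.exe", "OriginalFileName": "viewer.exe",
     "CommandLine": "viewer.exe", "ParentImage": r"C:\Users\bob\Downloads\invite\Meeting.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Users\bob\AppData\Local\Temp\x8f2\viewer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\x8f2\helper.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{C3}",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe", "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "CurrentDirectory": r"C:\src\app", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for guid, reasons in scan(EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```

The benign build launched from Visual Studio produces no findings, while the renamed copy collects five and its dropped child two. The correlation on ParentProcessGuid matters: once MSBuild has been renamed, a rule that only looks at the parent's image name never sees the spawned child.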

MSBuild has become a potent LOLBin for fileless attack chains. Its trusted signature, inline-task support, and automatic loading of a project file from the working directory give attackers both stealth and flexibility.

The growing abuse highlights a shift for defenders: behavioral context and parent-child process relationships now matter more than whether a binary is signed.

As LOLBin techniques evolve, proactive threat hunting and policy enforcement will remain essential to securing Windows environments.
