Researchers at Howler Cell have uncovered a .NET AOT malware campaign whose loader scores the host to tell real victims from sandboxes before dropping the Rhadamanthys infostealer and an XMRig miner.
Cybersecurity researchers at Howler Cell have discovered a new multi-layered malware campaign whose loaders are built with .NET Ahead-of-Time (AOT) compilation, a build mode that makes the malware far harder to analyse with the standard .NET tooling that defenders and researchers rely on.
For context, a normal .NET assembly ships its code as Intermediate Language (IL) together with rich metadata (class, method and type names: a digital map that lets decompilers such as dnSpy or ILSpy, and the security tools built on them, reconstruct what a program is doing). AOT compiles that code to native machine code and strips the map away, turning the binary into a black box that has to be taken apart with native-level disassemblers, the way a C or C++ program would be.
A Complex Game of Digital Hide-and-Seek
The trouble usually starts with a suspicious link, likely spread through phishing emails, that leads to a ZIP archive. When the victim opens the archive, they see several legitimate-looking modules that make the folder appear safe. The real threat, however, is a file named KeyAuth.exe: a downloader that, once run, quietly fetches a second-stage file called bound_build.exe.
As researchers probed further, they realised that bound_build.exe is the main stage of the attack. It XOR-decrypts and launches two additional payloads. The first, Crypted_build.exe, retrieves the notorious Rhadamanthys infostealer; the second, Miner.exe, eventually installs a component named MicrosoftEdgeUpdater, a disguised loader for the XMRig cryptocurrency miner.
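Recovering a XOR-encrypted payload like the two that bound_build.exe carries is a routine analyst task, and it can usually be done without reversing the decryption routine at all. The script below is an added example, not Howler Cell's tooling or the malware's code: it treats the stable first bytes of a PE file's DOS header as known plaintext, derives a candidate repeating XOR key for each key length up to 16, and accepts a candidate only if the decrypted result still has a valid MZ header whose e_lfanew field points at a "PE\0\0" signature. The key length and the assumption that the payload is a plain PE are mine; the article only states that the loader XOR-decrypts its payloads. The sample payload and key are constructed for the demonstration.

```python
"""Recover a XOR-encrypted PE payload embedded in a loader.

Added example (not the malware's or Howler Cell's code). Uses the first bytes
of a standard PE DOS header as known plaintext to derive a repeating XOR key of
length 1..MAX_KEY_LEN, then validates the candidate through the
e_lfanew -> "PE\\0\\0" chain so that a wrong key length is rejected.
"""
import struct

# First 16 bytes of the DOS header written by common Windows linkers
# (e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss).
KNOWN_DOS_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")
MAX_KEY_LEN = 16  # assumption: short repeating key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ signature and e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_pe(cipher: bytes, max_key_len: int = MAX_KEY_LEN):
    """Return (key, plaintext) if cipher is a XOR'd PE with key length <= max_key_len, else None."""
    for k in range(1, max_key_len + 1):
        # Known-plaintext step: key[i] = cipher[i] ^ plaintext[i] for the first k bytes.
        key = xor_bytes(cipher[:k], KNOWN_DOS_HEADER[:k])
        plain = xor_bytes(cipher, key)
        # A wrong k scrambles the bytes after position k-1, which breaks the
        # MZ / e_lfanew / PE signature chain, so only the right period survives.
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an embedded payload: DOS header, e_lfanew = 0x80, PE signature."""
    dos = bytearray(KNOWN_DOS_HEADER) + bytearray(0x40 - len(KNOWN_DOS_HEADER))
    struct.pack_into("<I", dos, 0x3C, 0x80)
    stub = b"\x00" * (0x80 - 0x40)
    return bytes(dos) + stub + b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 26


if __name__ == "__main__":
    payload = build_fake_pe()
    blob = xor_bytes(payload, b"\x5a\xc3\x19\x77")  # constructed 4-byte key
    result = recover_xor_pe(blob)
    if result is None:
        print("no XOR'd PE found")
    else:
        key, plain = result
        print(f"key: {key.hex()}  recovered intact: {plain == payload}")
```

In practice the input is the blob carved from the loader's resources or data section; if the real DOS header deviates from the standard bytes beyond the key length, the derivation still works because only the first k bytes are used, and the e_lfanew check catches any false positive.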
How the Malware Tests Your PC
What makes this threat stand out is how it evaluates a computer before it strikes. Researchers noted that the loader uses a scoring system to decide whether it is running on a real victim's PC or on a researcher's sandbox. It checks signals such as installed RAM, adding points if the machine has more than 8 GB, and system uptime.
The malware even counts files: more than ten files in the Documents folder marks the host as a likely human target. It also looks for common antivirus processes such as WinDefend or Kaspersky. If the final score is below 5, the malware assumes it is being watched and simply exits, so an automated sandbox that boots a fresh, empty VM sees nothing malicious and may return a clean verdict. Analysts therefore need to make analysis machines look lived-in (realistic RAM, long uptime, a populated Documents folder) before the loader will show its real behaviour.
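A compact model of that scoring logic makes the analyst-side implication concrete: a default sandbox VM fails every check, and the same function that reproduces the verdict also lists exactly which signals a sandbox must raise to be treated as a real victim. This is an added example, not the malware's code or Howler Cell's tooling. The article gives the signals and the cut-off (a score below 5 means the loader exits) but not every weight, so the point values, the one-hour uptime threshold and the direction of the AV check (presence of AV counted as a sign of a real user) are assumptions; the host profiles are constructed.

```python
"""Model of the loader's host-scoring (sandbox evasion) heuristic.

Added example, not the malware's code. Signals and the exit cut-off come from
the report; the weights, the uptime threshold and treating AV presence as a
"real user" signal are assumptions made for this model.
"""
from dataclasses import dataclass

EXIT_THRESHOLD = 5  # from the report: total score < 5 -> assume sandbox, exit

# Lower-cased names to look for in the process list. MsMpEng.exe and avp.exe are
# the Defender and Kaspersky processes; WinDefend is Defender's service name, kept
# because the report uses it. Exact list is an assumption.
AV_PROCESS_NAMES = {"windefend", "msmpeng.exe", "avp.exe", "kaspersky"}


@dataclass(frozen=True)
class HostProfile:
    ram_gb: float
    uptime_seconds: int
    documents_file_count: int
    process_names: tuple


# (signal name, predicate over the host, points awarded) -- points are assumed
SIGNALS = (
    ("ram_over_8gb", lambda h: h.ram_gb > 8, 2),
    ("uptime_over_1h", lambda h: h.uptime_seconds > 3600, 2),
    ("docs_over_10", lambda h: h.documents_file_count > 10, 2),
    ("av_present", lambda h: any(p.lower() in AV_PROCESS_NAMES for p in h.process_names), 1),
)


def score_host(host: HostProfile):
    """Return (total, {signal: points}) the way the loader would tally it."""
    awarded = {name: (points if check(host) else 0) for name, check, points in SIGNALS}
    return sum(awarded.values()), awarded


def loader_would_run(host: HostProfile) -> bool:
    """True if the loader would proceed to stage two; False if it would exit."""
    return score_host(host)[0] >= EXIT_THRESHOLD


def missing_signals(host: HostProfile):
    """Signals that scored 0: what an analysis VM must change to look like a real victim."""
    _, awarded = score_host(host)
    return [name for name, pts in awarded.items() if pts == 0]


# Constructed profiles for the demonstration.
DEFAULT_SANDBOX = HostProfile(ram_gb=4, uptime_seconds=90,
                              documents_file_count=0, process_names=("explorer.exe",))
WORKSTATION = HostProfile(ram_gb=16, uptime_seconds=5 * 24 * 3600,
                          documents_file_count=240,
                          process_names=("explorer.exe", "MsMpEng.exe", "outlook.exe"))
HARDENED_SANDBOX = HostProfile(ram_gb=16, uptime_seconds=2 * 3600,
                               documents_file_count=25, process_names=("explorer.exe",))

if __name__ == "__main__":
    for label, host in (("default sandbox", DEFAULT_SANDBOX),
                        ("workstation", WORKSTATION),
                        ("hardened sandbox", HARDENED_SANDBOX)):
        total, awarded = score_host(host)
        verdict = "RUN" if loader_would_run(host) else "EXIT"
        print(f"{label:17s} score={total} -> {verdict}; missing={missing_signals(host)}")
```

With the assumed weights a host needs three of the four signals, or two strong ones plus an AV process, to cross the threshold; the useful output for a sandbox operator is the `missing_signals` list, which says what to fix in the VM image rather than just that the sample exited.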
Cracking the Black Box
Despite these hurdles, the blog post says, the team at Howler Cell used the Binary Ninja disassembler to break through the defences. By building a custom WARP signature library for the statically linked runtime and library code, they could automatically recognise those functions and concentrate on the malware's own logic. “WARP eliminated the need to manually inspect almost 4,000 library functions,” researchers noted. The approach raised their coverage of the binary from less than 1% to over 85%.

The key takeaway from this campaign is that loaders are getting better at profiling the host and staying dormant when they suspect they are being analysed, so a clean sandbox verdict on its own is not proof that a file is safe. To stay safe, never download or open ZIP archives from untrusted links, be suspicious of executables that arrive alongside "legitimate-looking" modules, and keep your system and security tooling updated.

