Nobody is safe from cyberattacks was once again proven by threat actors as they conducted a malware campaign against developers and researchers. The campaign disseminated a trojanized version of the dnSpy .NET app.

What is dnSpy?

dnSpy is a renowned debugger and .NET assembly editor utilized to debug, decompile, and alter .NET programs. This application is typically used while examining .NET software and malware. The software is not in active development anymore, however, the original source code and a new actively developed version are available on GitHub.

Malicious dnSpy and malware assortment

A threat actor made a GitHub repository containing a compiled dnSpy version that installs an assortment of malware. It includes clipboard hijackers to exfiltrate cryptocurrency, a miner, Quasar RAT, and other unknown payloads. They also designed a seemingly professional website at dnSpy[.]net and promoted it via a successful SEO campaign to get it listed on Google, Bing, Yahoo,, Yandex, and AOL.

Why this matters

Attacks on cybersecurity developers and researchers are not new and are increasing in intensity. In such attacks, the bad actors mostly aim to steal undisclosed bugs and source codes, as well as gain access to confidential networks. They need to be cautious of malicious clones of famous projects, which install malware on their devices.

The bottom line

Presently, both the GitHub repository and the associated website are shut down. However, the risk of possible clones for projects remains. This current campaign poses a grave risk as it deploys a variety of payloads that can have severe consequences for victims.

Cyware Publisher