This week, a threat actor created a GitHub repository with a compiled version of dnSpy that installs a cocktail of malware, including clipboard hijackers to steal cryptocurrency, the Quasar remote access trojan, a miner, and a variety of unknown payloads. This new campaign was discovered by security researchers 0day Enthusiast and MalwareHunterTeam, who saw the malicious dnSpy project initially hosted at https://github[.]com/carbonblackz/dnSpy/ and then switched to https://github[.]com/isharpdev/dnSpy to appear more convincing. The threat actors also created a website at dnSpy[.]net that was nicely designed and professional-looking. At this time, both the website and the GitHub repository used to power this campaign have been shut down.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in