Daniel Ruiz, OPSWAT

Dani has had a passion for malware reverse engineering and threat intelligence research since college. He has worked as an incident responder and threat intelligence researcher, but since the beginning of his career he has mainly focused on malware analysis in every role.

Currently, he combines threat research with malware analysis automation as threat research lead at OPSWAT's MetaDefender Sandbox (also known as filescan.io). He loves chasing threat actors, tracking infection campaigns, and defeating the latest malware techniques in this never-ending whack-a-mole game against the threat actors.

Affiliation:

OPSWAT


Session

10-14
16:00
45min
Cybercrime Loves .NET: Motivations and Emerging Malware Trends
Daniel Ruiz, OPSWAT

Why do cybercriminals rely so heavily on .NET for malware development? This talk explores how .NET has quietly become one of the most abused languages or frameworks. With built-in support for dynamic compilation and in-memory execution, .NET offers attackers ease of use and flexibility for crafting modular, evasive malware. While existing .NET code is widely reused, there is also a growing underground market of “Protector-as-a-Service” tools fueling the rapid adoption of .NET across cybercrime operations.

This talk dives into the internals of .NET from a malware analyst's perspective, then explores how protectors, which go far beyond simple packers, enable advanced evasion and anti-analysis techniques. We’ll show how this poses a unique challenge for sandboxes and automated pipelines, which fail to scale when facing threats that require deeper, context-aware analysis beyond basic runtime execution.

To ground this in the real world, we’ll analyze Roboski (also known as TicTacToe), a .NET bitmap-based loader that is simple, effective, and indeed everywhere. Despite being years old, it still sneaks under the radar and is widely reused in the wild, serving as a key delivery tool for next-stage payloads.

This talk will blend threat research with malware internals, sharing actionable techniques to improve detection and dive deep into what’s hiding inside today’s .NET malware.

Main Track