Cybercrime Loves .NET: Motivations and Emerging Malware Trends
2025-10-14, Main Track

Why do cybercriminals rely so heavily on .NET for malware development? This talk explores how .NET has quietly become one of the most abused languages and frameworks. With built-in support for dynamic compilation and in-memory execution, .NET offers attackers ease of use and flexibility for crafting modular, evasive malware. While existing .NET code is widely reused, there is also a growing underground market of “Protector-as-a-Service” tools fueling the rapid adoption of .NET across cybercrime operations.

This talk dives into the internals of .NET from a malware analyst's perspective to later explore how protectors—far beyond simple packers—enable advanced evasion and anti-analysis techniques. We’ll show how this poses a unique challenge for sandboxes and automated pipelines, which fail to scale when facing threats that require deeper, context-aware analysis beyond basic runtime execution.

To ground this in the real world, we’ll analyze Roboski (also known as TicTacToe), a .NET bitmap-based loader that is simple, effective, and indeed everywhere. Despite being years old, it still sneaks under the radar and is widely reused in the wild, serving as a key delivery tool for next-stage payloads.

This talk will blend threat research with malware internals, sharing actionable techniques to improve detection and diving deep into what’s hiding inside today’s .NET malware.


Outline:

  1. Introduction to the .NET malware landscape: widely known malware families, new trends observed in the wild, reused parts, commonalities, etc.
    This part will explore the historic landscape and the current landscape, and will include our collected statistics. Additionally, it will highlight how many malware families share code, since .NET code is very easy to reuse.

  2. .NET framework internals: Native PEs vs. .NET, CIL/MSIL, .NET assemblies, unmanaged code, .NET PE structure...
    Building on the previous section, we will pivot to how easy it is to reuse code from other malware, since decompiling .NET malware is very straightforward. We will explain how .NET samples are executed and some technical characteristics of this framework and its PEs.

  3. Techniques implemented to hide payloads in .NET samples: protectors vs. packers vs. obfuscators.
    In this section we will explain the differences between these three terms, which are commonly confused. They imply different layers of evasion and pose different challenges for malware analysis.

  4. Roboski use case: how it works at a deep level, its different names, and the malware families using Roboski to deliver their own payloads.
    Roboski is one of the most popular "wrappers"/loaders for .NET payloads, yet it is not widely talked about. We will expose its popularity and the details of its implementation, relating its behaviour to the topics from the previous section.

  5. Detecting and defeating Roboski and other evasion techniques found in .NET malware
    After explaining the technical characteristics of .NET in general and of Roboski in particular, we will wrap up with actionable techniques to improve detection against these .NET threats.
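A first triage step that sections 2 and 5 above both depend on is telling a .NET assembly apart from a native PE before any decompilation or detection logic runs. The example below is added here and is not code from the talk or from the Roboski analysis; it parses the PE headers by hand and checks the CLR runtime header slot of the data directory (slot 14, `IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR`), which native PEs leave empty. The `build_minimal_pe32` fixture is a constructed, header-only image used so the example runs offline; the CLR header RVA and size it writes are made-up values.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot holding the CLR runtime header
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def clr_header_directory(pe_bytes: bytes):
    """Return (rva, size) of the CLR runtime header directory entry, or None.

    None means the input is not a well-formed PE, or it is a native PE with no
    CLR header (slot 14 zeroed or absent). Every read is bounds-checked so a
    truncated or malformed sample cannot raise on a triage pipeline.
    """
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(pe_bytes) or pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", pe_bytes, coff + 16)
    opt = coff + 20
    if size_of_optional_header < 2 or opt + size_of_optional_header > len(pe_bytes):
        return None
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    # Offset of NumberOfRvaAndSizes inside the optional header; the directory
    # table follows it immediately (96 for PE32, 112 for PE32+).
    if magic == PE32_MAGIC:
        count_offset = 92
    elif magic == PE32PLUS_MAGIC:
        count_offset = 108
    else:
        return None
    if count_offset + 4 > size_of_optional_header:
        return None
    (number_of_dirs,) = struct.unpack_from("<I", pe_bytes, opt + count_offset)
    if number_of_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    entry = opt + count_offset + 4 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if entry + 8 > opt + size_of_optional_header:
        return None
    rva, size = struct.unpack_from("<II", pe_bytes, entry)
    if rva == 0 or size == 0:
        return None
    return rva, size


def is_dotnet_assembly(pe_bytes: bytes) -> bool:
    """True when the PE carries a CLR runtime header, i.e. it is a managed assembly."""
    return clr_header_directory(pe_bytes) is not None


def classify(pe_bytes: bytes) -> str:
    """Coarse triage label: 'dotnet', 'native', or 'not-pe'."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        return "not-pe"
    return "dotnet" if is_dotnet_assembly(pe_bytes) else "native"


def build_minimal_pe32(clr_rva: int = 0, clr_size: int = 0) -> bytes:
    """Constructed fixture: a header-only PE32 image with no sections or code.

    Passing a non-zero clr_rva/clr_size fills data-directory slot 14 the way a
    managed assembly would; leaving both zero mimics a native PE.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    number_of_dirs = 16
    optional_header_size = 96 + number_of_dirs * 8
    # Machine=I386, 0 sections, timestamp, symtab ptr, nsyms, opt-hdr size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, optional_header_size, 0x0102)
    opt = bytearray(optional_header_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, number_of_dirs)
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a native-looking PE and one with a CLR header of 0x48 bytes.
    for name, sample in {"native.exe": build_minimal_pe32(),
                         "managed.exe": build_minimal_pe32(0x2008, 0x48),
                         "junk.bin": b"not a pe at all"}.items():
        print(f"{name}: {classify(sample)} {clr_header_directory(sample)}")
```

The check is deliberately independent of any PE library so it can sit in front of a sandbox or pipeline as a cheap routing step: managed samples go to a .NET-aware analysis path (decompilation, protector identification), native ones to the usual path, and anything that fails the header walk is flagged rather than crashing the parser.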

Takeaways:

  • Understand the modern .NET PE malware landscape and attacker motivations
  • Understand the particularities of the .NET framework
  • Learn how the different payload-hiding techniques work and how they evade automated detection
  • Identify why automated and sandbox-based analysis often fails
  • Get hands-on insights from the Roboski case study to aid detection and unpacking workflows

Target audience:

  • Malware Analysts
  • Threat Researchers
  • SOC Analysts
  • Detection Engineers
  • Reverse Engineers
  • Any technical audience with an interest in the evolving threat landscape

Session category:

Malware analysis

Dani has had a passion for malware reverse engineering and threat intelligence research since college. He has worked as an incident responder and a threat intelligence researcher, but since the beginning of his career he has mainly focused on malware analysis in every role.

Currently, he combines threat research with malware analysis automation as threat research lead at OPSWAT's MetaDefender Sandbox (also known as filescan.io). He loves chasing threat actors, tracking infection campaigns, and defeating the latest malware techniques in this never-ending whack-a-mole game against them.