CYFIRMA Research
Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
CYFIRMA Research: Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse
Operation PhantomCLR
Our latest research uncovers a highly sophisticated post-exploitation framework that represents a significant shift in modern attacker tradecraft. The campaign leverages .NET AppDomainManager hijacking to abuse a legitimate, digitally signed Intel binary (IAStorHelp.exe), transforming it into a stealthy execution container without modifying the original file.
This allows malicious code to execute within a trusted environment, effectively bypassing traditional EDR and antivirus defenses. The framework operates entirely in memory, combining advanced techniques, such as JIT-based shellcode execution, reflective DLL loading, and direct syscall usage, to evade detection while maintaining operational stealth.
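AppDomainManager hijacking works by pointing the CLR at a custom manager assembly, either through appDomainManagerAssembly/appDomainManagerType elements in the host's .exe.config or through the APPDOMAIN_MANAGER_ASM/APPDOMAIN_MANAGER_TYPE environment variables, which is why the signed host binary itself never changes. The following is an added triage helper written for this summary (not CYFIRMA's code, and not tied to the IAStorHelp.exe case specifically): it surfaces those settings in a config file, in a process environment, or across a directory tree; the sample config and the "PlaceholderManager" names are constructed.

```python
import os
import xml.etree.ElementTree as ET
from typing import Mapping

# Elements under <configuration><runtime> that select a custom AppDomainManager,
# the hook that AppDomainManager hijacking relies on.
MANAGER_TAGS = {"appdomainmanagerassembly", "appdomainmanagertype"}
# Process environment variables that select the same thing without any config file.
MANAGER_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

def manager_from_config(config_xml: str) -> dict[str, str]:
    """Return {'appDomainManagerAssembly': ..., 'appDomainManagerType': ...}
    for any such element in an application .exe.config; empty dict if none."""
    found: dict[str, str] = {}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return found  # malformed config is not, by itself, a hijack indicator
    for node in root.iter():
        tag = node.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.lower() in MANAGER_TAGS:
            found[tag] = node.attrib.get("value", "")
    return found

def manager_from_env(env: Mapping[str, str]) -> dict[str, str]:
    """Return the CLR AppDomainManager overrides present in a process environment."""
    return {k: env[k] for k in MANAGER_ENV if k in env}

def scan_directory(path: str) -> list[dict]:
    """Walk path for *.exe.config files and report those assigning a custom manager."""
    hits = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                settings = manager_from_config(fh.read())
            if settings:
                exe = full[: -len(".config")]
                hits.append({"config": full, "exe": exe,
                             "exe_present": os.path.exists(exe), **settings})
    return hits

# Constructed sample: a config that would redirect a host EXE's CLR to a
# third-party assembly dropped beside it (names are placeholders).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlaceholderManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PlaceholderManager.Entry" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    print(manager_from_config(SAMPLE_CONFIG))
    print(manager_from_env(os.environ))
```

A hit from scan_directory where the config sits beside a signed, vendor-supplied executable and names an assembly outside the vendor's install set is the pattern worth escalating.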
Link to the Research Report: https://www.cyfirma.com/research/operation-phantomclr-stealth-execution-via-appdomain-hijacking-and-in-memory-net-abuse/