Operation PhantomCLR : Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse

CYFIRMA analyzed a sophisticated multi-stage post-exploitation framework that hijacks the .NET AppDomainManager to execute malicious code inside a legitimately signed Intel utility (IAStorHelp.exe), combining JIT-based shellcode, reflective loading, direct syscalls, and CDN-based domain fronting to evade detection. The campaign targets financial organizations in the Middle East and EMEA, using strong sandbox evasion, encrypted payloads, heap-based resilience, and anti-forensic memory teardown, with stealthy C2 routed through Amazon CloudFront.

Key points

  • Attackers abuse a legitimately signed Intel binary (IAStorHelp.exe) via a co-located IAStorHelp.exe.config to hijack the .NET AppDomainManager and run unsigned malicious code without modifying the host binary.
  • Multi-stage chain delivered by spear-phishing ZIP archive: .pdf.lnk trigger, signed host binary proxy execution, malicious .config and .NET DLL, AES-encrypted payload (setting.yml), and decoy PDF.
  • Robust sandbox evasion combining a 60-second prime-sieve timing gate and a constrained SHA-256-based AES key derivation loop (0..892,007) to exhaust automated analysis windows before payload activation.
  • In-memory stealth execution via JIT trampoline (DefineDynamicAssembly → overwrite JIT’d memory with shellcode), reflective DLL loading with per-section protections, and PEB-based zero-API resolution to bypass hooks.
  • Command-and-control uses HTTPS domain fronting through Amazon CloudFront and backend ELB infrastructure (dp8519iqiftub[.]cloudfront[.]net → dunamis-ethos…elb[.]amazonaws[.]com), complicating network blocking without TLS inspection.
  • Advanced anti-forensics: DLL injection storm to create noisy benign-looking activity, heap-walking context recovery for resilience, and two-phase memory teardown (NtProtectVirtualMemory → NtFreeVirtualMemory) to remove in-memory artifacts.
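As an added defensive check (this is not code from CYFIRMA's report or from the campaign): a Python scanner that flags `*.exe.config` files carrying the AppDomainManager override the hijack above relies on, and records whether the named assembly has been dropped beside the executable, as the co-located DLL was in this case. The two config bodies and the `PlaceholderMgr` names are constructed assumptions, not values from the campaign.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# <runtime> children that make the CLR load a custom AppDomainManager before
# any of the host executable's own code runs (the T1574.014 hijack above).
OVERRIDE_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed look-alike of a poisoned config; assembly and type names are placeholders.
POISONED_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="PlaceholderMgr, Version=1.0.0.0, Culture=neutral" />
  <appDomainManagerType value="PlaceholderMgr.Entry" />
</runtime></configuration>"""
# Constructed benign config: only a framework version pin, no runtime overrides.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup></configuration>"""

def parse_overrides(config_xml: str) -> dict:
    """Return {tag: value} for each AppDomainManager override in one config."""
    found = {}
    for runtime in ET.fromstring(config_xml).iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # drop any XML namespace prefix
            if tag in OVERRIDE_TAGS:
                found[tag] = child.get("value", "")
    return found

def scan(root_dir: str) -> list:
    """Walk root_dir; return one record per *.exe.config carrying an override."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                path = os.path.join(dirpath, name)
                overrides = parse_overrides(Path(path).read_text(encoding="utf-8-sig"))
                if overrides:  # any override at all is worth an analyst's look
                    asm = overrides.get("appDomainManagerAssembly", "").split(",")[0].strip()
                    beside = bool(asm) and os.path.isfile(os.path.join(dirpath, asm + ".dll"))
                    hits.append({"path": path, "overrides": overrides,
                                 "assembly_beside_exe": beside})  # DLL dropped next to the exe
    return hits

def demo() -> list:
    """Stage both constructed configs and an empty stand-in DLL in a temp dir, then scan."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "Host.exe.config").write_text(POISONED_CONFIG, encoding="utf-8")
    (tmp / "Other.exe.config").write_text(BENIGN_CONFIG, encoding="utf-8")
    (tmp / "PlaceholderMgr.dll").touch()
    return scan(str(tmp))
```

Point `scan()` at directories where signed vendor utilities are staged (user Downloads, Temp, extracted archive folders); a legitimate application rarely ships an AppDomainManager override next to someone else's signed binary.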

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial delivery via a malicious ZIP containing all components. Quoted from the report: ‘spear-phishing delivery via a malicious ZIP archive containing all required components.’
  • [T1204.002] User Execution: Malicious File – Execution depends on the user double-clicking a disguised .pdf.lnk shortcut. Quoted from the report: ‘the user executes a disguised .pdf.lnk file, triggering trusted binary proxy execution.’
  • [T1106] Native API – Use of direct syscall stubs through NTDLL to bypass userland API monitoring. Quoted from the report: ‘Direct syscall usage through NTDLL bypasses userland API monitoring.’
  • [T1129] Shared Modules – Loading many DLLs via randomized LoadLibrary calls to generate benign-looking activity. Quoted from the report: ‘DLL injection storm generates high-volume benign-looking API activity.’
  • [T1574.014] Hijack Execution Flow: AppDomainManager – Abuse of the .exe.config to override CLR initialization and load attacker code first. Quoted from the report: ‘a poisoned config file that instructs the .NET runtime to load attacker-controlled code during the application’s initialization.’
  • [T1036.005] Masquerading: Match Legitimate Resource Name or Location – LNK icon and DLL metadata spoofing to mimic legitimate resources. Quoted from the report: ‘LNK uses Edge PDF icon; DLL spoofs Intel.’
  • [T1218] System Binary Proxy Execution – Using the signed IAStorHelp.exe as a trusted execution proxy for malicious code. Quoted from the report: ‘signed IAStorHelp.exe as execution proxy.’
  • [T1027.002] Obfuscated Files or Information: Software Packing – Encrypted and compressed payload blob (AES-encrypted + GZip-compressed) to hide contents. Quoted from the report: ‘AES-encrypted + GZip-compressed payload.’
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – Numerous scrambled API name constructions and embedded payloads to avoid static detection. Quoted from the report: ‘27 API names via scrambled stack strings.’
  • [T1027] Obfuscated Files or Information – General use of XOR de-obfuscation, junk classes, and string obfuscation to dilute analysis. Quoted from the report: ‘XOR de-obfuscation; 36 junk classes.’
  • [T1140] Deobfuscate/Decode Files or Information – Runtime AES key derivation loop and XOR-based string de-obfuscation used to reveal the payload and strings only at runtime. Quoted from the report: ‘Runtime AES key derivation loop combined with XOR-based string de-obfuscation.’
  • [T1620] Reflective Code Loading – Custom reflective DLL loader maps modules in memory and applies per-section protections. Quoted from the report: ‘Custom reflective DLL loader.’
  • [T1070] Indicator Removal on Host – Memory and buffer wiping of PE headers and buffers to remove forensic traces. Quoted from the report: ‘PE headers wiped; buffers zeroed.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Bypass of EDR hooks by using direct NTDLL syscalls to evade monitoring. Quoted from the report: ‘Bypasses EDR hooks via direct NTDLL.’
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – 60-second prime-sieve computational gate to exhaust sandbox analysis time. Quoted from the report: ‘60-second prime sieve timing gate.’
  • [T1480] Execution Guardrails – File size and other guards to prevent execution when artifacts are tampered with or the environment is wrong. Quoted from the report: ‘File size validation (0x3AAC6C).’
  • [T1055.003] Process Injection: Thread Execution Hijacking – JIT trampoline via DefineDynamicAssembly used to execute shellcode in-thread without typical allocation APIs. Quoted from the report: ‘JIT trampoline via DefineDynamicAssembly.’
  • [T1082] System Information Discovery – Runtime checks of the system environment such as processor/locale to guide execution. Quoted from the report: ‘Registry processor/locale interrogation.’
  • [T1057] Process Discovery – Enumerating process modules and threads to validate the environment and injected modules. Quoted from the report: ‘Thread enumeration; Process.Modules scan.’
  • [T1055.001] Process Injection: Dynamic-link Library Injection – Reflective DLL injection used to map payloads into the host process. Quoted from the report: ‘Reflective DLL injection.’
  • [T1071.001] Command and Control: Application Layer Protocol – HTTPS/TLS used for C2 beaconing and POST-based communications. Quoted from the report: ‘HTTPS/TLS C2 over CloudFront.’
  • [T1090.004] Proxy: Domain Fronting – C2 concealed through Amazon CloudFront CDN fronting to obscure the true backend infrastructure. Quoted from the report: ‘C2 via cloudfront.net CDN.’

Indicators of Compromise

  • [SHA-256] Malware binaries/hashes observed – f2266b45d60f5443c5c9304b5f0246348ad82ca4f63c7554c46642311e3f8b83, 4f353b9634509a5e1456e54ccb4ce64c1e6d95094df96048ef79b30cc2fda6cb, and 2 more hashes
  • [Domain] C2/CDN infrastructure – dp8519iqiftub[.]cloudfront[.]net, dunamis-ethos508-prod-va6-856defacfb833db1[.]elb[.]us-east-1[.]amazonaws[.]com
  • [File Name] Delivered artifact filenames in the ZIP lure – IAStorHelp.exe, IAStorHelp.exe.config, IAStorHelpMosquitoproof.dll, and other components such as setting.yml and ‘Work From Home Policy Update.pdf.lnk’
  • [File Name] Decoy/document indicators – professionally crafted Arabic decoy PDF referencing MOF-WFH-2026-28673 used as a social-engineering lure

Read more: https://www.cyfirma.com/research/operation-phantomclr-stealth-execution-via-appdomain-hijacking-and-in-memory-net-abuse/