All news with #.net tag

New Airstalk Malware Abuses AirWatch for Covert C2

🛡️ We have discovered a new Windows-based malware family named Airstalk that abuses the AirWatch (Workspace ONE UEM) API to establish a covert command-and-control channel and exfiltrate browser artifacts. Two variants were observed: a PowerShell variant focused on Chrome cookie and bookmark theft, and a more advanced .NET variant that adds multi-threaded C2, beaconing, versioning, and support for Microsoft Edge and Island Browser. Several .NET samples were signed with a likely stolen certificate that was revoked shortly after issuance. Unit 42 assesses with medium confidence that a suspected nation-state actor used Airstalk in a likely supply chain compromise and provides IoCs and mitigation guidance.

Phantom Taurus: NET-STAR .NET IIS Backdoor Revealed

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.

Operation Rewrite: BadIIS SEO Poisoning Campaign in Asia

🔍 Unit 42 uncovered Operation Rewrite, a March 2025 SEO poisoning campaign that deploys a native IIS implant called BadIIS to manipulate search engine indexing and redirect users to attacker-controlled scam sites. The implant registers request handlers, inspects User‑Agent and Referer headers, and proxies malicious content from remote C2 servers. Variants include lightweight ASP.NET page handlers, a managed .NET IIS module, and an all-in-one PHP front controller. Organizations can detect and block activity with Palo Alto Networks protections and should engage incident responders if compromised.

Microsoft .NET Bounty Program Raises Awards to $40,000

🔒 Microsoft has expanded the .NET Bounty Program, increasing maximum awards to $40,000 and broadening coverage to include all supported .NET and ASP.NET versions, adjacent technologies like F#, templates, and GitHub Actions. The program simplifies award tiers, aligns impact categories with other Microsoft bounty programs, and defines report quality as complete (working exploit) or not complete, encouraging detailed, actionable submissions.

Microsoft .NET Bounty Program Increases Awards to $40,000

🛡️ Microsoft has updated the .NET Bounty Program, expanding scope and increasing maximum payouts to $40,000 for high-impact vulnerabilities. The program now covers all supported versions of .NET and ASP.NET (including Blazor and F#), repository templates, and GitHub Actions in .NET repositories. Awards are now tied to explicit severity and report quality criteria, with higher payments for complete, exploit-backed reports.