
Hackers Exploit MSBuild LOLBin to Bypass Detection in Fileless Windows Attacks


Cyber attackers are increasingly relying on Living Off the Land Binaries (LOLBins) to evade security controls. By abusing legitimate tools that are already present on the system, they sidestep signature-based defenses and carry out attacks without dropping traditional malware files, which both improves stealth and complicates detection and response.

A LOLBin that has recently attracted attention is MSBuild.exe, a native Windows development tool signed by Microsoft. Designed to build projects, including compiling and running C# code, from XML-based project files, it has been repurposed by attackers to execute arbitrary payloads directly from memory. The result is stealthy, fileless intrusions that match no conventional malware signature.

MSBuild offers attackers several advantages. First, malicious C# code can be embedded directly in an XML project file, so the payload runs without a separate executable ever being written to disk, an entirely fileless delivery. With no traditional malware file present, security tooling has far fewer indicators to flag.

Second, MSBuild’s capabilities go well beyond simple code execution: inline code has full access to file handling, network communication, and even binary compilation. That flexibility supports multi-stage payloads and lets an attacker adapt to different targets and scenarios.

Finally, MSBuild carries a legitimate Microsoft digital signature. Because most endpoint products implicitly trust activity from Microsoft-signed binaries, signature-based detection is nearly ineffective against this vector, and an MSBuild invocation during an attack often passes unnoticed.

In early 2025, security researcher Michał Walkowski shared a proof-of-concept showing how MSBuild could bypass Windows Defender on Windows 11. Using only two simple files, a C# source file (main.cs) and a project configuration file (main.csproj), MSBuild was instructed to compile and execute arbitrary shellcode. When run, MSBuild established a reverse TCP shell from the compromised system back to an attacker-controlled machine without triggering any alert from the security software.

Tests run alongside the proof-of-concept confirmed that, even with real-time protection enabled, no warning or block was raised during execution. The reason is that the entire process chain consists of trusted components, so the behavioral anomalies it produces fall outside conventional detection rules.

By February 2026, Lab52 reported on a phishing campaign that abused MSBuild.exe to deliver PlugX malware. The attackers sent a ZIP file disguised as a meeting invitation; when the victim opened it, a renamed MSBuild executable and a malicious project file started the infection chain. MSBuild automatically loaded the accompanying .csproj file, whose inline script logic contacted attacker-controlled servers, downloaded encoded payloads, and stored them under randomized names in the Windows temporary directory.

Once the payloads were downloaded, MSBuild launched a seemingly benign program that performed DLL sideloading: it loaded a malicious DLL from the same directory into memory, letting PlugX run covertly in the targeted environment. The whole chain, a trusted binary, MSBuild logic, and DLL injection, blended in with normal Windows activity and evaded endpoint and antivirus solutions.

Given the sophistication of these attacks, defending against MSBuild-based exploitation requires context-aware monitoring that goes beyond static signature checks. A robust strategy includes flagging MSBuild.exe executions in non-development contexts or from abnormal directories, correlating process chains in which MSBuild spawns PowerShell or cmd.exe, and monitoring for project files launched from temporary or download folders.

Analyzing outbound connections made by MSBuild.exe and scrutinizing DLL sideloading that involves non-standard modules add further layers of defense.
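The process-context checks above, written out as a small detection rule set run over constructed process-creation events (an added example, not from the article or from Lab52). The events mimic the shape of Sysmon Event ID 1 records; because the Lab52 campaign used a renamed MSBuild copy, the rule keys on the PE OriginalFileName as well as the on-disk name. The file paths, user name and event contents are assumptions made up for the sample.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1-like shape
# (Image, OriginalFileName, ParentImage, CommandLine); not real telemetry.
def ev(image, orig, parent, cmd):
    return {"Image": image, "OriginalFileName": orig, "ParentImage": parent, "CommandLine": cmd}

VS = r"C:\Program Files\Microsoft Visual Studio\2022\Community"
FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    ev(VS + r"\MSBuild\Current\Bin\MSBuild.exe", "MSBuild.exe", VS + r"\Common7\IDE\devenv.exe",
       r"MSBuild.exe C:\src\app\app.csproj /t:Build"),                  # ordinary build
    ev(FW + r"\MSBuild.exe", "MSBuild.exe", r"C:\Windows\explorer.exe",
       r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\main.csproj"),  # project file in Temp
    ev(r"C:\Users\alice\Downloads\invite\meeting.exe", "MSBuild.exe",
       r"C:\Windows\explorer.exe", "meeting.exe"),                     # renamed MSBuild copy
    ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
       FW + r"\MSBuild.exe", "powershell.exe"),                        # shell spawned by MSBuild
]

DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)

def assess(event):
    """Return the detection labels that fire for one process-creation event."""
    findings = []
    # Key on the PE OriginalFileName as well as the on-disk name, so a renamed copy
    # of MSBuild (as in the Lab52 PlugX campaign) is still recognised.
    if basename(event["Image"]) == "msbuild.exe" or event["OriginalFileName"].lower() == "msbuild.exe":
        if basename(event["ParentImage"]) not in DEV_PARENTS:
            findings.append("msbuild_non_dev_parent")
        if basename(event["Image"]) != "msbuild.exe":
            findings.append("msbuild_renamed")
        if in_suspicious_dir(event["Image"]):
            findings.append("msbuild_abnormal_dir")
        for proj in re.findall(r"\S+\.(?:csproj|vbproj|proj)\b", event["CommandLine"], re.I):
            if in_suspicious_dir(proj):
                findings.append("project_from_temp_or_downloads")
    # Parent match is by on-disk name only; Sysmon records no OriginalFileName for the parent.
    if basename(event["Image"]) in SHELLS and basename(event["ParentImage"]) == "msbuild.exe":
        findings.append("msbuild_spawned_shell")
    return findings
```

Calling assess() on each sample event yields no findings for the ordinary build from devenv.exe, while the Temp-project, renamed-copy and MSBuild-spawned-shell events each raise one or more labels; a renamed parent would be missed by the last rule, so pair it with the OriginalFileName check on the parent's own creation event.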

As MSBuild emerges as a potent LOLBin for fileless attack chains, its trusted status, inline scripting capabilities, and automatic loading of project files let attackers operate with a high degree of stealth and functionality. The growing use of these techniques marks an essential shift in how defenders must approach Windows threats: continuous vigilance, proactive threat hunting, and robust policy enforcement are crucial for safeguarding Windows environments against an evolving threat landscape.
