MalwareHunterTeam specialists have uncovered a malicious version of the dnSpy debugger that installs hidden miners and Trojans on victims' computers.
dnSpy is commonly used by researchers and developers to adjust and decompile programs. The software is also popular with cybersecurity professionals who analyze .NET malware.
At the time of writing, the debugger is no longer supported by the original developers, but its source code is available on GitHub. There is also a development version that anyone can clone and modify. That is exactly what the hackers took advantage of.
The malicious version of dnSpy can download hidden miners, the Quasar Trojan, and software that modifies the clipboard and steals cryptocurrencies onto an infected device.
Cybercriminals even managed to create a special website to popularize their program (not available at the time of writing) and launched an advertising campaign in the search results of popular systems: Bing, Yahoo, AOL, and Ask.com.
So far, only a few anti-virus engines detect the malicious version of dnSpy.