A new and concerning multi-stage Trojan has been identified targeting software developers using Microsoft Visual Studio. The malware directly infiltrates Visual Studio projects, effectively turning the development environment into a launchpad for software supply chain attacks. By compromising projects at the source code level, the Trojan can ensure that malicious code is compiled into the final, legitimate application. This allows the threat actor to distribute their malware through the trusted channel of the compromised software, reaching all of its end-users. This 'shift-left' attack highlights the increasing focus of adversaries on compromising the software development lifecycle itself.
The attack vector involves compromising a developer's workstation and modifying Visual Studio project files (.csproj or .vbproj). The Trojan is described as 'multi-stage', which suggests an initial, lightweight component is responsible for establishing a foothold and then downloading or unpacking a more functional, malicious payload. This payload then manipulates the build process.
By embedding itself in the project files, the malware achieves a high degree of stealth and persistence within the development environment. It's not just a malicious file sitting on disk; it's integrated into the very blueprint of the application being built. This is a classic example of T1195.002 - Compromise Software Supply Chain: Compromise Software Development Tools.
While specific technical details are still emerging, the attack likely involves modifying the MSBuild tasks within a project file. MSBuild is the build platform for Visual Studio, and project files are essentially XML scripts that define how code is compiled, linked, and packaged. An attacker could add a custom build task to:
<Target> with an <Exec> task to run a malicious command or script during the build process (T1059 - Command and Scripting Interpreter).Once the malicious code is part of the compiled application, it will be signed with the legitimate developer's code signing certificate, making it appear trustworthy to end-users and security products. This is a form of T1553.002 - Code Signing abuse.
The potential impact of this attack is extremely high. A single compromised developer or build server can lead to the distribution of a trojanized application to thousands or millions of users. This can lead to:
This type of attack is particularly dangerous because it bypasses many traditional security controls that focus on network-based attacks or scanning finished executables. The malware is 'born' inside a trusted environment and wrapped in a legitimate, signed application.
No specific file hashes, IP addresses, or C2 domains were mentioned in the source articles.
To hunt for this type of threat, security teams in development organizations should:
*.csproj, *.vbproj, Directory.Build.propscsc.exe, msbuild.exe<Exec Command=...>, <Target Name="BeforeBuild"><Exec> tasks that run suspicious commands.Version Control System (e.g., Git).csproj, etc.) for suspicious commands or targets. This is a form of D3-SFA - System File Analysis.M1048 - Application Isolation and Sandboxing.M1047 - Audit.Isolating build environments and restricting their network access can prevent malicious build tasks from exfiltrating data or downloading further payloads.
Although abused in this attack, code signing remains a crucial control. It should be combined with integrity checks and reproducible builds.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.