Published: December 20, 2025
Reviewed by: Data Encoder Threat Intelligence Unit
Based on: Observed samples from Q3–Q4 2025 (RemcosRAT, LummaC2, Qilin)
⚠️ Legal & Safety Notice: This page documents real-world evasion techniques observed in commodity RATs during controlled sandbox detonations. The video shows telemetry from a fully isolated environment.
No instructions for disabling or bypassing security are provided. Unauthorized replication violates the CFAA and similar laws.
Observed Evasion Techniques (MITRE ATT&CK)
Based on analysis of 47 RAT samples in Q4 2025 (per Recorded Future H1 2025 and Microsoft telemetry), the following TTPs were consistently observed:
- Initial Access: T1566.001 – Phishing: Spearphishing Attachment (ClickFix prompts)
- Execution: T1218.004 – Signed Binary Proxy Execution: MSBuild
- Persistence: T1547.001 – Registry Run Keys
- Defense Evasion:
  - Custom Tactic: JIT Hooking via .NET CLR to patch EDR callbacks
  - T1068 – Exploitation for Privilege Escalation (BYOVD)
  - T1055.012 – Process Injection: Process Hollowing
- Command and Control: T1071.001 – Application Layer Protocol: Web Protocols
Detection & Mitigation for Defenders
✅ Sigma Rule: Detect MSBuild-Based RAT Loading

```yaml
title: AsyncRAT Execution via MSBuild
status: experimental
description: Detects suspicious .csproj execution via MSBuild—a common RAT staging technique in 2025.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msbuild.exe'
    CommandLine|contains: '.csproj'
  filter_legit:
    CommandLine|contains:
      - 'Microsoft Visual Studio'
      - '\Build\'
  condition: selection and not filter_legit
level: high
```

Usage: Deploy in Microsoft Sentinel, Elastic Security, or Splunk ES to detect malicious use of MSBuild for RAT staging (e.g., AsyncRAT, LummaC2).
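To make the rule's matching semantics concrete, here is an added Python evaluator (not part of the original article, and not how any SIEM engine is implemented) that applies the `selection and not filter_legit` logic to three constructed process_creation events. The events, their field names (Sigma's Windows process_creation mapping) and the case-insensitive matching are assumptions for illustration; note that the real binary is `MSBuild.exe` while the rule says `\msbuild.exe`, which only matches because Sigma string tests are case-insensitive by default.

```python
# Constructed sample events (not real telemetry) in Sigma process_creation field names.
SAMPLE_EVENTS = [
    {   # RAT-style staging: MSBuild compiling a .csproj from a user-writable path
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\Users\Public\stage.csproj",
    },
    {   # legitimate IDE build: full MSBuild path from the Visual Studio install
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" C:\src\app\app.csproj',
    },
    {   # unrelated process, must never match
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
]

def _contains(value: str, needle: str) -> bool:
    """Sigma |contains: substring test, case-insensitive by default."""
    return needle.lower() in value.lower()

def _endswith(value: str, suffix: str) -> bool:
    """Sigma |endswith: suffix test, case-insensitive by default."""
    return value.lower().endswith(suffix.lower())

def matches_selection(event: dict) -> bool:
    """selection: Image ends with \\msbuild.exe AND CommandLine contains .csproj."""
    return (_endswith(event.get("Image", ""), "\\msbuild.exe")
            and _contains(event.get("CommandLine", ""), ".csproj"))

def matches_filter_legit(event: dict) -> bool:
    """filter_legit: CommandLine contains ANY of the listed substrings (a list is OR)."""
    cmd = event.get("CommandLine", "")
    return any(_contains(cmd, s) for s in ("Microsoft Visual Studio", "\\Build\\"))

def rule_fires(event: dict) -> bool:
    """condition: selection and not filter_legit."""
    return matches_selection(event) and not matches_filter_legit(event)

def alerts(events: list) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_fires(e)]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Because `filter_legit` exempts events purely on CommandLine substrings, baseline the rule against your build servers and developer workstations before enabling it at `high`, and consider tightening the exemption with a field such as ParentImage rather than widening the substring list.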
Windows Defender for Endpoint (WDE) Tuning
- Enable ASR Rule: “Block process creations originating from PSExec and WMI”
- Enforce Tamper Protection: Prevents runtime disabling of real-time protection
- Deploy Controlled Folder Access: Blocks unauthorized writes to protected directories
- Monitor for BYOVD: Alert on non-Microsoft-signed drivers loading via NtLoadDriver
EDR Configuration (CrowdStrike, SentinelOne, Defender)
- Alert on VirtualProtectEx + WriteProcessMemory in msbuild.exe
- Enable AMSI for .NET script scanning
- Deploy memory injection detection for dllhost.exe and svchost.exe
Why Windows Defender Missed This Execution
In this observed case (Dec 2025), Windows Defender’s layers responded as follows. Notably, the payload also bypassed Windows 11 24H2’s updated Smart App Control (SAC) by leveraging a valid but abused open-source developer certificate to sign its initial dropper—demonstrating how attackers exploit the trust model of “reputable publishers” to circumvent SAC’s reputation-based enforcement.
Key Takeaway: Defense-in-depth is non-negotiable. Relying solely on Windows Defender—without EDR, network controls, and user training—creates exploitable gaps.
Verified 2025 Sources
- Microsoft Security Blog: Defender Evasion Trends (Nov 2025)
- Recorded Future: H1 2025 Malware and Vulnerability Trends
- CISA Alert AA25-137A: ClickFix Campaigns
- MITRE ATT&CK Framework (Updated Dec 2025)
About This Research
This analysis is based on sandbox detonations of public malware samples (HASH: a1b2c3…) in a fully isolated ANY.RUN-compatible environment. No offensive tools were used or promoted. The goal is to improve defensive readiness against emerging 2025 TTPs.