In May 2026 an attacker compromised a UK medical practice endpoint without delivering a single malicious file.
They used PowerShell and the .NET compiler built into Windows to build a Remcos remote access trojan on the machine itself, so signature antivirus had no known sample to match.
What caught it was DNS filtering, which spotted the malware calling home.
If you run Windows endpoints, and most MSPs and IT teams run a lot of them, the question is whether your defences would have done the same. Here’s how the attack worked, and what would have stopped it sooner.
What actually happened over two days in May
The chain is easy to follow once you stop hunting for a downloaded file. Five steps, two days.
On 27 May the endpoint sent a DNS query to a domain it had never contacted before.
The query timed out.
That was likely the attacker’s first attempt to reach their command server.
Later that day, PowerShell connected to the same domain over an unusual port, and csc.exe, the .NET compiler, built the first staging payload right there on the machine.
On 28 May the loader landed. PowerShell and csc.exe wrote a file called e1yisbe2.dll into a Windows temp folder, and Remcos appeared in memory carrying the campaign ID Rmc-JI9GFC.
From then on it beaconed back to the attacker’s server over an encrypted channel, once a minute.
In MITRE ATT&CK terms that's T1059.001 (Command and Scripting Interpreter: PowerShell) for the PowerShell and T1027.004 (Obfuscated Files and Information: Compile After Delivery) for the csc.exe work.
T1127.001 is often cited for chains like this, but it covers MSBuild, which isn't the binary that ran here. Legitimate tools, run in the right order, built and launched something no scanner had on file.
The way in was probably a phishing file, opened by someone with access to the machine, but the report says “likely,” so we’ll say likely too.
And the report’s remediation notes recommend revoking remote access sessions, even though remote access tooling shows up nowhere in the actual sequence.
Why your antivirus had nothing to scan
Signature-based antivirus matches files against a list of known bad ones.
This attack never handed it a known sample to match.
The compiler did write a loader to disk, but it built that loader fresh on the machine, at the moment of execution, so no prior sample existed for a signature to match.
There was nothing on file to recognise.
MITRE files this under defence evasion and calls it Compile After Delivery.
Their own wording:
Source code “may subvert analysis and scrutiny from protections targeting executables/binaries,” and the technique “cannot be easily mitigated with preventive controls since it is based on the abuse of system features.”
CrowdStrike reported that 82% of the detections it saw in 2025 involved no malware file at all, up from 51% in 2020.
The tools were already on the machine
This attack used PowerShell to drive everything and csc.exe to compile the loader.
The report also lists msiexec as present on the box, though the timeline doesn’t show it running. Living off the land.
Back in 2020, Cisco Talos collected more than a hundred malicious build files that abused Microsoft’s .NET build tooling to run code in memory.
In 2026, Point Wild documented a Remcos campaign with a similar shape.
PowerShell drove an in-memory .NET payload, though that campaign abused aspnet_compiler.exe rather than csc.exe and ran the payload through process hollowing.
ReliaQuest’s incident data ranks msiexec among the most abused of these binaries.
CISA and the UK’s NCSC spelled out the appeal in joint guidance in February 2024.
Living off the land works, they wrote, “with little to no investment in tooling by malicious cyber actors.”
Running as SYSTEM the whole time
First, someone had set PowerShell’s execution policy so unsigned scripts ran freely.
Plenty of admins treat that policy as a security control. It isn’t one, and Microsoft says so flat out.
The execution policy “isn’t a security system that restricts user actions,” because “users can easily bypass a policy.” The thing a lot of teams lean on did nothing here.
Second, nobody had set up application control. Nothing stopped csc.exe from compiling and running arbitrary code at runtime. The compiler did exactly what it’s built to do, for someone who had no business using it.
And on top of both, the endpoint ran as NT AUTHORITY\SYSTEM the entire time, the highest privilege level on a Windows machine.
That’s why one compromised endpoint could quietly turn into a surveillance device, logging keystrokes and capturing the screen and the microphone.
Lower the privilege and you shrink the incident. Here it was as high as it goes.
Where the attack broke
On-host prevention against a chain like this is genuinely hard.
Legitimate tools doing legitimate things in an illegitimate order. By the time Remcos reached memory, the attacker had already stepped around the local defences.
But the attack had one move it couldn’t skip.
A remote access trojan is useless to its operator unless it can phone home.
This one had to reach a command server on the internet to take orders and send back what it collected. That call home is the part the attacker can’t hide.
And that’s where this one broke.
DarkLayer Guard sat at the DNS layer and blocked the recurring queries to the attacker’s domain, every minute, coming from PowerShell.
A minute-by-minute beacon from a scripting host to a domain the endpoint had never contacted before is exactly the pattern DNS filtering catches.
Let’s be straight about what that did and didn’t do, though. DNS filtering didn’t stop the initial execution.
The endpoint was still compromised, and it still needed isolating and reimaging.
What it did was cut the control channel and surface the activity. That’s the difference between an incident you contain and one you discover months later.
When prevention is hard, the layer that catches the thing an attacker can’t avoid doing is the layer that saves you.
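Blocking the domain is what the filter did. If you want to find the same pattern in your own DNS telemetry before a blocklist does, the signal is regularity: the same process querying the same name at near-constant intervals. The script below is an added example, not code from the incident report or its vendor. The log lines are constructed for illustration (the domain uses the reserved .invalid TLD and is hypothetical); the column names mirror the fields a Sysmon Event ID 22 (DnsQuery) record carries, and the thresholds are this example's own choices.

```powershell
# Added example: regular-interval ("beacon") detection over DNS query records.
# Not from the original report. Input is constructed here; in practice feed it
# Sysmon Event ID 22 records or your resolver's query logs with the same columns.

# Constructed sample: a roughly one-minute beacon from powershell.exe to a
# hypothetical domain, mixed with ordinary browser lookups.
$sample = @'
UtcTime,Image,QueryName
2026-05-28 09:00:02,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,c2.example.invalid
2026-05-28 09:00:17,C:\Program Files\Mozilla Firefox\firefox.exe,www.nhs.uk
2026-05-28 09:01:01,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,c2.example.invalid
2026-05-28 09:01:44,C:\Program Files\Mozilla Firefox\firefox.exe,www.bbc.co.uk
2026-05-28 09:02:03,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,c2.example.invalid
2026-05-28 09:02:50,C:\Program Files\Mozilla Firefox\firefox.exe,www.nhs.uk
2026-05-28 09:03:00,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,c2.example.invalid
2026-05-28 09:04:02,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,c2.example.invalid
2026-05-28 09:05:01,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,c2.example.invalid
'@

function Find-DnsBeacons {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # objects with UtcTime, Image, QueryName
        [int]    $MinQueries = 5,                    # fewer than this is not a pattern yet
        [double] $MaxJitter  = 0.20                  # stddev/mean of the gaps; beacons sit near 0
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $Records |
        Group-Object -Property Image, QueryName |
        Where-Object { $_.Count -ge $MinQueries } |
        ForEach-Object {
            # Sort the timestamps for this (process, domain) pair and take the gaps between them.
            $times = $_.Group |
                ForEach-Object { [datetime]::ParseExact($_.UtcTime, 'yyyy-MM-dd HH:mm:ss', $culture) } |
                Sort-Object
            $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
            $mean = ($gaps | Measure-Object -Average).Average
            $sumSq = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum
            $sd = [math]::Sqrt($sumSq / $gaps.Count)
            $jitter = if ($mean -gt 0) { $sd / $mean } else { 0 }
            # Low relative jitter over enough queries is the beacon signature.
            if ($jitter -le $MaxJitter) {
                [pscustomobject]@{
                    Image         = $_.Group[0].Image
                    QueryName     = $_.Group[0].QueryName
                    Queries       = $_.Count
                    MeanIntervalS = [math]::Round($mean, 1)
                    Jitter        = [math]::Round($jitter, 3)
                }
            }
        }
}

$records = $sample | ConvertFrom-Csv
Find-DnsBeacons -Records $records | Format-Table -AutoSize
```

On the constructed sample the powershell.exe group (six queries, gaps of about a minute, jitter around 0.03) is reported and the browser lookups are not. Two caveats for real use: Remcos and similar tools can add deliberate jitter, so raise `$MaxJitter` and lengthen the window rather than trusting one tight threshold, and plenty of legitimate software polls on a timer too, so pair the result with an allowlist of known updaters and telemetry endpoints before it becomes an alert.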
This is a pattern, not a one-off
It would be comfortable to file this under bad luck and move on. The data won’t let you.
Attacks that live off the land take longer to find, and the dwell-time numbers show it.
Mandiant put the global median dwell time at 11 days for 2024 and 14 days for 2025, and tied part of that rise to attackers who mimic normal admin behaviour and clean up their artefacts.
The longer an intruder reads as a sysadmin, the longer they stay. Other research found that most attacker activity gets logged but never alerted on, so the evidence often sits in the logs while nobody’s told to look.
A word on Remcos itself, because accuracy matters.
It’s a commodity tool.
A company called Breaking Security sells it, MITRE tracks it as S0332, and CISA named it in its 2021 list of top malware strains.
Plenty of unrelated criminal groups use it, which is exactly why we won’t pin this incident on a named actor.
The tool tells you the capability. It doesn’t tell you the culprit.
What this would have cost a UK practice
Translate this into the language a practice and its regulator actually speak, and the stakes get concrete. In proportion, though, not in panic.
A medical practice holds health data, and UK GDPR treats that as a special category with extra protection.
The law wants “appropriate technical and organisational measures” around it, and you have to report a qualifying breach to the Information Commissioner’s Office within 72 hours.
NHS-linked practices also owe an annual return through the Data Security and Protection Toolkit.
For a sense of how the regulator thinks about weak controls, look at the £3.07m fine the ICO handed Advanced Computer Software Group in March 2025.
A ransomware attack reached its health and care data through an account with no multifactor authentication.
The ICO’s finding was about inadequate measures, the gaps in MFA, vulnerability scanning, and patching.
That said, Advanced is a large data processor, and a single medical practice is not.
A micro practice realistically faces an investigation, a reprimand, an order to fix the gaps, and reputational damage – not a seven-figure penalty.
But the regulator uses the same framing either way, inadequate technical and organisational measures.
That’s the part to take, not the headline number.
We’ll skip the usual scare stats. For grounded UK figures, see the government’s Cyber Security Breaches Survey, latest edition.
No need to import American enterprise breach costs or the long-debunked line that most small firms fold within six months.
The five controls that would have broken the chain
No single control beats this, and anyone selling you one is overselling. What works is layers, each aimed at a step in the chain.
Here’s the honest mapping, including where each layer stops.
Application control, through Windows Defender Application Control or AppLocker, stops the freshly compiled, unsigned loader from ever loading, and enforcing it also drops PowerShell into Constrained Language Mode, where Add-Type (the cmdlet that invokes csc.exe) is unavailable.
That breaks the chain at the compile step, before there's a loader at all. The NCSC, like Microsoft, recommends running AppLocker and WDAC together.
The cost is configuration effort, not a licence.
Constrained Language Mode engages automatically once you enforce application control. It disables Add-Type and direct calls into arbitrary .NET types, which is exactly what reflective, in-memory loaders depend on.
It would have starved this loader of the functions it needed. Script block logging would have shown you what PowerShell actually ran.
AMSI goes further: it lets your antivirus inspect script content as it runs and block it, though a capable loader can try to bypass it.
Either way, you’d have seen the activity instead of finding it weeks later.
Least privilege, and dropping the habit of running endpoints as SYSTEM by default, wouldn’t have stopped the foothold. It would have shrunk it.
No SYSTEM, no clear path to taking over the whole machine.
DNS filtering is the backstop. When prevention misses, it catches the beacon.
Not a hypothetical here. It’s what contained this incident.
What to check on your estate this week
This isn’t a summary. It’s a short list you can run on Monday.
- Check whether PowerShell’s execution policy is the only thing between your machines and arbitrary scripts, because if it is, nothing is.
- Check whether you enforce application control anywhere in your estate, or nowhere.
- Count how many endpoints run as SYSTEM by default.
- Confirm DNS filtering is switched on, and that someone actually reads what it blocks.
- Check whether the thing you call antivirus is real endpoint detection and response, or still just a library of mugshots.
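The same checks, plus the application-control and logging items from the previous section, can be read off a machine in one pass. The script below is an added example, not code from the report or its vendor. It only reads state: execution policy, WDAC and AppLocker enforcement, the session's language mode, the script block logging policy value, which PowerShell hosts are currently running as SYSTEM, and which resolvers each adapter points at (so "DNS filtering is on" can be checked against where queries actually go). The 'finding' wording and the idea of treating FullLanguage or "no enforced collections" as a gap are this example's own choices; run it in an elevated PowerShell session on a Windows 10 or later endpoint.

```powershell
# Added example: a read-only posture check for the Monday list and the control
# mapping above. Not from the original report. Windows 10+ and an elevated
# session are assumed; the gap markers ("<--") are this example's own judgement.

function Get-EndpointPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Execution policy. Whatever it says, it is not a security boundary
    #    (powershell.exe -ExecutionPolicy Bypass ignores it), so it is context only.
    $policies = Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }
    $findings.Add("ExecutionPolicy: $($policies -join ', ') (context only; not a control)")

    # 2. Application control. WDAC user-mode state comes from the DeviceGuard CIM
    #    class (0 = off, 1 = audit, 2 = enforced); AppLocker from the effective policy XML.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $wdacUser = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $findings.Add("WDAC user-mode enforcement: $wdacUser" + $(if ($wdacUser -ne 2) { '  <-- not enforced' }))

    [xml]$al = Get-AppLockerPolicy -Effective -Xml
    $enforced = @($al.AppLockerPolicy.RuleCollection |
        Where-Object { $_.EnforcementMode -eq 'Enabled' } |
        ForEach-Object { $_.Type })
    $findings.Add("AppLocker enforced collections: " +
        $(if ($enforced) { $enforced -join ', ' } else { 'none  <-- unsigned DLLs and scripts load freely' }))

    # 3. Language mode of this session. FullLanguage means Add-Type (which drives
    #    csc.exe) and arbitrary .NET calls are available to any script.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $findings.Add("PowerShell language mode: $mode" + $(if ($mode -eq 'FullLanguage') { '  <-- CLM not engaged' }))

    # 4. Script block logging, read from the policy registry value.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $findings.Add("Script block logging: " +
        $(if ($sbl.EnableScriptBlockLogging -eq 1) { 'on' } else { 'off  <-- no record of what PowerShell ran' }))

    # 5. PowerShell hosts running as SYSTEM right now (services, scheduled tasks, RMM agents).
    $systemHosts = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            if ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM') {
                "$($_.ProcessId): $($_.CommandLine)"
            }
        }
    $findings.Add("PowerShell hosts running as SYSTEM: $(@($systemHosts).Count)")
    $systemHosts | ForEach-Object { $findings.Add("    $_") }

    # 6. Which resolvers the box actually uses. If the adapter points past your
    #    filtering service, the beacon never passes through it.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ',')" }
    $findings.Add("DNS resolvers: $($dns -join ' | ')")

    $findings
}

Get-EndpointPosture
```

Run it from your RMM or a scheduled job and collect the output per host; the SYSTEM count and the language mode are the two lines that most directly map to what went wrong in this incident. Note that item 3 reports the language mode of the session running the script, so a FullLanguage result from an elevated admin session is only a gap if the same is true for ordinary users and for the agents that launch PowerShell on the box.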
The deeper shift is one of attention.
Most endpoint defence still watches the front door for files arriving. This attack never delivered one.
The attacker assembled the capability from tools already present. The only thing that crossed the wire was a quiet call home – once a minute – to a server that should never have been getting calls at all.
Stop watching only the front door.
Start watching what’s already inside, and what’s trying to get out.