Recently there has been an attempt by hackers to trouble the security researchers. The search engine on searching for the debugger brings out options of dnspy possessed with trojans. The links for downloading dnspy have been reportedly removed but has not helped much.
According to Malwarehunter, the threat actors behind this not only put a seo’d version out there but also created a look alike website and GitHub repo. The trojanized version if runs it will in turn run millions of other malicious skidware commands and will drop cocktail malware on the researcher’s system.
These malicious commands run by “dnSpyPlus.exe” loaded in the memory. This is confused with “CarbonBlackEncrypt” which is similar to “ConfuserEx”.
The trojanized debugger will first run as expected, open .Net executables, decompile them and start the debugging process but simultaneously run commands to disable Microsoft Defender, download Curl.exe, disable UAC and download various payloads to the trash folder and download them.
So, if you search for dnspy in recent times without an ad blocker, you might end up downloading the modified version, the first result is an ad for https://www.dnspy[.]net/ . These are not only limited to Google search engines but Bing, Yahoo, Avol, Ask and others too.
For Researchers looking for the debugger, don’t search them online. Use the link provided in the Twitter link by Malwarehunter and avoid being affected.