Inside the Shadows: APT Tactics Using MSC Files, Grim Resource Injection, and AppDomain Hijacking

As the cyber threat landscape evolves, so do the tactics employed by advanced persistent threats (APTs). With the increasing disablement of macros in Microsoft Office, threat actors have adapted, turning to new methods for malware delivery over recent years. Since early 2022, there has been a noticeable shift away from traditional macro-based attacks toward techniques involving ISO files, HTML smuggling, LNK files, and CHM files. Among these methods, the use of Microsoft Common Console (MSC) files remains underexplored yet has emerged as a powerful tool for malware delivery and persistence in Windows environments. Although initially limited in use, MSC files began gaining significant traction among threat actors in early 2024. Kimsuky was one of the first groups to incorporate MSC files into its campaigns, leveraging various techniques to target victims. Recently, Kimsuky expanded its MSC-based attacks by using Zoom-themed lures, incorporating the legitimate Zoom application to add credibility and increase engagement. Following Kimsuky’s example, other APT groups, including Mustang Panda, Earth Baxia, APT32 and APT Bitter, have adopted MSC files as part of their initial infection strategies. Some of these APTs combine novel methods like Grim Resource Injection and AppDomain Manager Hijacking to enhance the efficacy and stealth of their attacks.

These attacks, which use legitimate Windows subsystems and tools to deliver malicious payloads, pose significant challenges for detection. Traditional enterprise security solutions often focus on identifying the aftermath of these techniques, such as the loading of malicious code into legitimate Windows processes, rather than the techniques themselves.

Current EDR tools generally provide limited visibility into the full attack chain and tend to rely on known malicious payload signatures or newer detection methods, such as stack-based similarity hashing, to detect frameworks like Sliver, Cobalt Strike, and Metasploit. This technical deep dive will explore how APT groups are exploiting the hidden capabilities of MSC files to conduct stealthy, sophisticated attacks.

We’ll provide a timeline of MSC file adoption by various threat actors and examine the structure of weaponized MSC files, focusing on advanced techniques like Grim Resource Injection and AppDomain Manager Hijacking, which enable malicious code execution in .NET environments. Recent campaigns demonstrate how APTs are increasingly using these novel techniques to expand their toolsets and evade modern security controls. We’ll also discuss detection challenges, showcase a demo of these methods in action, and highlight their implications for current detection mechanisms.

Hossein Jazi – Fortinet

Hossein Jazi is a Senior Threat Intelligence Specialist at Fortinet, where he plays a key role as an active researcher with expertise in APT tracking, malware analysis, cyber threat intelligence, and AI security. His work focuses on identifying and monitoring APT activities, as well as publishing in-depth analyses of their operations.

Hossein was the first to identify and name the Evasive Panda and Lazy Scripter threat actors, and he has authored more than 50 blogs profiling various cyber adversaries. His current initiatives include developing proactive techniques to track threat actors, collaborating with partners to create advanced research tools, and leading efforts to disrupt and dismantle cybercriminal operations.

With a master’s degree in computer science and over 15 years of experience specializing in cybersecurity and APT analysis, Hossein continues to push the boundaries of threat research to make the digital world more secure.

Douglas Santos – Fortinet

With more than two decades of experience in the cybersecurity field, I possess a unique blend of sales soft skills and deep technical acumen, making me a well-rounded individual who is at ease working in both technical and non-technical environments. My keen understanding of the cyber threat landscape allows me to communicate potential threats and vulnerabilities, as well as complex security issues and possible countermeasures, to any audience with ease.

Currently, my focus is on developing innovative ways to advance the state of the art in cyber threat intelligence, while managing a team of researchers and engineers. Our goal is to identify new attack vectors and develop proactive intelligence to protect against them. To help me achieve this mission, I am driving our partnership with MITRE CTID and participating in projects that are augmenting the state of the art when it comes to threat intelligence standards, tools, and response. We are also deploying these tools and standards across Fortinet’s products and systems.

My vast experience, technical expertise, and communication skills have enabled me to excel in the cybersecurity industry, and I look forward to continuing to drive innovation and progress in this field.