Shadows in Native Code: The Rise of AOT Compilation in Modern .NET Malware

The landscape of malware development is experiencing a significant shift as threat actors increasingly leverage Ahead-of-Time (AOT) compilation, and in particular Native AOT, in .NET. Traditionally, .NET applications have been relatively straightforward to reverse engineer because they ship as intermediate language (IL) plus rich metadata, which preserves types, method names and much of the program structure. The growing adoption of Native AOT compilation, which transforms .NET code into a self-contained native executable with no IL to decompile, presents formidable new challenges for security researchers and malware analysts.

Our preliminary research indicates that approximately 75% of .NET AOT samples identified in the wild demonstrate malicious intent, suggesting this technique has been rapidly embraced by threat actors. AOT compilation effectively eliminates the Microsoft Intermediate Language (MSIL) layer, forcing analysts to work directly with native assembly code and significantly complicating the reverse engineering process. The technique serves as an emerging obfuscation strategy that requires minimal effort from malware authors (enabling it is a single project property, `<PublishAot>true</PublishAot>`, followed by `dotnet publish`) while providing substantial protection against analysis.

This paper examines the technical characteristics of AOT-compiled malware, presents methodologies for identifying and analyzing these samples, and explores the development of specialized tools to recover function signatures and type information. We demonstrate how traditional .NET analysis techniques, such as decompilers that depend on IL and metadata, fail against AOT-compiled binaries, and propose new approaches combining static and dynamic analysis to overcome these limitations. Furthermore, we discuss the security implications of Microsoft's continued enhancement of AOT capabilities in newer .NET versions, which inadvertently provides malware authors with increasingly sophisticated evasion techniques.

As AOT compilation becomes more accessible with each .NET release, understanding its security implications becomes critical for maintaining effective malware detection and analysis capabilities in the evolving threat landscape.

Sarang Popat Sonawane – CrowdStrike

Sarang Sonawane is a Security Researcher on CrowdStrike's Malware Research Team, with more than nine years of experience focused primarily on reverse engineering.

He has presented at security conferences including Black Hat MEA and AVAR. He also enjoys solving CTF challenges and has completed the Flare-On 9 and Flare-On 11 challenges.

Beyond his work in cybersecurity, Sarang thrives on the intellectual challenges of malware analysis. When not dissecting malicious code, he plays cricket and enjoys travelling to new destinations.