Abuse of Intel-Signed Utility via AppDomain Hijacking for Malware Execution

Abuse of Intel-Signed Utility via AppDomain Hijacking for Malware Execution
You are here:

EXECUTIVE SUMMARY

Attackers are exploiting a trusted Intel-signed utility using AppDomain hijacking to execute stealthy malware and bypass security controls. The attack leverages phishing-based delivery, .NET runtime manipulation, and in-memory execution techniques to evade detection. Unlike traditional exploits, this technique does not rely on software vulnerabilities but instead abuses trusted application behavior, making detection through conventional security controls more challenging.


This campaign highlights the increasing abuse of legitimate, signed software to achieve stealthy and persistent system compromise.

  • Active Region: Global
  • Affected Sector: government and enterprise targets
  • Affected Product: .NET-based applications and environments leveraging trusted signed executables (e.g., Intel utilities such as IAStorHelp.exe)
  • Severity: High
  • Published Date: April 20, 2026

TECHNICAL DETAILS

  • Target: The attack specifically targets Intel-signed utilities operating within the .NET framework, focusing on the application startup process and the .NET Common Language Runtime (CLR), where execution flow can be influenced before the legitimate application logic begins.
  • Root Cause: The issue arises from the abuse of the .NET AppDomainManager mechanism, where a specially crafted configuration file (.exe.config) is placed alongside the legitimate executable. This forces the CLR to load a malicious DLL during initialization, effectively hijacking execution flow without modifying the trusted binary. This technique bypasses……

Download the Report

Date

Share

Previous Reports