
The Department of Information and Communications Technology (DICT) – Cybersecurity Bureau – CERT-PH has recently observed malicious activities targeting various government agencies, leveraging the Microsoft Build Engine (MSBuild) tool. This advisory provides guidelines on detecting, removing, and mitigating threats posed by the misuse of MSBuild.
What is MSBuild?
Microsoft Build Engine (MSBuild) is a tool used by developers to build applications. It is a part of the .NET Framework and is used to automate the process of compiling and deploying code. MSBuild executes a set of instructions defined in XML-based files known as project files, which specify how to compile and link code, manage dependencies, and package the final product. It is a legitimate and widely used tool in software development environments. However, it has been increasingly exploited by malicious actors to execute harmful code or payloads in the background without the user’s knowledge.
How to Detect If You Are Already a Victim
- Check for Suspicious Processes: open Task Manager and look for unexpected MSBuild.exe processes, or scheduled tasks that launch MSBuild.exe. Unusually high memory or CPU usage is one sign of anomalous activity.
- Inspect Event Logs: review the Windows Event Viewer for unusual activity involving MSBuild.exe, such as frequent launches with no legitimate build in progress or attempts to connect to unfamiliar external servers.
- Monitor Network Traffic: use network monitoring tools to identify unauthorized outbound connections from the system, particularly MSBuild.exe communicating with unknown IP addresses.
- Scan for Indicators of Compromise (IoCs): use up-to-date endpoint detection tools to scan for known IoCs linked to attacks that abuse MSBuild.
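As an added example (not part of the advisory), a PowerShell triage script that performs the checks above on a single host: it flags running MSBuild.exe processes by binary location, project-file location, parent process and established network connections, lists scheduled tasks that launch MSBuild, and pulls recent process-creation events. The trusted install roots and the list of parent processes that should never spawn a build are assumptions of this example, and the event query assumes process-creation auditing (Security event 4688) is enabled.

```powershell
# Added example (not from the CERT-PH advisory): triage MSBuild.exe on one Windows host.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later;
# the trusted-root and parent-process lists below are assumptions, not official values.
$TrustedRoots = @(   # install roots where Visual Studio and the .NET Framework place MSBuild.exe
    "$env:ProgramFiles\Microsoft Visual Studio\",
    "${env:ProgramFiles(x86)}\Microsoft Visual Studio\",
    "${env:ProgramFiles(x86)}\MSBuild\",
    "$env:windir\Microsoft.NET\Framework\",
    "$env:windir\Microsoft.NET\Framework64\"
)
# User-writable locations from which a developer build is not normally launched.
$SuspectDirs = @('\Temp\', '\AppData\', '\Downloads\', '\Users\Public\', '\ProgramData\')

function Test-SuspiciousMSBuild {
    param([string]$ExePath, [string]$CommandLine, [string]$ParentName)
    $reasons = @()
    # Binary copied or renamed outside the usual install roots.
    $trusted = $TrustedRoots | Where-Object { $ExePath -like "$_*" }
    if ($ExePath -and -not $trusted) { $reasons += "binary outside trusted roots: $ExePath" }
    # Project file argument sitting in a user-writable directory.
    foreach ($d in $SuspectDirs) {
        if ($CommandLine -match [regex]::Escape($d)) { $reasons += "project file under $d"; break }
    }
    # Parent that should never spawn a build (document, mail and script hosts).
    if ($ParentName -match '^(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$') {
        $reasons += "unusual parent process: $ParentName"
    }
    return $reasons
}

# 1. Running MSBuild processes, with their parent and any established outbound connections.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'MSBuild.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $why = @(Test-SuspiciousMSBuild -ExePath $p.ExecutablePath -CommandLine $p.CommandLine -ParentName $parent.Name)
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
    if ($conns) { $why += 'connected to: ' + (($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', ') }
    if ($why) { Write-Warning ("PID {0} (parent {1}): {2}`n  {3}" -f $p.ProcessId, $parent.Name, ($why -join '; '), $p.CommandLine) }
}

# 2. Scheduled tasks whose action launches MSBuild (a common persistence mechanism).
foreach ($t in Get-ScheduledTask) {
    $t.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'msbuild' } |
        ForEach-Object { Write-Warning "task $($t.TaskPath)$($t.TaskName) runs: $($_.Execute) $($_.Arguments)" }
}

# 3. Process-creation events from the last 7 days (Security 4688; needs process auditing enabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSBuild\.exe' } |
    ForEach-Object { "{0}  {1}" -f $_.TimeCreated, ((($_.Message -split "`r?`n") -match 'Process Name:|Command Line:' | ForEach-Object { $_.Trim() }) -join ' | ') }
```

A warning from any of the three sections is a lead for further investigation, not proof of compromise; developer workstations with Visual Studio installed will legitimately run MSBuild.exe from the trusted roots.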
How to Remove Malicious MSBuild Activities
- Terminate the Malicious Process: if you identify suspicious instances of MSBuild.exe, terminate those processes immediately.
- Uninstall Suspicious MSBuild Projects: check the system for unauthorized MSBuild projects that may have been added maliciously. Navigate to the directory where MSBuild projects are typically stored (e.g., "C:\Program Files (x86)\MSBuild") and remove any suspicious files or configurations.
- Use Trusted Security Software: run a full system scan with reputable endpoint detection tools, and keep the security software up-to-date so that it can detect and remove the latest threats.
- Restore from a Clean Backup: where possible, restore the system from a backup created before the infection, after verifying that the backup itself is not compromised.
How to Mitigate Future Threats
- Restrict MSBuild Access: limit execution of MSBuild to trusted developers and authorized personnel. Enforce strict user privileges so that only the accounts that need build tools can run them.
- Implement Application Whitelisting: use application whitelisting to block unauthorized execution of MSBuild and other potentially dangerous executables.
- Monitor and Audit System Activities: continuously monitor system activity, focusing on MSBuild usage and file access patterns that deviate from the norm, and audit logs regularly for signs of suspicious behavior.
- Apply Security Updates: keep all software, including the .NET Framework and Visual Studio, up-to-date with the latest security patches to reduce the vulnerabilities attackers can exploit.
- Conduct Security Awareness Training: educate staff about the risks of executing unknown scripts or build configurations, and raise awareness of phishing and other social engineering tactics attackers use to gain initial access.
Indicators of Compromise (IOCs)
* Additional IOCs will be supplied as new proof-of-concept instances are discovered.
SHA256 (source: HivePro)
Government agencies are encouraged to coordinate with the DICT for assistance, including scanning their systems to detect and address potential exploits related to MSBuild.
Meanwhile, CERT-PH remains committed to safeguarding national cybersecurity and encourages the public to report any suspicious cyber activity. If you believe you have been affected by an information stealer or any other cybersecurity incident, please contact CERT-PH immediately at [email protected] for assistance.
Stay vigilant, stay secure.