name: Masqueraded MSBuild Execution from Windows Startup Folder Analytic
signatureid: TELNYX2
category: 'Persistence'
threatname: 'Boot or Logon Autostart Execution: Startup Folder'
functionality: 'Endpoint Management Systems'
description: |
  Detects execution of msbuild.exe from the Windows Startup folder, a persistence mechanism
  used by the TeamPCP Telnyx supply chain malware. The legitimate Microsoft Build Engine (msbuild.exe)
  resides under C:\Windows\Microsoft.NET\ or inside a Visual Studio / Build Tools installation and is
  never present in a user's Startup directory. The TeamPCP malware extracts a PE binary hidden in a
  WAV audio file (hangup.wav) via steganography and writes it to
  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe, so it is relaunched at every
  logon and survives reboots. The dropped binary is a MinGW-compiled x86_64 PE that performs process
  hollowing into dllhost.exe. The rule also detects the companion lock file (msbuild.exe.lock), which
  the malware creates with the hidden attribute to implement a 12-hour re-download cooldown. Note that
  the lock-file selection matches the attrib +h command line, so it only fires when the attribute is
  set by spawning attrib.exe; if the attribute is set through a direct file-attribute API call there is
  no process-creation event and only the first two selections apply.
reference:
  - https://safedep.io/malicious-telnyx-pypi-compromise/
  - https://www.stepsecurity.io/blog/teampcp-plants-wav-steganography-credential-stealer-in-telnyx-pypi-package
  - https://www.ox.security/blog/telnyx-malware-teampcp-strikes-again-following-litellm-compromise/
labels:
  - attack.persistence
  - attack.defense_evasion
  - attack.t1547.001
  - attack.t1036.005
  - TeamPCP
  - Telnyx
  - Supply Chain Attack
logsource:
  category: process_creation
  product: windows
detection:
  selection_msbuild_startup:
    Image|endswith: '\msbuild.exe'
    Image|contains:
      - '\Start Menu\Programs\Startup\'
      - '\AppData\Roaming\Microsoft\Windows\Start Menu\'
  selection_msbuild_spawn_dllhost:
    ParentImage|endswith: '\msbuild.exe'
    ParentImage|contains: '\Start Menu\Programs\Startup\'
    Image|endswith: '\dllhost.exe'
  selection_lock_file:
    ChildProcessCommandLine|contains|all:
      - 'attrib'
      - '+h'
      - 'msbuild.exe.lock'
  condition: selection_msbuild_startup or selection_msbuild_spawn_dllhost or selection_lock_file
criticality: Critical
saveasthreat: true
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
  level2_metadata_attributes:
TECHNICAL DETAILS:
TeamPCP Windows attack chain from hangup.wav:
1. Malicious telnyx package calls setup() on import
2. Downloads hangup.wav from hxxp://83[.]142[.]209[.]203:8080/hangup.wav
3. WAV steganography: base64 decode → XOR decrypt (key: ac9d62deea7bddb0) → PE binary
4. Writes PE to: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe
5. Creates hidden lock file: msbuild.exe.lock (12-hour cooldown via attrib +h)
6. Launches with CREATE_NO_WINDOW (0x08000000) — no visible console
7. PE loads embedded PNG steganography, extracts shellcode from RGB pixel data
8. Process hollowing into C:\Windows\System32\dllhost.exe
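The three selections of the rule above, run over constructed Sysmon-style process-creation events that mirror steps 4 to 8 of this chain, plus two benign controls (a framework MSBuild started by Visual Studio and an ordinary COM surrogate dllhost.exe). This is an added example, not code from the rule or from the referenced write-ups; the event dictionaries, the user name and the python.exe path are constructed, and the rule's ChildProcessCommandLine field is assumed to carry the same value as Sysmon's CommandLine.

```python
# Evaluate the rule's three selections over constructed process-creation events.
# Sigma string modifiers are case-insensitive, so all comparisons use lower case.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
START_MENU_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\"


def _field(event, name):
    return str(event.get(name, "")).lower()


def selection_msbuild_startup(event):
    """Image ends with \\msbuild.exe AND lives under one of the two Start Menu paths."""
    image = _field(event, "Image")
    return image.endswith("\\msbuild.exe") and (
        STARTUP_DIR in image or START_MENU_DIR in image
    )


def selection_msbuild_spawn_dllhost(event):
    """dllhost.exe whose parent is an msbuild.exe in the Startup folder (the hollowing step)."""
    parent = _field(event, "ParentImage")
    return (
        parent.endswith("\\msbuild.exe")
        and STARTUP_DIR in parent
        and _field(event, "Image").endswith("\\dllhost.exe")
    )


def selection_lock_file(event):
    """attrib +h on msbuild.exe.lock. The rule names the field ChildProcessCommandLine;
    Sysmon Event ID 1 calls the same value CommandLine, so both are accepted (assumption)."""
    cmd = _field(event, "ChildProcessCommandLine") or _field(event, "CommandLine")
    return all(token in cmd for token in ("attrib", "+h", "msbuild.exe.lock"))


SELECTIONS = {
    "selection_msbuild_startup": selection_msbuild_startup,
    "selection_msbuild_spawn_dllhost": selection_msbuild_spawn_dllhost,
    "selection_lock_file": selection_lock_file,
}


def evaluate(event):
    """Names of the selections an event satisfies; the condition is an OR, so any hit alerts."""
    return [name for name, fn in SELECTIONS.items() if fn(event)]


# Constructed events (not real telemetry) following the chain above.
USER_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
PYTHON = "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe"
SAMPLE_EVENTS = [
    {  # benign: framework MSBuild launched by Visual Studio
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
        "CommandLine": "MSBuild.exe App.sln /t:Build",
    },
    {  # step 5: lock file hidden with attrib, spawned by the importing python process
        "Image": "C:\\Windows\\System32\\attrib.exe",
        "ParentImage": PYTHON,
        "CommandLine": 'attrib +h "' + USER_STARTUP + 'msbuild.exe.lock"',
    },
    {  # step 6: dropped PE launched from the Startup folder
        "Image": USER_STARTUP + "msbuild.exe",
        "ParentImage": PYTHON,
        "CommandLine": USER_STARTUP + "msbuild.exe",
    },
    {  # step 8: hollowed dllhost.exe parented by the dropped binary
        "Image": "C:\\Windows\\System32\\dllhost.exe",
        "ParentImage": USER_STARTUP + "msbuild.exe",
        "CommandLine": "C:\\Windows\\System32\\dllhost.exe",
    },
    {  # benign: ordinary COM surrogate started by svchost
        "Image": "C:\\Windows\\System32\\dllhost.exe",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "C:\\Windows\\system32\\DllHost.exe",
    },
]


def alerts(events=SAMPLE_EVENTS):
    """(index, matched selections) for every event that trips the rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for idx, hits in alerts():
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

The lock-file event (index 1) is caught only because attrib.exe is spawned; the same hidden attribute set via SetFileAttributes would leave nothing for selection_lock_file, which is why the other two selections carry the rule.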
Extracted PE characteristics:
SHA256: a0a8857e8a65c05778cf6068ad4c05ec9b6808990ae1427e932d2989754c59a4
Compiler: GCC (GNU) 13/14-win32 (MinGW-w64)
Compile time: 2026-03-27 04:38:48 UTC
Subsystem: WINDOWS_GUI
9 sections, .data at 153KB/entropy 6.73 (embedded PNG stego)
Legitimate msbuild.exe locations:
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
- C:\Program Files\Microsoft Visual Studio\*\*\MSBuild\Current\Bin\MSBuild.exe (VS 2022 and later; 64-bit build also ships Bin\amd64\MSBuild.exe)
- C:\Program Files (x86)\Microsoft Visual Studio\*\*\MSBuild\Current\Bin\MSBuild.exe (VS 2019 and the Build Tools installers)
Any msbuild.exe in the Startup folder is definitively malicious.
False Positives: None expected. msbuild.exe in Startup is never legitimate.
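An on-host triage routine for the Startup folder, as an added example that is not part of the rule or the referenced analyses: it hashes any PE found there against the SHA256 quoted in the PE characteristics above, flags msbuild.exe regardless of hash (the location alone is decisive), and reports the age of msbuild.exe.lock against the 12-hour cooldown from step 5. The folder path is a parameter so the same function runs against a live profile, a mounted image, or the constructed folder built by build_sample_folder(); the fake PE bytes and the shortcut file in that folder are constructed test data, not real malware.

```python
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path

# Only known-bad hash on this page (extracted PE from hangup.wav).
KNOWN_BAD_SHA256 = {
    "a0a8857e8a65c05778cf6068ad4c05ec9b6808990ae1427e932d2989754c59a4",
}
LOCK_COOLDOWN_SECONDS = 12 * 60 * 60
# Per-user Startup folder on a live Windows host (the path the malware writes to).
DEFAULT_STARTUP = (
    Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
    / "Start Menu" / "Programs" / "Startup"
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """A PE image starts with the DOS 'MZ' signature, whatever its extension says."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def is_hidden(path):
    """Hidden attribute; st_file_attributes exists only on Windows, so elsewhere
    the answer is None rather than a guess."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage_startup(folder=DEFAULT_STARTUP, now=None):
    """Return findings for every PE and every msbuild.exe.lock in the folder."""
    folder = Path(folder)
    now = time.time() if now is None else now
    findings = []
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name == "msbuild.exe.lock":
            age = now - entry.stat().st_mtime
            findings.append({
                "artifact": entry.name,
                "hidden": is_hidden(entry),
                "age_seconds": age,
                # a lock younger than 12 h means the loader would skip re-downloading hangup.wav
                "cooldown_active": age < LOCK_COOLDOWN_SECONDS,
            })
        elif is_pe(entry):
            digest = sha256_file(entry)
            findings.append({
                "artifact": entry.name,
                "sha256": digest,
                "known_bad": digest in KNOWN_BAD_SHA256,
                # any PE in Startup deserves a look; msbuild.exe here is never legitimate
                "verdict": "malicious" if name == "msbuild.exe" else "suspicious",
            })
    return findings


def build_sample_folder(base):
    """Constructed stand-in for a compromised Startup folder: a fake MZ/PE stub,
    a benign-looking shortcut, and a lock file aged 13 hours."""
    folder = Path(base)
    (folder / "msbuild.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 60)
    (folder / "Calculator.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 16)
    lock = folder / "msbuild.exe.lock"
    lock.write_bytes(b"")
    old = time.time() - 13 * 60 * 60
    os.utime(lock, (old, old))
    return folder


def demo():
    """Run the triage against the constructed folder and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_startup(build_sample_folder(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hash mismatch does not clear the file: the verdict for msbuild.exe is driven by its location, and the known-bad set only tells you whether you are looking at the exact sample described above or a rebuilt one.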
Policy building walkthrough can be found in this previous post:
