"The paper introduces a new method that enables an attacker to change the
.NET language, and to hide malicious code inside its core.
It covers various ways to develop rootkits for the .NET framework, so
that every EXE/DLL that runs on a modified Framework will behave
differently than what it's supposed to do. Code reviews will not detect
backdoors installed inside the Framework since the payload is not in the
code itself, but rather it is inside the Framework implementation.
Writing Framework rootkits will enable the attacker to install a reverse
shell inside the framework, to steal valuable information, to fixate
encryption keys, disable security checks and to perform other nasty
things as described in this paper."