Malware Delivery via Image-Based Payload Hiding and Reused Steganographic Media
Security researchers reported multiple malware delivery chains that hide or embed executable payloads inside image files to evade detection. Veracode analyzed a malicious typosquatted NPM package, buildrunner-dev, that uses a postinstall hook to run init.js, which downloads an obfuscated batch script (packageloader.bat) from a Codeberg repository. The batch script ultimately retrieves PNG images hosted on a free image service and extracts hidden data from RGB pixel values (steganography), leading to a loader with process hollowing, encrypted payload handling, AMSI bypass, and per-AV evasion logic, culminating in deployment of the Pulsar .NET RAT.
Separately, SANS ISC documented a phishing/malspam-style infection chain starting from an Excel attachment exploiting CVE-2017-11882 (Equation Editor), which downloads an HTA that launches PowerShell to fetch a PNG (optimized_MSI.png) containing a Base64-encoded .NET payload delimited by BaseStart- and -BaseEnd tags. The handler noted reuse of the same image across campaigns, used VirusTotal similarity searches to identify many related samples, and produced a YARA rule to track the technique. Kaspersky’s write-up on Arkanix Stealer describes a MaaS stealer ecosystem (C++ and Python variants, ChromElevator usage, and broad credential/crypto theft) but does not center on image-based payload hiding, making it a separate topic from the image-steganography delivery chains described by Veracode and SANS ISC.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers link npm package chain to Pulsar RAT delivery
Analysis showed the steganographic PNGs delivered an AMSI-bypass PowerShell script and a GZip-compressed .NET loader that performed process hollowing, AMSI bypasses, and per-AV persistence logic. The loader then downloaded a third PNG, decrypted and decompressed it, and reflectively loaded the final payload: the open-source Pulsar RAT.
Malicious npm package 'buildrunner-dev' identified as Windows malware dropper
Veracode reported that the npm package "buildrunner-dev," a typosquat of abandoned "buildrunner" and "build-runner" packages, used a postinstall script to launch a multi-stage Windows malware chain. The package downloaded an obfuscated batch script, established persistence, used a fodhelper.exe UAC bypass, and retrieved steganographic PNGs from ImgBB to extract hidden payloads.
New campaign observed exploiting CVE-2017-11882 to deliver image-hidden malware
Researchers observed a campaign beginning with a malicious Excel attachment exploiting Microsoft Equation Editor flaw CVE-2017-11882 to fetch an HTA, which launched PowerShell to retrieve an image-hosted payload. The extracted final stage was a .NET binary, and associated infrastructure, hashes, and a YARA rule were identified to track related samples.
Related malware campaign uses image-hosted Base64 payloads
A prior malware campaign used a multi-stage infection chain in which the final .NET payload was hidden inside a JPEG/PNG image as Base64 data between "BaseStart-" and "-BaseEnd" markers. Researchers later noted the same image and embedding technique was reused in a newer campaign.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
A Malicious NPM Package Hides .NET Malware Inside Images
veracode.com
Open sourceTracking Malware Campaigns With Reused Material - SANS ISC
isc.sans.edu
Open sourceFrom Pixels to Payloads: Understanding Malicious PNG Files
reversethemalware.blogspot.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vidar Infostealer Uses JPEG/TXT Payload Hiding and Fake Software Lures
Researchers reported that updated **Vidar** infostealer campaigns are using steganography, fileless execution, and social-engineering lures to evade detection and steal corporate and consumer data. Point Wild and Intrinsec found infections delivered through fake GitHub repositories, compromised WordPress sites showing **ClickFix**-style fake CAPTCHA prompts, gaming cheat posts on Reddit and Discord, and bogus software promoted in YouTube videos and hosted on services such as Mediafire. In one chain, a fake tool named **NeoHub** dropped a malicious DLL disguised as a Microsoft Edge component and signed with counterfeit certificates impersonating GitHub and grow.com. The malware uses VBScript, obfuscated PowerShell, a Go-based loader, and trusted Windows binaries including `WScript`, `PowerShell`, and `RegAsm.exe` to fetch apparently harmless JPEG and TXT files that contain hidden Base64-encoded second-stage payloads, then reconstructs and executes them entirely in memory through .NET reflective loading. Researchers said Vidar now operates as a **Malware-as-a-Service** offering, uses Telegram and Dead Drop Resolver techniques via public Steam profiles to locate command-and-control infrastructure, and exfiltrates credentials, cookies, payment data, cryptocurrency wallet files, and information from more than 200 browser extensions, often through Telegram and Cloudflare-fronted domains to mask attacker activity.
May 11, 2026
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
Mar 21, 2026
Malware Delivery via Deceptive Distribution and Evasion Techniques
Threat researchers reported multiple active campaigns focused on **stealthy malware delivery** by abusing trusted execution paths and deceptive distribution. Trellix described attackers using **DLL side-loading** against a legitimate, signed `ahost.exe` binary associated with the *c-ares* ecosystem (commonly seen with GitKraken Desktop) by placing a malicious `libcares-2.dll` alongside the executable to trigger search-order hijacking and execute attacker code. The activity was linked to delivery of commodity malware families including **Agent Tesla, Formbook, Remcos RAT, Quasar RAT, DCRat, XWorm, Vidar Stealer, Lumma Stealer, CryptBot**, and others, with targeting observed across business functions (finance, procurement, supply chain, administration) and lures in multiple languages, suggesting regionally focused operations. Separately, Malwarebytes documented a **fake RustDesk download site** (`rustdesk[.]work`) that installs legitimate RustDesk while silently deploying a persistent backdoor framework (**Winos4.0**) via a trojanized installer (e.g., `rustdesk-1.4.4-x86_64.exe`), relying on user deception rather than exploiting a software vulnerability. Sucuri detailed a WordPress compromise where attackers modified `index.php` to perform **selective content injection/SEO cloaking**, using IP-verified logic with hardcoded **Google ASN CIDR ranges** to serve malicious content to Googlebot while showing normal content to human visitors and site owners—an evasion technique that can facilitate downstream malware distribution while reducing the chance of detection.
Mar 21, 2026