GhostPulse IDAT Steganography Delivers DeerStealer and Rhadamanthys via DLL Sideloading
Breakglass Intelligence reported two malware delivery chains using GhostPulse to hide infostealer payloads inside fake PNG IDAT chunks and execute them through DLL sideloading with legitimate software. In one case, a 12.6 MB MSI installer dropped files into %LOCALAPPDATA%\Coz\ and abused the EV-signed iMyFone Feedback binary Utils.exe by replacing Qt5Network.dll with a trojanized loader that parsed 752 headerless IDAT chunks from concealed files to recover a DeerStealer payload and encrypted configuration. DeerStealer was described as a malware-as-a-service offering with tiers from $200 to $3,000 per month, supporting credential theft, browser and wallet targeting, hidden VNC, keylogging, clipper functions, and SmartScreen bypass.
A second intrusion chain tied to the broader ShadowLadder campaign used a trojanized KMS activator distributed through a piracy-themed site and Box.com to install files under %LocalAppData%\Eyalet\, launch a legitimate Zoner Photo Studio binary, and sideload a malicious sciter32.dll that extracted encrypted content from local files using 238 fake IDAT chunks before deploying Rhadamanthys. Researchers linked ShadowLadder to at least 35 samples used to spread multiple malware families, including Rhadamanthys, HijackLoader, ACRStealer, DeerStealer, and PeakLight, and identified infrastructure overlaps, Cloudflare-hosted domains, and OPSEC failures that point with medium confidence to a South Asian, possibly Indian, operator.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Breakglass publishes AgentTesla process-hollowing analysis
On March 12, 2026, Breakglass released a technical report on the observed AgentTesla campaign, detailing its JScript-to-PowerShell-to-.NET infection chain, persistence mechanisms, process hollowing, and SMTP exfiltration setup. The report assessed the operator as likely financially motivated and moderately sophisticated.
Breakglass publishes ShadowLadder and Rhadamanthys steganography findings
On March 12, 2026, Breakglass published analysis of a trojanized KMS activator MSI delivering Rhadamanthys through a GhostPulse-style IDAT steganography chain and DLL sideloading. The report also tied the sample to the longer-running ShadowLadder campaign and described infrastructure and attribution clues.
Breakglass publishes technical analysis of GhostPulse DeerStealer delivery
On March 12, 2026, Breakglass published analysis of a GhostPulse loader that used DLL sideloading through an EV-signed iMyFone binary and concealed DeerStealer in 752 headerless IDAT chunks. The report documented the technique shift away from normal PNG-header-based steganography and shared hashes, infrastructure indicators, ATT&CK mappings, and defensive guidance.
AgentTesla multi-stage phishing chain is first observed
A four-stage AgentTesla delivery chain was first observed on March 12, 2026 using a spear-phishing attachment named "new order WKB25050933.js" disguised as a purchase order. The infection used obfuscated JScript, PowerShell, and a .NET loader to hollow Aspnet_compiler.exe and run AgentTesla, with SMTP exfiltration to mail.cottondreams.org.
GhostPulse DeerStealer sample is first observed
A DeerStealer infostealer sample using GhostPulse-style delivery was first seen on March 10, 2026 after being uploaded from Sweden. The MSI installed files under %LOCALAPPDATA%\Coz\ and hid the payload in 752 headless PNG-style IDAT chunks with a separate encrypted configuration blob.
GhostPulse DeerStealer MSI installer is built with WiX
A DeerStealer-delivering MSI installer named RVJVAUQL.msi was built on March 4, 2026 using WiX Toolset 4.0.0.0. The installer later deployed a GhostPulse loader via DLL sideloading against the legitimate iMyFone Feedback binary Utils.exe.
ShadowLadder campaign activity continues through November 2025
The reported ShadowLadder activity spanned at least 35 samples through November 2025, with infrastructure tied to multiple domains, Cloudflare accounts, and hosting providers. OPSEC failures in the infrastructure supported a medium-confidence assessment of a South Asian, possibly Indian, operator.
ShadowLadder campaign begins distributing malware via trojanized installers
Breakglass assessed the broader ShadowLadder campaign as operating from September 2024, using piracy-themed lures and trojanized MSI installers to distribute multiple malware families including Rhadamanthys, HijackLoader, ACRStealer, DeerStealer, and PeakLight.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
AgentTesla - Multi-Stage JScript Dropper with Process Hollowing - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceGhostPulse Hides DeerStealer in 752 Headless IDAT Chunks: PNG Steganography Without a PNG, DLL Sideloading via iMyFone, and a $3,000/Month MaaS Empire - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceShadowLadder Unmasked: GhostPulse IDAT Steganography Delivers Rhadamanthys via Trojanized KMS Activators - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DeerStealer Delivered via Fake Password Manager in Malicious WiX Burn Installer
A malicious WiX Burn bootstrapper branded as **"Antonomasia"** and signed to appear as publisher **"Cyme"** was used to deliver the **DeerStealer** malware-as-a-service infostealer while showing victims a legitimate copy of **Active@ Password Changer** as a decoy. Analysis found the bundle extracted 15 files from an embedded CAB archive, with the malicious chain centered on `Bichromate.dll`, an AES-CBC-encrypted payload stored as `jri`, and an XOR-obfuscated C2 configuration in `yodpxub`. `Bichromate.dll` masqueraded as Adobe's `CCMNative.dll` by repurposing Adobe Generic Download Engine code, then decrypted the configuration and payload and launched DeerStealer entirely in memory to reduce on-disk artifacts. Once executed, DeerStealer harvested credentials, cookies, browser session data, messaging and VPN information, FTP configurations, screenshots, and clipboard contents, while also targeting more than 50 browsers, over 14 cryptocurrency wallets, and roughly 800 browser extensions. The malware also enabled hidden VNC access and keylogging, and established persistence through an `HKCU\Run` key named `AppVTemplate` and scheduled tasks including `zceWriter`, `dyApp`, and `Pluginsecurity_dbg`. It communicated over HTTPS with Cloudflare-fronted command-and-control domains including `telluricaphelion[.]com` and `loadinnnhr[.]today`, and researchers assessed the operation as a social-engineering campaign likely spread through malvertising by an affiliate in the Rugmi/DeerStealer ecosystem.
May 24, 2026
Malware Delivery via Image-Based Payload Hiding and Reused Steganographic Media
Security researchers reported multiple malware delivery chains that **hide or embed executable payloads inside image files** to evade detection. Veracode analyzed a malicious typosquatted NPM package, `buildrunner-dev`, that uses a `postinstall` hook to run `init.js`, which downloads an obfuscated batch script (`packageloader.bat`) from a Codeberg repository. The batch script ultimately retrieves PNG images hosted on a free image service and extracts hidden data from RGB pixel values (steganography), leading to a loader with **process hollowing**, **encrypted payload handling**, **AMSI bypass**, and per-AV evasion logic, culminating in deployment of the **Pulsar .NET RAT**. Separately, SANS ISC documented a phishing/malspam-style infection chain starting from an Excel attachment exploiting **CVE-2017-11882** (Equation Editor), which downloads an HTA that launches PowerShell to fetch a PNG (`optimized_MSI.png`) containing a Base64-encoded .NET payload delimited by `BaseStart-` and `-BaseEnd` tags. The handler noted **reuse of the same image across campaigns**, used VirusTotal similarity searches to identify many related samples, and produced a YARA rule to track the technique. Kaspersky’s write-up on **Arkanix Stealer** describes a MaaS stealer ecosystem (C++ and Python variants, ChromElevator usage, and broad credential/crypto theft) but does not center on image-based payload hiding, making it a separate topic from the image-steganography delivery chains described by Veracode and SANS ISC.
Mar 21, 2026
Multi-stage loaders use DLL sideloading and signed binaries to hide final payloads
Researchers detailed two separate malware chains that rely on deeply layered staging, DLL sideloading, and trusted signed software to conceal execution. One campaign, dubbed **Eimeria**, starts from a `RAR5` archive containing the signed `dsclock.exe`, a malicious `zlibwapi.dll`, and an encrypted payload that decrypts into an IExpress package and then an AutoIt-based RunPE loader. The chain restores `ntdll.dll` to evade EDR hooks, decrypts later stages with `AES-128-CBC`, `RC4`, and `LZNT1`, hollows `explorer.exe`, `svchost.exe`, or `taskhostw.exe`, and injects a small .NET RAT that beacons over WebSocket to `94.26.90.139:3006`. It also sets persistence through a Run key and scheduled task and uses delays, sleep checks, and CPU and memory stress tests to frustrate analysis. A second intrusion set tied to **UAC-0184 / MB-0007** used Ukraine-themed lures and messenger delivery to target Ukrainian Defense Forces personnel, beginning with `LNK` files that called `bitsadmin` to fetch `HTA` content from `169.40.135.35` for execution via `mshta`. The downloaded archive abused legitimate Plane9 components for sideloading through `Cluster-Overlay64.exe`, `Plane9Engine.dll`, and `openvr_api.dll`, then decoded `kernel-diag.lib` into `evr.dll` and unpacked `filter.bin` by rebuilding `IDAT` chunks, XOR-decoding with key `0x227E9BDE`, and decompressing with `LZNT1`. The final bundle included signed utilities such as Microsoft-signed `VSLauncher.exe` and a renamed PassMark Endpoint DLL, indicating the actor likely repurposed a signed network stack and dump-capable tooling for covert internal communications, with controller details possibly discovered dynamically over multicast `224.0.0.255:31339` and TCP `31339` rather than a fixed external C2.
May 18, 2026