A new wave of .NET-based malware is leveraging advanced steganographic techniques to stealthily embed and execute malicious payloads within bitmap resources of otherwise benign 32-bit applications.
This sophisticated approach, observed across several malspam campaigns from late 2024 to early 2025, demonstrates a growing threat to organizations in the financial and logistics sectors, particularly in regions such as Türkiye and Asia.
Attackers distributed more than 250 malicious emails, with the embedded malware tailored using filenames and email content specific to targeted organizations and relevant business processes, including procurement documents and transaction records.
Bitmap Steganography Meets .NET Obfuscation
The malware’s infection chain is distinctly multi-staged, capitalizing on the modularity and flexibility of the .NET framework.
The initial vector consists of a 32-bit .NET executable which embeds its primary stage of malicious code as a bitmap resource.
On execution, this bitmap is deobfuscated and loaded as a dynamic-link library (DLL), which subsequently unpacks additional bitmap resources, each concealing further loader assemblies.
This chained unpacking continues until the final stage, typically a remote access trojan such as Agent Tesla, Remcos RAT, or XLoader, is decrypted and executed on the host system.
Notably, the initial loader’s obfuscation strategies are multifaceted:
- Metadata and Control Flow Obfuscation: Class, method, and property names are manipulated to prevent static analysis, while execution paths are obfuscated through control flow flattening and opcode replacement.
- String Encryption and Dynamic Code Generation: Key strings are stored in encrypted form and decrypted at runtime; in parallel, malicious code is dynamically generated and executed via reflection.
- Resource Concealment via Steganography: Bitmap objects, seemingly innocuous, are used as covert delivery vehicles for hidden payloads, exploiting the .NET framework’s resource management mechanisms.
This combination of techniques not only evades signature-based detection but also impedes reverse engineering and static code analysis, thereby maximizing dwell time on infected systems.
Detailed Infection Workflow
The analyzed attack sequence begins when the user executes a tampered .NET application, such as a cloned Windows Forms OCR utility.
The malware’s MainForm class initializes the extraction of a bitmap resource (e.g., “sv”), which is then decoded to yield a first-stage loader DLL (TL.dll).
This component, devoid of its own embedded resources, utilizes reflection and further resource parsing to extract and execute a second bitmap-embedded DLL (Montero.dll), continuing the sequence.
Montero.dll itself contains an encrypted byte array, which, after decryption (using XOR with subtraction and a specific key), reveals the ultimate payload, commonly an Agent Tesla variant.
The decrypted binary is then injected and executed, often configured for post-infection data exfiltration through SMTP or HTTP-based command and control (C2) channels.
Concealing payloads in bitmap resources represents a formidable evasion tactic, allowing adversaries to bypass many conventional detection techniques.
According to the report, security analysts are advised to employ dynamic analysis strategies such as intercepting calls to the .NET ResourceManager and assembly loading APIs, facilitating on-the-fly resource extraction and inspection.
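As an added example (not code from the report or from the malware analyzed), the following Python triage check applies the resource-inspection idea above to bitmap resources once they have been extracted: it parses the BMP container, looks for a PE image stored in the clear in the pixel array, and otherwise falls back to a Shannon entropy measure, since the chain described above stores its payloads obfuscated rather than as raw executables. The 7.0 bits-per-byte threshold and the `make_bmp` sample builder are assumptions for illustration; all input is constructed inline.

```python
import math
import struct
from collections import Counter

def bmp_pixel_data(blob: bytes) -> bytes:
    """Return the pixel array of a BMP; bfOffBits at file offset 10 says where it starts."""
    if len(blob) < 14 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", blob, 10)[0]
    if off_bits > len(blob):
        raise ValueError("pixel data offset beyond end of file")
    return blob[off_bits:]

def find_pe_header(data: bytes) -> int:
    """Offset of a cleartext PE image (MZ whose e_lfanew points at 'PE\\0\\0'), or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: flat, image-like data scores low, encrypted data approaches 8.0."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_bitmap(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Classify one bitmap resource pulled from a .NET assembly (threshold is a heuristic)."""
    pixels = bmp_pixel_data(blob)
    pe_off = find_pe_header(pixels)
    ent = shannon_entropy(pixels)
    if pe_off != -1:
        verdict = "embedded-pe"        # a PE image stored in the clear
    elif ent >= entropy_threshold:
        verdict = "high-entropy"       # consistent with an XOR/encrypted payload, as in this chain
    else:
        verdict = "benign-looking"
    return {"verdict": verdict, "pe_offset": pe_off, "entropy": round(ent, 2)}

def make_bmp(pixels: bytes, width: int = 1) -> bytes:
    """Constructed sample builder: a 24-bit BMP (54-byte header) wrapping an arbitrary pixel array."""
    height = max(1, len(pixels) // (3 * width))
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels
```

A real triage run would feed every bitmap pulled from the assembly's .resources sections through `triage_bitmap` and flag anything that is not benign-looking for closer inspection.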
Advanced threat protection tools, such as updated behavioral analysis and endpoint detection solutions, are crucial in mitigating this threat.
Palo Alto Networks and peer organizations continue to update detection rules and share threat intelligence across platforms like the Cyber Threat Alliance, ensuring broad community defense.
Indicators of Compromise (IOC)