Cyber Security News

New .NET Malware Hides Lokibot Malware within PNG/BMP Files to Evade Detection

Cybersecurity threats continue to evolve with sophisticated evasion methods. A new .NET-based malware loader has emerged that demonstrates an advanced approach to concealing the notorious Lokibot trojan within image files.

This multi-stage payload delivery system uses steganography, a technique that embeds hidden data inside legitimate-looking files, making detection significantly more challenging for security tools and analysts.

The malware operates as a steganography loader capable of extracting and executing Lokibot from within PNG and BMP image files.

Security researchers have identified this threat as part of an expanding attack campaign targeting organizations globally.

The attacker leverages image file containers because antivirus software and email gateways often whitelist image files as safe, assuming they pose no risk.

This assumption has become a critical vulnerability in modern security infrastructure. The delivery mechanism typically involves phishing emails or compromised websites hosting the initial loader.

Another Variant of .NET Steganography Loader Execution Flow (Source – Splunk)

Once executed, the malware retrieves image files containing hidden Lokibot payloads from remote servers. The steganographic embedding process manipulates pixel data within the image files, specifically using RGB color channels to store encoded executable code.

This technique renders the images functionally intact while silently carrying malicious content. Splunk security researchers noted that the malware represents a significant shift in evasion strategy.

Traditional detection methods rely on identifying suspicious file signatures or behavioral patterns, but image-based steganography bypasses these defenses by hiding executables within files that appear innocuous.

The researchers discovered that the loader uses a custom decryption routine to extract the actual Lokibot payload after retrieval, adding another layer of obfuscation that delays analysis and detection.

Once deployed, Lokibot functions as an information stealer designed to harvest sensitive credentials and data from infected systems.

The malware targets browser histories, saved passwords, and application-specific authentication tokens, making it particularly dangerous for corporate environments where employees access multiple cloud services.

The Steganographic Embedding Mechanism

Understanding how the malware hides code within image files reveals the technical sophistication of this attack. The .NET loader contains embedded PNG and BMP files within its resource section.

These image files have been specifically crafted to contain the Lokibot payload encoded across multiple pixel values.

PixDig Extraction Tool (Source – Splunk)

The encoding process takes advantage of the ARGB color format, where each pixel contains alpha, red, green, and blue channel data.

Attackers manipulate these channel values to carry encoded bytes of the actual malicious executable. The process extracts individual pixel values, converts them to hexadecimal sequences, and reassembles these bytes into a complete PE module.

The resulting extracted file is typically a DLL, such as “captive.dll,” which serves as an intermediate stage that decrypts and executes the final Lokibot trojan.

This nested approach means security tools must unwrap multiple layers of encoding and encryption before they reach the actual threat.

The effectiveness of this technique lies in its ability to distribute malware using files that defeat content analysis, pass file-type validation checks, and slip past gateway filters built for traditional payload detection.
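The triage step a defender wants here is the inverse of the loader's read: pull the channel bytes back out of a suspect image and ask whether any layout of them starts with a DOS/PE header. As an added example that is neither the article's code, Splunk's PixDig, nor the loader itself, the following Python parses an uncompressed 32-bit BMP using only the standard library, rebuilds the byte streams a loader could read from the ARGB channels (raw memory order, each plane on its own, and RGB with the alpha byte dropped), and reports every stream that begins with an `MZ` header whose `e_lfanew` points at `PE\0\0`. The channel layouts tried, the `make_bmp32` and `embed_in_blue_plane` fixtures, and the non-executable `pe_like_stub` are assumptions constructed for the demo, not details from the Splunk analysis.

```python
"""Channel-stream PE scanner for 32-bit BMP images.

Added example, not code from the article, from Splunk or from the loader.
The BMP layout and the DOS/PE header fields are the documented formats; the
channel orderings tried and the fixtures at the bottom are assumptions.
"""
import struct

# e_lfanew: offset, inside the DOS header, of the pointer to "PE\0\0"
PE_OFFSET_FIELD = 0x3C


def bmp32_pixels(data: bytes):
    """Return (width, height, pixel_bytes) for an uncompressed 32-bit BMP.

    pixel_bytes is the raw BGRA stream exactly as stored in the file
    (rows are bottom-up unless the height field is negative).
    """
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    header_size = struct.unpack_from("<I", data, 14)[0]
    if header_size < 40:
        raise ValueError("unsupported BMP header")
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if bpp != 32 or compression not in (0, 3):  # BI_RGB or BI_BITFIELDS
        raise ValueError("only uncompressed 32-bit BMPs are handled here")
    row_bytes = width * 4  # 32 bpp rows are already 4-byte aligned
    pixels = data[pixel_offset:pixel_offset + row_bytes * abs(height)]
    return width, abs(height), pixels


def channel_streams(pixels: bytes):
    """Yield (label, byte_stream) for layouts a stego loader commonly reads:
    raw BGRA memory order, each channel as a separate plane, and RGB with
    the alpha byte dropped. (Assumed set of layouts, not taken from the report.)"""
    yield "raw_bgra", pixels
    for idx, name in enumerate("bgra"):
        yield f"plane_{name}", pixels[idx::4]
    rgb = bytearray()
    for i in range(0, len(pixels) - 3, 4):
        b, g, r = pixels[i], pixels[i + 1], pixels[i + 2]
        rgb += bytes((r, g, b))
    yield "rgb_no_alpha", bytes(rgb)


def find_pe_header(blob: bytes):
    """Return e_lfanew if blob starts with a plausible PE image, else None."""
    if len(blob) < PE_OFFSET_FIELD + 4 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, PE_OFFSET_FIELD)[0]
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def scan_bmp(data: bytes):
    """Return [(stream_label, e_lfanew), ...] for every channel layout that
    yields a PE header; an empty list means no hit."""
    _, _, pixels = bmp32_pixels(data)
    hits = []
    for label, stream in channel_streams(pixels):
        off = find_pe_header(stream)
        if off is not None:
            hits.append((label, off))
    return hits


# --- constructed fixtures so the scanner runs offline (not real malware) ---

def make_bmp32(pixels: bytes, width: int) -> bytes:
    """Wrap a BGRA pixel buffer in a minimal 54-byte BMP header."""
    height = len(pixels) // (width * 4)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0,
                       len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return file_hdr + info + pixels


def pe_like_stub() -> bytes:
    """128-byte blob carrying only what find_pe_header looks for: 'MZ', an
    e_lfanew of 0x40 and 'PE\\0\\0' at 0x40. It contains no code."""
    stub = bytearray(128)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, PE_OFFSET_FIELD, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


def embed_in_blue_plane(payload: bytes, width: int = 8) -> bytes:
    """Constructed fixture: one payload byte per pixel in the B channel of an
    otherwise-black image, one of the layouts channel_streams checks."""
    n_pixels = -(-len(payload) // width) * width  # round up to whole rows
    pixels = bytearray(n_pixels * 4)
    pixels[0::4] = payload.ljust(n_pixels, b"\0")
    return make_bmp32(bytes(pixels), width)


if __name__ == "__main__":
    # A gradient image yields no hit; the fixture lights up only in the B plane.
    print("clean image:", scan_bmp(make_bmp32(bytes(range(256)) * 4, 16)))
    print("stego image:", scan_bmp(embed_in_blue_plane(pe_like_stub())))
```

The same check applies to a PNG once its IDAT data has been inflated and the per-row filters undone, which is exactly the work a loader has to do before it can see the payload. This scanner only looks at offset 0 of each stream and ignores row order (BMP stores rows bottom-up), so a production triage tool would also try the top-down ordering and a column-major walk, search for the header at every offset in case the loader skips a length prefix, and treat a header hit as a reason to carve the stream out and run it through the usual PE checks rather than as proof on its own.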


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
