PixyNetLoader
PixyNetLoader is a DLL-based malware loader and previously undocumented dropper associated with APT28 (Fancy Bear/UAC-0001) and used in Operation Neusploit and related campaigns. It has been observed in the wild since at least December 2024, with multiple versions tracked through April 2026. Delivery is tied to malicious Microsoft Office/RTF or Word documents exploiting CVE-2026-21509, after which an initial dropper such as SimpleDropper installs PixyNetLoader.
Its role is to establish persistence and stage follow-on payloads, most notably a Covenant Grunt implant. Reported persistence and execution mechanisms include COM hijacking/COM persistence and scheduled tasks. In the ThreatLabz-described chain, PixyNetLoader drops SplashScreen.png to %programdata%\Microsoft OneDrive\setup\Cache\SplashScreen.png, a malicious EhStoreShell.dll to %programdata%\USOPublic\Data\User\EhStoreShell.dll, and office.xml to %temp%\Diagnostics\office.xml; hijacks CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} so explorer.exe loads the malicious DLL; and creates a temporary scheduled task named OneDriveHealth to restart explorer.exe and trigger execution. It has also been described as using DLL proxying and anti-analysis checks.
A core feature of PixyNetLoader is steganographic payload delivery. It drops or reads a companion PNG file and extracts hidden shellcode or an encrypted Covenant Grunt payload from the least significant bits of image pixels, then executes the payload directly in memory. The malicious EhStoreShell.dll is reported to run only in explorer.exe, proxy exports to the legitimate EhStorShell.dll, perform Sleep()-based anti-sandbox timing checks, decode shellcode from RGBA pixel bytes, allocate executable memory, and transfer execution to the extracted code. The shellcode then hosts the .NET CLR in memory and loads an embedded Covenant Grunt implant.
The resulting Covenant Grunt payload provides command-and-control capability and has been reported to use the Filen cloud service/API as its C2 channel. Campaign reporting links PixyNetLoader activity to targeting of government, military, public-sector, maritime, and transport organizations, especially in Ukraine and other Central and Eastern European countries including Slovakia and Romania. High-confidence indicators and hunting leads cited in the sources include the mutex asagdugughi41, the dropped filenames SplashScreen.png, EhStoreShell.dll, and office.xml, the scheduled task name OneDriveHealth, the COM CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}, unusual DLL COM registrations, PNG files in OneDrive cache paths, and outbound connections to the Filen cloud service.
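One way to turn the hunting leads above into a check over endpoint telemetry, as an added example that is not part of the original page: it scores constructed Sysmon-like events against the CLSID, task name, dropped filenames and mutex names given in the write-up (the event schema and the `check_event`/`hunt` names are assumptions), and shows that the legitimate EhStorShell.dll name does not trigger the EhStoreShell.dll lead.

```python
import re

# Hunting leads from the write-up above; every value is from the page, none are invented.
HIJACKED_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
TASK_NAME = "OneDriveHealth"
DROPPED = {"splashscreen.png", "ehstoreshell.dll", "office.xml"}  # EhStorShell.dll (no "e") is the legitimate DLL
MUTEXES = {"asagdugughi41", "adjgfenkbe", "dvyubgbqfusdv32"}
ONEDRIVE_CACHE_PNG = re.compile(r"\\Microsoft OneDrive\\setup\\Cache\\[^\\]+\.png$", re.IGNORECASE)


def _basename(path):  # lower-cased final path component, tolerant of either slash style
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return the hunting-lead labels one event matches (constructed Sysmon-like dict schema)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":  # COM hijack: InprocServer32 of the named CLSID pointing at the dropped DLL
        key = event.get("key", "").lower()
        if HIJACKED_CLSID.lower() in key and key.endswith("\\inprocserver32"):
            hits.append("com_hijack_clsid")
        if _basename(event.get("data", "")) in DROPPED:
            hits.append("dropped_file:" + _basename(event["data"]))
    elif kind == "process_create":  # schtasks /Create /tn "OneDriveHealth" /XML ...\office.xml
        cmd = event.get("cmdline", "").lower()
        if "schtasks" in cmd and TASK_NAME.lower() in cmd:
            hits.append("sched_task:" + TASK_NAME)
        hits += ["dropped_file:" + f for f in sorted(DROPPED) if f in cmd]
    elif kind == "file_create":  # dropped filenames and PNGs written into the OneDrive cache path
        path = event.get("path", "")
        if _basename(path) in DROPPED:
            hits.append("dropped_file:" + _basename(path))
        if ONEDRIVE_CACHE_PNG.search(path):
            hits.append("png_in_onedrive_cache")
    elif kind == "mutex" and event.get("name") in MUTEXES:
        hits.append("mutex:" + event["name"])
    return hits


def hunt(events):
    """Return [(event id, hits)] for every event that matches at least one lead."""
    return [(e["id"], h) for e in events if (h := check_event(e))]


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"id": 1, "type": "file_create", "path": r"C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png"},
    {"id": 2, "type": "registry_set", "data": r"C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll",
     "key": r"HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32"},
    {"id": 3, "type": "process_create", "cmdline": r'schtasks.exe /Create /tn "OneDriveHealth" /XML "C:\Users\u\AppData\Local\Temp\Diagnostics\office.xml"'},
    {"id": 4, "type": "mutex", "name": "asagdugughi41"},
    {"id": 5, "type": "file_create", "path": r"C:\Windows\System32\EhStorShell.dll"},  # legitimate name, must not fire
]
```

Running `hunt(SAMPLE_EVENTS)` flags events 1 to 4 and stays silent on the legitimate EhStorShell.dll write.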
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
PixyNetLoader is a DLL-based malware loader. It arrives via a malicious Office document that exploits CVE-2026-21509. After initial compromise, a dropper called SimpleDropper installs the loader with COM persistence and drops a companion PNG file alongside it. PixyNetLoader then reads the PNG file, extracts a Covenant Grunt payload from the image pixels, and executes it directly in memory.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
8 techniques
Executes the following command using the CreateProcess Windows API to set up a Windows scheduled task... schtasks.exe /Create /tn "OneDriveHealth" /XML "%temp%\Diagnostics\office.xml"
“%windir%\system32\cmd.exe /c (taskkill … explorer.exe) & (start explorer …) & (schtasks /delete …)”
It arrives via a malicious Office document that exploits CVE-2026-21509.
Uses COM object hijacking to establish persistence. EhStorShell.dll is the legitimate name for the Enhanced Storage Shell Extension DLL. By setting the Windows registry keys listed in the table below, PixyNetLoader ensures that the next-stage malicious shellcode loader DLL is loaded each time the explorer.exe process starts.
Persistence
3 techniques
Executes the following command using the CreateProcess Windows API to set up a Windows scheduled task... schtasks.exe /Create /tn "OneDriveHealth" /XML "%temp%\Diagnostics\office.xml"
Privilege Escalation
2 techniques
Stealth
9 techniques
retaining similar techniques, including ... (3) XOR string encryption techniques...
The technique, known as steganography, embeds encrypted shellcode into the least significant bits of image pixels — making detection far harder for traditional security tools.
All the embedded payloads are decrypted and dropped to the file system locations in the table below: %programdata%\Microsoft OneDrive\setup\Cache\SplashScreen.png ... %temp%\Diagnostics\office.xml
The loader embeds a secret that it hashes with SHA-256, performs a byte permutation, then derives an AES key via PBKDF2 HMAC SHA-256 with 20,000 iterations using a salt extracted from the PNG.
“Creates a mutex with the static name adjgfenkbe.” / “Creates a mutex with the name asagdugughi41.” / “Creates a mutex named dvyubgbqfusdv32.”
the loader only activates its malicious logic if the infected machine is not an analysis environment and when the host process that launched the DLL is "explorer.exe." The malware stays dormant if the conditions are not met.
Uses COM object hijacking to establish persistence. EhStorShell.dll is the legitimate name for the Enhanced Storage Shell Extension DLL. By setting the Windows registry keys listed in the table below, PixyNetLoader ensures that the next-stage malicious shellcode loader DLL is loaded each time the explorer.exe process starts.
Defense Impairment
1 technique
Discovery
1 technique
Command and Control
5 techniques
The Grunt payload uses the FILEN cloud service as its command-and-control channel.
CERT-UA said. "During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol..."
The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A DLL-based malware loader that uses steganography to hide encrypted payloads inside PNG image files, installs persistence via COM, extracts a Covenant Grunt payload from image pixel LSBs, and executes it in memory while using the FILEN cloud service for command-and-control.
A malware loader attributed to APT28 that exploits a Microsoft Office vulnerability to deliver a COVENANT Grunt implant.
A loader component used to deploy follow-on implants in the referenced Operation Neusploit activity.
Loader/dropper introduced by a second dropper DLL variant; uses steganography (PNG containing hidden shellcode) to deliver additional payloads and support follow-on compromise.