Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
17 distinct techniques documented for this family, organized by ATT&CK tactic.
The JavaScript file extracted from the archive... The invoked PowerShell also uses the -w hidden flag...
It then launches conhost.exe in headless mode to hide malicious activity. The invoked PowerShell also uses the -w hidden flag to hide the PowerShell window.
The extracted JavaScript stores malicious commands in process environment variables (which are also filled with garbled text and multilingual comments as obfuscation)
the image file uses steganography to conceal data within the picture and uses “iTXt” and “IEND” chunks as markers to locate the encrypted data.
A recent example uncovered by Labs involves a phishing campaign that uses environment variables to conceal malicious commands, employing PawsRunner as a steganography loader to deliver the PureLogs .NET infostealer.
The PowerShell script first retrieves data from Process environment variables, then decodes and decrypts its payload using the AES algorithm, and finally decompresses it using the Gzip method.
The functions declare a large number of Process environment variables containing garbled text... The command executed is specified by one of these variables.
It then launches conhost.exe in headless mode to hide malicious activity. The invoked PowerShell also uses the -w hidden flag to hide the PowerShell window.
It then extracts an encrypted payload hidden withing the image (PNG) file using steganography markers, and bypasses Event Tracing for Windows and Windows 11 security features
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A .NET assembly loader used in the phishing chain to decrypt a URL, retrieve a PNG image, extract an encrypted payload via steganography markers, and bypass Event Tracing for Windows and Windows 11 security features before delivering the final payload.
Steganography loader used in a phishing campaign to conceal malicious commands in environment variables and deliver a next-stage payload hidden in media files.
A steganography-based .NET loader delivered via phishing. It decrypts configuration, downloads content while preferring PNG images, extracts encrypted payloads hidden in PNG files using iTXt and IEND markers, and executes the next stage filelessly. The loader evolved over time from directly downloading PE files to using steganography and added fallback URL logic and ETW/Windows 11 24H2 bypasses.
A steganography-enabled .NET loader delivered via phishing. It decrypts configuration, downloads content while preferring PNG responses, extracts encrypted payloads hidden in PNG images using iTXt and IEND markers, and executes the next stage after bypassing ETW and Windows 11 24H2 security features.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.