Listen to this Post

Cybersecurity researchers have identified a new variant of a .NET-based steganographic loader that delivers the notorious Lokibot malware using sophisticated evasion techniques. By embedding malicious code within ordinary-looking image files, this loader is designed to bypass traditional detection mechanisms and execute its payload stealthily on targeted systems. This latest campaign, uncovered by the Splunk Threat Research Team (STRT), demonstrates how cybercriminals continue to innovate, using legitimate file formats and runtime decryption to hide malware from security tools.
New Stealthy Loader Evades Detection
The loader, first observed disguised as a fake “Request for Quotation” (RFQ) document, avoids embedding malware directly in its .NET resources. Instead, it uses a decryption module that extracts a hidden container at runtime. This container houses two image files, a BMP and a PNG, each containing the next-stage malware payload. Because these images remain encrypted until execution, conventional static analysis tools and sandboxes struggle to identify malicious behavior.
Researchers employed the PowerShell-based PixDig tool to extract the embedded images, decode them, and reveal Lokibot as the final-stage malware. PE timestamp analysis confirmed that the loader continues to distribute updated versions of Lokibot, indicating ongoing activity in the wild.
Lokibot’s Capabilities and Threat Profile
Active since 2015 and widely spread following its source code leak in 2018, Lokibot targets Windows systems to steal credentials, browser data, and cryptocurrency wallets. It enumerates system details, extracts stored passwords from browsers and password managers, and communicates with its command-and-control (C2) server.
The malware gains elevated privileges, including SeDebugPrivilege, to access protected processes like lsass.exe. It also injects into vbc.exe, the Visual Basic compiler, for stealthy execution. Using Windows APIs such as UrlDownloadToFileW, Lokibot can download additional payloads and maintain persistence through scheduled tasks. During STRT’s analysis, some of the C2 servers were inactive, but the malware’s presence across multiple systems was evident.
Splunk mapped the attack to several MITRE ATT&CK techniques, including Process Injection (T1055), Credentials from Password Stores (T1555), and Scheduled Task/Job (T1053). To improve detection, STRT released 26 analytic rules covering suspicious behaviors, such as Visual Basic compiler DNS queries, unusual executable locations, and XML-based scheduled task creation.
What Undercode Say:
The emergence of this .NET steganographic loader underscores the increasing sophistication of malware delivery. By leveraging image-based payloads and runtime decryption, attackers significantly reduce the likelihood of detection by conventional antivirus and sandbox tools. This trend highlights a broader evolution in malware tactics: moving away from static signatures toward dynamic, polymorphic methods that adapt to security defenses in real time.
Lokibot’s continued targeting of credential stores, browser data, and cryptocurrency wallets demonstrates its ongoing profitability and relevance in cybercrime. Its ability to inject into system processes and exploit Windows APIs for stealth and persistence reflects an advanced understanding of Windows internals. Moreover, the use of legitimate-looking file formats, like BMP and PNG, as carriers for malicious code emphasizes the need for security solutions that analyze runtime behavior rather than rely solely on static signatures.
From an operational standpoint, organizations must prioritize endpoint detection and response (EDR) capabilities that can monitor PowerShell execution, unusual Visual Basic compiler activity, and unexpected scheduled tasks. Awareness campaigns and threat hunting, informed by the 26 analytic rules from STRT, are crucial to identifying and mitigating such attacks before credential theft or system compromise occurs.
Additionally, this campaign exemplifies the broader cybersecurity arms race: attackers continuously refine malware delivery to exploit overlooked attack surfaces, while defenders must innovate equally sophisticated detection and response strategies. The use of steganography as a primary evasion method is particularly concerning, as it could be adapted to other malware families, expanding its potential impact.
Organizations should consider layered security approaches, including behavioral analytics, threat intelligence feeds, and strict network segmentation, to limit the reach of advanced malware like Lokibot. The case also highlights the importance of ongoing research and collaboration between cybersecurity firms, sharing indicators of compromise (IOCs) and analytic techniques to counter emerging threats.
Fact Checker Results:
✅ STRT uncovered a .NET steganographic loader delivering Lokibot.
✅ Malware hides payloads within BMP and PNG images using runtime decryption.
❌ No evidence suggests this variant is linked to Quasar RAT; it uses updated modules.
Prediction:
📊 As malware authors adopt increasingly advanced evasion methods, image-based steganography and runtime decryption will likely become more common in banking and credential-stealing campaigns. Expect more attacks targeting cloud-connected endpoints and exploiting legitimate file formats, pushing defenders toward behavioral analysis and AI-driven threat detection.
If you want, I can also create a fully SEO-optimized version with embedded LSI keywords for higher search visibility while keeping the same human-like editorial tone. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




