A well known hacking group has found a clever way to sneak malicious code past security tools, using an ordinary picture file.
The group, tracked as APT-C-20 and known as APT28 or Fancy Bear, hides shellcode inside PNG images to launch a fileless backdoor written in C#. This lets attackers avoid dropping malware files on disk, making the intrusion harder to spot.
The campaign begins with a booby trapped Word document sent as an email attachment, disguised as a defense related file tied to an Eastern European government.
Once a victim enables macros, the document drops a hidden DLL and a disguised PNG image, then hijacks a Windows component to load code without raising alarms.
The DLL pulls hidden shellcode from the image and runs it in memory, eventually deploying a remote access tool that talks to attackers through a cloud storage service.
Analysts from 360 said in a report shared with Cyber Security News (CSN) that they identified the campaign while tracking APT-C-20 activity, noting the group’s tradecraft closely matches its historical operations.
Their research shows the attackers combine several layers of deception, including macro encryption, hidden registry changes, and image based steganography, keeping the infection invisible for as long as possible.
The impact is significant since the campaign targets government and diplomatic entities with convincing lures, and its fileless nature means antivirus tools often miss it.
Since the final payload never touches disk as a standalone executable, defenders must rely on behavior based detection rather than file scanning. Organizations handling sensitive geopolitical data face heightened risk given the group’s history of espionage.
APT-C-20 Hackers Hide Shellcode in PNG Images
The attack starts with a document named readme.docm, a tiny file barely 469 bytes in size that shows garbled text until macros are enabled.
Enabling macros reveals a decoy page about an Eastern European defense ministry, distracting the user while hidden code runs in the background.
The macro is encrypted, and once unlocked it checks the environment, drops files, sets up persistence, and gathers system information before showing fake content.
The malware contacts dropbox.com as a network check, then copies itself into a temp folder and writes two files to a ProgramData location, a DLL named dnxstore.dll and an image called EdgeLogo.png.

A registry key tied to a built in Windows COM class is redirected to the malicious DLL. When Windows Explorer initializes that COM object, it unknowingly loads the attacker’s code, a technique known as COM hijacking.
Once loaded, dnxstore.dll checks whether it runs inside explorer.exe rather than a debugging tool, and measures time delays to detect a sandbox.
If everything looks legitimate, it opens EdgeLogo.png, which appears to be a normal Edge icon but hides encrypted data using least significant bit steganography.
The malware derives an encryption key, pulls hidden salt and initialization vector values from the pixels, and decrypts a small header describing where the real payload sits.
The Fileless C# Backdoor Payload
After extracting the metadata, the loader pulls the encrypted shellcode from the image pixels, decrypts it, and runs it entirely in memory without saving it as a file.
This shellcode reflectively loads the final payload, a C# backdoor called Publish.exe, heavily obfuscated to resist analysis.
Once active, the backdoor builds a unique identifier from the victim’s username and domain name, then packages system details into a JSON message that gets encrypted and sent out.
Instead of a typical command and control server, it communicates through Filen.io, a cloud storage service, using multiple backup gateways so it keeps working if one node fails.
It waits for instructions, exchanges encryption keys with the operator, and loads additional code sent to it.
Researchers noted this reflective loading style and cloud based communication matches previous APT-C-20 activity documented in earlier reports.
The security teams should treat unexpected macro enabled documents with caution and avoid opening attachments or links from unfamiliar senders.
Monitoring unusual explorer.exe behavior and traffic to cloud APIs can help catch this intrusion early.
Indicators of compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post APT-C-20 Hackers Hide Shellcode in PNG Images to Launch Fileless C# Backdoor appeared first on Cyber Security News.
​The original article found on Cyber Security News Read More