APT-C-20 Hackers Hide Shellcode in PNG Images to Launch Fileless C# Backdoor

APT-C-20 Hackers Hide Shellcode in PNG Images to Launch Fileless C# Backdoor

A well known hacking group has found a clever way to sneak malicious code past security tools, using an ordinary picture file.

The group, tracked as APT-C-20 and known as APT28 or Fancy Bear, hides shellcode inside PNG images to launch a fileless backdoor written in C#. This lets attackers avoid dropping malware files on disk, making the intrusion harder to spot.

The campaign begins with a booby trapped Word document sent as an email attachment, disguised as a defense related file tied to an Eastern European government.

Once a victim enables macros, the document drops a hidden DLL and a disguised PNG image, then hijacks a Windows component to load code without raising alarms.

The DLL pulls hidden shellcode from the image and runs it in memory, eventually deploying a remote access tool that talks to attackers through a cloud storage service.

Analysts from 360 said in a report shared with Cyber Security News (CSN) that they identified the campaign while tracking APT-C-20 activity, noting the group’s tradecraft closely matches its historical operations.

Their research shows the attackers combine several layers of deception, including macro encryption, hidden registry changes, and image based steganography, keeping the infection invisible for as long as possible.

The impact is significant since the campaign targets government and diplomatic entities with convincing lures, and its fileless nature means antivirus tools often miss it.

Since the final payload never touches disk as a standalone executable, defenders must rely on behavior based detection rather than file scanning. Organizations handling sensitive geopolitical data face heightened risk given the group’s history of espionage.

APT-C-20 Hackers Hide Shellcode in PNG Images

The attack starts with a document named readme.docm, a tiny file barely 469 bytes in size that shows garbled text until macros are enabled.

Enabling macros reveals a decoy page about an Eastern European defense ministry, distracting the user while hidden code runs in the background.

The macro is encrypted, and once unlocked it checks the environment, drops files, sets up persistence, and gathers system information before showing fake content.

The malware contacts dropbox.com as a network check, then copies itself into a temp folder and writes two files to a ProgramData location, a DLL named dnxstore.dll and an image called EdgeLogo.png.

Attack Chain (Source - 360)
Attack Chain (Source – 360)

A registry key tied to a built in Windows COM class is redirected to the malicious DLL. When Windows Explorer initializes that COM object, it unknowingly loads the attacker’s code, a technique known as COM hijacking.

Once loaded, dnxstore.dll checks whether it runs inside explorer.exe rather than a debugging tool, and measures time delays to detect a sandbox.

If everything looks legitimate, it opens EdgeLogo.png, which appears to be a normal Edge icon but hides encrypted data using least significant bit steganography.

The malware derives an encryption key, pulls hidden salt and initialization vector values from the pixels, and decrypts a small header describing where the real payload sits.

The Fileless C# Backdoor Payload

After extracting the metadata, the loader pulls the encrypted shellcode from the image pixels, decrypts it, and runs it entirely in memory without saving it as a file.

This shellcode reflectively loads the final payload, a C# backdoor called Publish.exe, heavily obfuscated to resist analysis.

Once active, the backdoor builds a unique identifier from the victim’s username and domain name, then packages system details into a JSON message that gets encrypted and sent out.

Instead of a typical command and control server, it communicates through Filen.io, a cloud storage service, using multiple backup gateways so it keeps working if one node fails.

It waits for instructions, exchanges encryption keys with the operator, and loads additional code sent to it.

Researchers noted this reflective loading style and cloud based communication matches previous APT-C-20 activity documented in earlier reports.

The security teams should treat unexpected macro enabled documents with caution and avoid opening attachments or links from unfamiliar senders.

Monitoring unusual explorer.exe behavior and traffic to cloud APIs can help catch this intrusion early.

Indicators of compromise (IoCs):-

Type Indicator Description
File readme.docm Malicious macro enabled Word document used as initial lure, 469 bytes 
File dnxstore.dll Shellcode loader DLL dropped via COM hijacking 
File EdgeLogo.png PNG image containing LSB steganography-hidden shellcode 
File Publish.exe Final C# backdoor payload communicating via Filen.io 
Domain dropbox.com Contacted during initial network reconnaissance check 
Domain gateway.filen.io C2 gateway node for Filen.io based communication 
Domain gateway.filen.net Backup C2 gateway node for Filen.io based communication 
MD5 77014b3e77529079f041b5b9e73a013b Hash of readme.docm lure document 
MD5 b077401fe3d9642345d4c3deafa60aa5 Hash of dnxstore.dll loader 
MD5 1cbffddcb8e1e839737bbf6e50a80aaf Hash associated with attack component 
MD5 f10d1676b570aa4d97edb844fbb5128 Hash associated with attack component 
MD5 7c517d1f4385e0d6e8fa5932d17873eb Hash associated with attack component 
MD5 8d416eca59188474efa3408827578588b Hash of Publish.exe C# backdoor payload 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post APT-C-20 Hackers Hide Shellcode in PNG Images to Launch Fileless C# Backdoor appeared first on Cyber Security News.

​The original article found on Cyber Security News Read More