Updated Malware Loader Shows Lokibot Adapting to Enterprise Security Tools

Researchers Trace Image-Hidden Malware Code Delivering ‘Lokibot’ Attacks

The420 Web Desk

Security researchers have uncovered a new malware loader that hides its code inside ordinary image files, revealing a quiet but determined evolution in attackers’ efforts to evade modern detection systems. The campaign, which ultimately delivers the credential-stealing malware Lokibot, offers a rare look into how familiar threats are being re-engineered for a new era of defensive tools.

A Stealthy Malware Loader Emerges

A newly identified variant of a .NET-based steganographic loader is drawing attention across the cybersecurity community for its ability to mask malicious code inside image files — a technique designed to slip past antivirus tools by mimicking harmless visual media.

Researchers at the Splunk Threat Research Team (STRT) encountered the loader while analyzing modified samples of a previously known crypter. The crypter has a long history of embedding malicious code inside images, but the new strain, they say, reflects a significant escalation: it adds a dedicated decryption module engineered to frustrate static analysis and automated sandboxing.

The campaign begins with a familiar lure. The malware first surfaces as what appears to be a routine business document — in this case, a fabricated “Request for Quotation” (RFQ). When opened, the file quietly initiates a sequence of decryption steps, extracting a concealed container module instead of loading malicious data directly from its .NET resources.


Inside the Steganographic Technique

What distinguishes this loader from earlier versions is its layered approach to hiding code. The container it retrieves holds two image-based modules, one encoded in BMP format and the other in PNG. Each image carries encrypted content representing the next stage of malware.

Because the images remain encrypted until runtime, traditional inspection methods — which rely on analyzing file signatures or scanning static code — rarely detect them. This method of steganography allows the loader to masquerade as benign digital media, a tactic that has proved increasingly effective as attackers adapt to the more sophisticated screening tools deployed by enterprises.
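The write-up says the BMP and PNG modules carry encrypted content but does not say where in each file it is stored. The following Python triage check is an added example, not code from the Splunk write-up or from the loader, and it assumes the simplest embedding a loader can use: data that a normal image decoder never reads, namely bytes after the PNG IEND chunk (or chunks whose CRC no longer matches their contents) and BMP bytes beyond the file size declared in the header. The sample images and the appended placeholder blob are constructed inside the script. Pixel-level embedding would pass this check, so it is a cheap first filter for a pipeline, not a complete steganalysis.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report what a normal decoder never looks at:
    bytes after IEND, and chunks whose CRC does not match their contents."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks, bad_crc = [], []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header (no IEND found)")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + data + CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        expected = zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        stored = struct.unpack(">I", data[end - 4:end])[0]
        if expected != stored:
            bad_crc.append(ctype)
        chunks.append(ctype)
        pos = end
        if ctype == b"IEND":
            return {"chunks": chunks, "bad_crc_chunks": bad_crc,
                    "trailing_bytes": len(data) - pos}


def inspect_bmp(data: bytes) -> dict:
    """Compare the file size declared in BITMAPFILEHEADER with the real size."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    declared = struct.unpack_from("<I", data, 2)[0]
    return {"declared_size": declared, "actual_size": len(data),
            "trailing_bytes": max(0, len(data) - declared)}


def is_suspicious(report: dict) -> bool:
    """One verdict for a triage script: anything beyond the image's own
    structure deserves a closer look."""
    return report["trailing_bytes"] > 0 or bool(report.get("bad_crc_chunks"))


# --- constructed sample images (not from the campaign) ----------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid 8-bit RGB PNG filled with black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def make_bmp(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid 24-bit BMP (BITMAPINFOHEADER) filled with black pixels."""
    row = (width * 3 + 3) & ~3                      # rows are padded to 4 bytes
    pixels = b"\x00" * (row * height)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(info)) + info + pixels


if __name__ == "__main__":
    blob = b"CONSTRUCTED-PLACEHOLDER-STAGE"       # stands in for an encrypted module
    for name, data in [("clean.png", make_png()), ("stego.png", make_png() + blob),
                       ("clean.bmp", make_bmp()), ("stego.bmp", make_bmp() + blob)]:
        report = inspect_png(data) if name.endswith(".png") else inspect_bmp(data)
        print(f"{name}: suspicious={is_suspicious(report)} {report}")
```

Running the script reports both "stego" samples as suspicious and both clean ones as not. In practice the same functions would be run over images extracted from an email attachment or dropped to disk by a .NET process, with the CRC check catching embedding that overwrites chunk data and the size check catching simple appends.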

Once decrypted, the module leverages Windows APIs such as URLDownloadToFileW to retrieve additional payloads. It then establishes persistence via scheduled tasks, ensuring the malware can continue operating even if the initial processes are terminated. Some command-and-control servers used in the campaign appeared inactive during STRT’s review, but the architecture suggests that the operators maintain a rotation of endpoints to avoid long-term exposure.

Splunk analysts linked the activity to several MITRE ATT&CK techniques, including Process Injection (T1055), Credentials from Password Stores (T1555), and Scheduled Task/Job Creation (T1053) — a combination that reflects both the breadth and maturity of the operation.

Unpacking the Lokibot Payload

After decoding the steganographic layers, researchers found the malware ultimately delivers Lokibot, one of the most widely circulated credential-stealers of the last decade. Lokibot first appeared in 2015, but its reach expanded dramatically after its source code leaked in 2018, enabling criminal groups to develop their own variants.

Once installed, Lokibot begins enumerating system information and harvesting stored credentials from browsers, password managers and cryptocurrency wallets. It extracts sensitive data from processes such as lsass.exe and injects itself into vbc.exe, the Visual Basic compiler, for stealthier execution. From there, it communicates with remote command-and-control servers, transmitting the stolen data while awaiting new instructions.

A timestamp analysis of the loader suggested that it continues to push updated Lokibot builds — an indication, researchers say, that the malware remains actively maintained and distributed in the wild.

Evasion Tactics and the Growing Detection Challenge

The discovery underscores a broader shift toward malware designed not simply to bypass antivirus tools, but to withstand the layered analytics increasingly favored by enterprise security teams.

To counter this campaign, the STRT released 26 new analytic rules aimed at catching behaviors rather than specific signatures. The rules target patterns such as DNS queries issued by the Visual Basic compiler, executables placed in unusual system directories, and the creation of XML-based scheduled tasks.

Even so, the researchers caution that evolving techniques — including runtime decryption, legitimate-looking file formats and modular image-based payloads — make static detection far less reliable than it once was. Attackers, they note, are now deploying loaders that behave more like shapeshifters than simple droppers, blending into ordinary user activity until the moment their payloads activate.

The latest Lokibot campaign, they argue, illustrates a wider reality: old malware families are not disappearing. Instead, they are being quietly retooled for a security ecosystem that demands ever more creativity from both sides of the threat landscape.
