Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
APT-C-20 Hackers Use PNG Images to Deliver Fileless C# Backdoor
July 8, 2026
PromptSpy Android Malware Leverages Google Gemini for Adaptive Attacks
July 8, 2026
ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
July 8, 2026
Home/Threats/APT-C-20 Hackers Use PNG Images to Deliver Fileless C# Backdoor
Threats

APT-C-20 Hackers Use PNG Images to Deliver Fileless C# Backdoor

Key Takeaways APT-C-20, also known as APT28 or Fancy Bear, is employing an advanced fileless attack technique. The group embeds C# shellcode within seemingly innocuous PNG image files using...

David kimber
David kimber
July 8, 2026 4 Min Read
2 0

Key Takeaways

  • APT-C-20, also known as APT28 or Fancy Bear, is employing an advanced fileless attack technique.
  • The group embeds C# shellcode within seemingly innocuous PNG image files using steganography.
  • The attack primarily targets government and diplomatic entities, particularly those related to Eastern European defense.
  • The fileless nature of the C# backdoor makes it significantly harder for traditional antivirus solutions to detect.
  • Communication with the command-and-control server is routed through the cloud storage service Filen.io, enhancing stealth and resilience.

A sophisticated hacking group, identified as APT-C-20 (also known as APT28 or Fancy Bear), has been observed deploying a cunning new method to bypass conventional security defenses. The group is leveraging ordinary PNG image files to conceal and deliver a fileless C# backdoor, making detection exceptionally challenging for standard security tools.

Table Of Content

  • Key Takeaways
  • The Advanced Attack Chain
  • The Fileless C# Backdoor Payload
  • What You Should Do
  • Indicators of Compromise (IoCs):-

This innovative approach allows the threat actors to execute malicious code directly in memory without writing any executable files to disk. This significantly reduces their digital footprint, enabling them to maintain stealth and persistence within compromised networks.

The Advanced Attack Chain

The campaign initiates with a weaponized Microsoft Word document, named readme.docm, delivered as an email attachment. This document, remarkably small at just 469 bytes, initially displays garbled text, prompting the victim to enable macros to view its content. The lure is meticulously crafted to appear as a defense-related file pertaining to an Eastern European government, exploiting geopolitical interests to entice targets.

Upon enabling macros, the document executes a series of hidden actions. The encrypted macro first performs environmental checks to evade analysis tools, then drops a malicious DLL (dnxstore.dll) and a seemingly legitimate PNG image (EdgeLogo.png) into a ProgramData folder. Crucially, the macro establishes persistence by redirecting a built-in Windows COM class registry key to point to the malicious DLL. This technique, known as COM hijacking, ensures that when Windows Explorer attempts to initialize the legitimate COM object, it inadvertently loads the attacker’s malicious code instead, thereby operating under the guise of a trusted Windows process.

Once loaded, dnxstore.dll conducts further checks, verifying its execution within explorer.exe and employing time-delay mechanisms to detect sandbox environments. If these checks pass, it proceeds to open EdgeLogo.png. This image, which visually resembles a standard Microsoft Edge icon, secretly harbors encrypted shellcode using least significant bit (LSB) steganography. The DLL then extracts an encryption key, along with hidden salt and initialization vector values embedded within the image’s pixels, to decrypt a small header that details the location of the true payload.

The Fileless C# Backdoor Payload

Following the metadata extraction, the loader retrieves the encrypted shellcode from the image pixels, decrypts it, and executes it entirely in memory. This eliminates the need for the payload to be written as a file on the disk, a critical feature for its fileless nature. This shellcode then reflectively loads the final stage payload, a C# backdoor named Publish.exe. This backdoor is heavily obfuscated to hinder reverse engineering and analysis efforts.

Once operational, the C# backdoor generates a unique identifier for the victim using their username and domain name. It then compiles system information into a JSON message, encrypts it, and exfiltrates it. Rather than communicating with a traditional command-and-control (C2) server, the backdoor utilizes Filen.io, a cloud storage service, for its C2 communications. It employs multiple backup gateways (e.g., gateway.filen.io, gateway.filen.net) to ensure resilience and maintain connectivity even if one node becomes unavailable. The backdoor remains dormant, awaiting further instructions, exchanging encryption keys with the operator, and dynamically loading additional code as directed.

Analysts from 360 said in a report that their tracking of APT-C-20 activities led to the discovery of this campaign, noting that the group’s tactics, techniques, and procedures (TTPs) align closely with their established historical operations. Their research highlights the attackers’ use of multiple layers of deception, including macro encryption, hidden registry modifications, and image-based steganography, all designed to prolong the infection’s invisibility.

The implications of this campaign are substantial, particularly given APT-C-20’s history of espionage and its targeting of sensitive government and diplomatic entities with highly convincing lures. The fileless nature of the backdoor poses a significant challenge for traditional signature-based antivirus solutions, requiring defenders to implement more advanced behavioral detection mechanisms rather than relying solely on file scanning.

What You Should Do

  • Exercise Extreme Caution with Email Attachments: Treat unexpected macro-enabled documents, especially those from unfamiliar senders, with the highest level of suspicion. Enable macro execution only when absolutely necessary and from trusted sources.
  • Implement Advanced Endpoint Detection and Response (EDR): Traditional antivirus may miss fileless threats. Deploy robust EDR solutions capable of behavioral analysis to detect suspicious activities like COM hijacking and in-memory code execution.
  • Monitor Unusual Process Behavior: Pay close attention to unusual activity originating from legitimate Windows processes like explorer.exe, particularly when it involves loading DLLs or making unexpected network connections.
  • Network Traffic Monitoring for Cloud APIs: Monitor network traffic for unusual connections to cloud storage services and APIs (e.g., Filen.io, Dropbox.com) that are not part of legitimate organizational workflows.
  • Regular Security Awareness Training: Educate users about phishing tactics, social engineering, and the dangers of enabling macros in untrusted documents.
  • Review and Enforce Macro Security Policies: Configure Microsoft Office applications to disable macros by default or to only allow digitally signed macros from trusted publishers.
  • Utilize Threat Intelligence: Integrate and leverage the provided Indicators of Compromise (IoCs) within your security information and event management (SIEM) systems and threat intelligence platforms for proactive detection.

Indicators of Compromise (IoCs):-

Type Indicator Description
File readme.docm Malicious macro enabled Word document used as initial lure, 469 bytes
File dnxstore.dll Shellcode loader DLL dropped via COM hijacking <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/86cef59e-b4c9-4ad3-a712-c236b209a54e/APT-C-20-Hackers-Hide-Shellcode-in-PNG-Images-to-Launch-Fileless-C-Backdoor.pdf?AWSAccessKeyId=ASIA2F3EMEYE2ILMCKZ4&Signature=ZsB6lzIqzUXMgMZUmn6SgfjONU0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEMX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDp2QISFRAFBbU9mULJgRmLm898usbqlcLWYhPkyjAr5wIgcGE4Sn10w4prdImZgY0Vd8pHEBySV9Y8FQkTnKteEQAq%2FAQIjf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDP2c3xDxnr1wqqe1xirQBBOqMzrNwDnHwaqqyUQiFPMr9hGNODnh%2F87IqosN2r53zkdktAxTuesD8%2BfJ5%2BUyq2%2BAAGU%2BTQEJJMVAed%2Bsq0u52HUq32GsUanVGrKGy1iQ7UynbmCel%2BQD9aHTr8eA5Uymyo5xdVveB3Ik5tYthumAltyuLWtbGbrnR5%2FDso2e9gjwTejrEYdmREKnv9HtYf9kM1GEssZfcUofcenJsiyZUCZy%2FYM9DPZNsZAdMXREEjPU75myTc3y9P%2F2gMbX7KgxG7IyjpS6yAbrHsoUflfdkQF%2Fy4Iepz%2FN%2F54XiApeLq25QtcbgiQ4uIXY06wPBATTXHBvVfgmSfhagntjaN8j%2FUyZUYHdVifGJYOTv3rn9ez%2Fjd%2FjkEGZBJ96JS9IzLCYA6oCs9sqbyAhKJoOGridOMRkdHwY7%2BdRGYS%2BopXoPCKh8odIfsYyn6v9euNUrjVGtWOUoBhPK7nu%2FlpJAUeU%2FOA1tSmprsfV%2F32nSdOAGhVdULyRYHvLd%2FqDtu6vApvZ0WkdBLiw6ObfN6iHxstFdewsF29MYRPdgAZIUtbGhylpD5I6xeUYk6TPX213Z6XMJTAv1Uf4VYkRBfhN8T%2FJKW%2Fv%2B2%2BN7WrhlIxUbvEerbF5tYHw%2BQhAevruP6ZuNOMjAKdDr4vti1uGdzCZ9N5FbtuZlO5%2BU%2FApilC8YsmKTX%2B21FYHcAyssoqxiA6%2FxBMR3aXd7TOVxor3Y0o1ag1nxMWMlSmocYgNvLdVDn%2B

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

PromptSpy Android Malware Leverages Google Gemini for Adaptive Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads
July 8, 2026
Critical RCE Flaw in Claude Desktop App Lets Attackers Execute Remote Code
July 8, 2026
CrowdStrike Reveals 5 New AI Prompt Injection Techniques
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us