• The challenge facing security leaders is monumental: Securing environments where failure is not an option. Reliance on traditional security postures, such as Endpoint Detection and Response (EDR) to chase threats after they have already entered the network, is fundamentally risky and contributes significantly to the half-trillion-dollar annual cost of cybercrime. Zero Trust fundamentally shifts


  • Cybersecurity threats continue to evolve with sophisticated evasion methods. A new .NET-based malware loader has emerged that demonstrates an advanced approach to concealing the notorious Lokibot trojan within image files.

    This multi-stage payload delivery system uses steganography, a technique that embeds hidden data inside legitimate-looking files, making detection significantly more challenging for security tools and analysts.

    The malware operates as a steganography loader capable of extracting and executing Lokibot from within PNG and BMP image files.

    Security researchers have identified this threat as part of an expanding attack campaign targeting organizations globally.

    The attacker leverages image file containers because antivirus software and email gateways often whitelist image files as safe, assuming they pose no risk.

    This assumption has become a critical vulnerability in modern security infrastructure. The delivery mechanism typically involves phishing emails or compromised websites hosting the initial loader.

    Another Variant of NET Steganography Loader Execution Flow (Source – Splunk)

    Once executed, the malware retrieves image files containing hidden Lokibot payloads from remote servers. The steganographic embedding process manipulates pixel data within the image files, specifically using RGB color channels to store encoded executable code.

    This technique renders the images functionally intact while silently carrying malicious content. Splunk security researchers noted that the malware represents a significant shift in evasion strategy.

    Traditional detection methods rely on identifying suspicious file signatures or behavioral patterns, but image-based steganography bypasses these defenses by hiding executables within files that appear innocuous.

    The researchers discovered that the loader uses a custom decryption routine to extract the actual Lokibot payload after retrieval, adding another layer of obfuscation that delays analysis and detection.

    Once deployed, Lokibot functions as an information stealer designed to harvest sensitive credentials and data from infected systems.

    The malware targets browser histories, saved passwords, and application-specific authentication tokens, making it particularly dangerous for corporate environments where employees access multiple cloud services.

    The Steganographic Embedding Mechanism

    Understanding how the malware hides code within image files reveals the technical sophistication of this attack. The .NET loader contains embedded PNG and BMP files within its resource section.

    These image files have been specifically crafted to contain the Lokibot payload encoded across multiple pixel values.

    PixDig Extraction Tool (Source – Splunk)

    The encoding process takes advantage of the ARGB color format, where each pixel contains alpha, red, green, and blue channel data.

    Attackers manipulate these channel values to carry encoded bytes of the actual malicious executable. The process extracts individual pixel values, converts them to hexadecimal sequences, and reassembles these bytes into a complete PE module.

    The resulting extracted file is typically a DLL, such as “captive.dll,” which serves as an intermediate stage that decrypts and executes the final Lokibot trojan.

    This nested approach means security tools must successfully bypass multiple layers of encryption and encoding to reach the actual threat.

    The elegance of this technique lies in its ability to distribute malware using files that fail content analysis, pass file-type validation checks, and bypass gateway filters designed for traditional payload detection methods.
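A defender-side check for the pixel-channel encoding described above, as an added example that is not part of the original article or of Splunk's PixDig tool: it reads a 32-bpp BMP back as the ARGB byte stream a .NET loader would obtain from each pixel and flags an embedded PE module by validating the MZ header's e_lfanew pointer instead of matching the bare "MZ" byte pair. The per-pixel A,R,G,B channel order and the 32-bpp BMP container are assumptions, and the sample images are constructed here around a dummy header, not a real executable.

```python
import re
import struct
from typing import Optional

# Constructed fixture: a dummy PE-style header (MZ stub whose e_lfanew field at
# +0x3C points at "PE\0\0"), not a real executable. 68 bytes = 17 ARGB pixels.
DUMMY_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00"

def build_bmp(argb_stream: bytes, width: int, height: int) -> bytes:
    """Write a minimal 32-bpp, top-down, uncompressed BMP whose per-pixel ARGB
    values come from argb_stream. BMP stores each pixel on disk as B,G,R,A, so
    the channel order is swapped here (test-fixture builder only)."""
    assert len(argb_stream) == width * height * 4
    px = bytearray()
    for i in range(0, len(argb_stream), 4):
        a, r, g, b = argb_stream[i:i + 4]
        px += bytes((b, g, r, a))
    dib = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 32, 0,
                      len(px), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(px), 0, 0, 54)
    return hdr + dib + bytes(px)

def bmp_argb_stream(data: bytes) -> bytes:
    """Return the ARGB byte stream a .NET loader would see by reading each
    pixel's alpha, red, green and blue channels in turn (assumed order)."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP")
    off = struct.unpack_from("<I", data, 10)[0]
    if struct.unpack_from("<H", data, 28)[0] != 32:
        raise ValueError("this example handles 32-bpp BMPs only")
    px = data[off:]
    return b"".join(bytes((px[i + 3], px[i + 2], px[i + 1], px[i]))
                    for i in range(0, len(px) - 3, 4))

def find_embedded_pe(stream: bytes) -> Optional[int]:
    """Offset of an MZ header whose e_lfanew (at +0x3C) points at a 'PE\\0\\0'
    signature, else None. Checking e_lfanew avoids flagging 'MZ' wherever the
    pair happens to occur in genuine pixel data."""
    for m in re.finditer(b"MZ", stream):
        o = m.start()
        if o + 0x40 > len(stream):
            break
        e_lfanew = struct.unpack_from("<I", stream, o + 0x3C)[0]
        if stream[o + e_lfanew:o + e_lfanew + 4] == b"PE\x00\x00":
            return o
    return None

def scan_bmp(data: bytes) -> Optional[int]:
    return find_embedded_pe(bmp_argb_stream(data))

STEGO_BMP = build_bmp(DUMMY_PE, 17, 1)                          # dummy header hidden in pixels
CLEAN_BMP = build_bmp(bytes((0x4D, 0x5A, 0x80, 0x80)) * 17, 17, 1)  # "MZ" pairs, no PE pointer
```

Extending the same scan to PNG needs the image decoded first (for example with Pillow) before its pixels are fed to find_embedded_pe; the validation logic is unchanged.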


    The post New .NET Malware Hides Lokibot Malware within PNG/BMP Files to Evade Detection appeared first on Cyber Security News.


  • A sophisticated Akira ransomware attack orchestrated by the Howling Scorpius group recently left a global data storage and infrastructure company grappling with massive operational disruption, all triggered by a single, seemingly innocent click on a website CAPTCHA. The compromise underscores a harsh reality: deploying advanced security tools does not guarantee security coverage or effective threat […]

    The post Single Click on CAPTCHA Triggers Destructive Akira Ransomware Attack on Malicious Website appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft Teams is rolling out a new feature that allows users to report messages misidentified as security threats. The capability, rolling out by the end of November 2025, targets organizations using Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR to improve threat detection accuracy. The feature addresses a common security challenge: false […]

    The post Microsoft Teams Adds Option to Report Misidentified Threat Messages appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated new macOS malware campaign dubbed “Nova Stealer” has emerged, targeting cryptocurrency users through an elaborate scheme that replaces legitimate wallet applications with malicious counterparts designed to harvest sensitive recovery phrases and wallet data. The threat, identified through analysis of artifacts that reference its build process, demonstrates a modular architecture that enables remote updates […]

    The post Nova Stealer Targets macOS Users, Swaps Legit Apps to Steal Crypto Wallets appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The Sneaky2FA phishing service has recently added a dangerous new capability to its toolkit that makes stealing Microsoft account credentials even easier for attackers.

    Push Security analysts and researchers have identified this threat operating in the wild, using a sophisticated technique called Browser-in-the-Browser (BITB) to trick users into handing over their login information.

    This development represents a troubling evolution in phishing attacks that continues to threaten organizations worldwide.

    Phishing-as-a-Service kits like Sneaky2FA have become increasingly popular in criminal circles because they lower the barrier to entry for anyone wanting to launch advanced attacks.

    These platforms operate on Telegram with fully licensed, obfuscated versions of source code that attackers can deploy independently.

    The competitive environment within the cybercriminal marketplace has driven innovation at an alarming pace, creating an arms race where attackers constantly develop new ways to bypass security controls and steal credentials.

    Push Security analysts and researchers identified the latest Sneaky2FA variant after detecting unusual activity, suggesting the tool had gained new technical capabilities.

    BITB functionality

    The addition of BITB functionality represents a significant tactical shift for the platform, combining multiple layers of deception to maximize the chances of successful credential theft.

    When users encounter this phishing attack, they first see what appears to be a legitimate Adobe Acrobat Reader document requiring them to sign in with their Microsoft account.

    After clicking the sign-in button, an embedded browser window appears, displaying what looks like an authentic Microsoft login page.

    The user is prompted to ‘Sign in with Microsoft’ as part of the phishing lure (Source – Push Security)

    However, this pop-up window is actually a fake contained within the attacker’s page. The browser window automatically adapts its appearance to match the visitor’s operating system and browser type, making the deception even more convincing to unsuspecting users.

    The technical sophistication behind this attack involves multiple evasion mechanisms designed to prevent security tools from detecting it. Before users even see the phishing page, they must pass a Cloudflare Turnstile bot protection check.

    The HTML and JavaScript code is heavily obfuscated to avoid pattern-matching detection. Additionally, the phishing domains use random 150-character URL paths and operate on compromised or old-looking websites.

    Attackers frequently rotate these domains, using them briefly before abandoning them and deploying new ones, creating a constantly moving target for traditional defenses.

    This innovation in phishing techniques demonstrates how attackers continue adapting their methods to bypass modern security controls.

    Users should remain vigilant when encountering unexpected requests to verify their identity online, particularly when pop-up windows appear requesting sensitive credentials.

    Organizations must implement detection systems capable of analyzing live pages in real time rather than relying solely on traditional defenses that examine domain reputation or static signatures.


    The post New Sneaky 2FA Phishing Kit with BitB Technique Attacking Users to Steal Microsoft Account Credentials appeared first on Cyber Security News.


  • Singapore, Singapore, November 19th, 2025, CyberNewsWire The collaboration advances enterprise-grade application security into decentralized ecosystems, uniting Checkmarx’s AppSec expertise with Web3 specialization by CredShields. CredShields, a leading Web3 security firm, has partnered with Checkmarx, the global leader in agentic AI-powered application security testing, to work with AI-driven smart contract audits, vulnerability research, and blockchain […]

    The post CredShields Joins Forces with Checkmarx to Bring Smart Contract Security to Enterprise AppSec Programs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Singapore, Singapore, November 19th, 2025, CyberNewsWire

    The collaboration advances enterprise-grade application security into decentralized ecosystems, uniting Checkmarx’s AppSec expertise with Web3 specialization by CredShields.

    CredShields, a leading Web3 security firm, has partnered with Checkmarx, the global leader in agentic AI-powered application security testing, to bring AI-driven smart contract audits, vulnerability research, and blockchain security tooling from CredShields alongside the Checkmarx application security platform.

    As the application security market accelerates toward an expected US $55 billion by 2029, decentralized architectures introduce new attack surfaces that traditional AppSec programs are not designed to address.

    Nearly half of the largest DeFi breaches trace back to smart contract flaws, and in 2025 to date, losses from cryptocurrency service hacks already surpass US $2.1 billion and are projected to climb further.

    Research further indicates that up to 89% of smart contracts contain vulnerabilities, highlighting the need for Web3-native security standards alongside legacy security frameworks.

    Through this agreement, Checkmarx is adding CredShields as a Web3 security partner to provide customers with dedicated support for decentralized environments.

    The collaboration combines Checkmarx’s enterprise AppSec leadership with deep expertise in smart contract auditing, vulnerability assessment, and blockchain security research from CredShields, enabling organizations to extend their existing DevSecOps programs into Web3 with minimal friction.

    “This partnership represents a natural evolution in the AppSec landscape,” said Shashank, Co-founder of CredShields.

    “Together with Checkmarx, we’re delivering a seamless layer of security that protects enterprise systems, decentralized applications, and smart contracts with the same rigor and intelligence.”

    The partnership will focus on:

    • Comprehensive security coverage for decentralized applications, smart contracts, and wallets
    • AI-assisted vulnerability detection and manual audits powered by CredShields’ proprietary systems
    • Joint contributions to global security frameworks, including OWASP Smart Contract Security Standards and Smart Contract Top 10
    • Enterprise enablement to integrate Web3 security into existing DevSecOps pipelines

    “As enterprises extend their digital footprint into Web3, new attack surfaces emerge,” said Scott Sieper, Director of Product Management at Checkmarx.

    “Partnering with CredShields enables us to bring our deep AppSec expertise to blockchain environments and help organizations innovate with confidence while maintaining the same rigorous security standards they expect from Checkmarx.”

    Checkmarx and CredShields aim to redefine enterprise application security for the decentralized era, ensuring that innovation and security evolve in parallel as organizations adopt blockchain at scale.

    For more information about securing code at the speed of AI and the Checkmarx One platform, users can visit the website.

    About CredShields

    CredShields is a Web3 security firm specializing in manual smart contract audits, AI-powered vulnerability detection, and security automation across blockchain ecosystems.

    A contributor to the OWASP Smart Contract Top 10, CredShields protects leading protocols and enterprises through full-spectrum decentralized security solutions.

    Users can watch the demo: https://lnk.credshields.com/checkmarx-demo

    Contact

    CredShields

    marketing@credshields.com

    The post CredShields Joins Forces with Checkmarx to Bring Smart Contract Security to Enterprise AppSec Programs appeared first on Cyber Security News.


  • The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper “redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure


  • Malicious actors can exploit default configurations in ServiceNow’s Now Assist generative artificial intelligence (AI) platform and leverage its agentic capabilities to conduct prompt injection attacks. The second-order prompt injection, according to AppOmni, makes use of Now Assist’s agent-to-agent discovery to execute unauthorized actions, enabling attackers to copy and exfiltrate sensitive
