APT-C-20 Hackers Hide Shellcode in PNG Images to Launch Fileless C# Backdoor


A newly reported APT-C-20 campaign uses a malicious Word document, COM hijacking, image steganography, and memory-only execution to launch a fileless C# backdoor on Windows systems.

The attack hides encrypted shellcode inside a PNG image that looks like a normal Microsoft Edge logo. Once the loader extracts the hidden payload, it runs the code in memory instead of saving a full executable to disk.

Researchers at 360 attributed the activity to APT-C-20 and described overlaps with historical APT28, also known as Fancy Bear. MITRE lists APT28 under aliases including Fancy Bear, Sofacy, Pawn Storm, STRONTIUM, and Forest Blizzard.

The attack begins with a malicious Word document

The infection starts with a macro-enabled Word document named readme.docm. The lure reportedly displays unreadable or garbled content until the victim enables macros.

After macros run, the document shows a decoy page tied to an Eastern European defense ministry. That fake content distracts the user while the hidden macro code begins the infection process.

The delivery method matches a familiar phishing pattern. The MITRE ATT&CK spearphishing attachment technique describes attackers sending malicious files through email to gain initial access when a victim opens or enables the attachment.

StageTechnique usedPurpose
Initial accessMacro-enabled Word documentTrick the victim into running hidden code
PersistenceCOM hijackingLoad a malicious DLL through normal Windows behavior
Payload hidingPNG steganographyStore encrypted shellcode inside an image
ExecutionReflective loadingRun the backdoor in memory
Command and controlCloud service communicationExchange instructions and payloads with operators

What the macro does after execution

Once enabled, the macro performs several checks and setup tasks. It contacts dropbox.com as a network check, copies itself to a temporary folder, and drops two files into a ProgramData location.

The first file is dnxstore.dll, a loader DLL. The second is EdgeLogo.png, an image that appears harmless but contains the hidden encrypted shellcode.

The use of a convincing document lure is important because government and diplomatic targets often receive real documents about defense, policy, or regional security. That makes a themed attachment more likely to pass a quick user review.

  • The lure file is named readme.docm.
  • The decoy content references an Eastern European defense ministry.
  • The macro drops dnxstore.dll and EdgeLogo.png.
  • The PNG file hides encrypted shellcode.
  • The final backdoor runs without appearing as a normal saved executable.

COM hijacking loads the malicious DLL

The campaign uses COM hijacking to make Windows load the attacker’s DLL during normal system behavior. In the reported chain, a registry key tied to a Windows COM class is redirected to dnxstore.dll.

When Explorer initializes the hijacked COM object, the malicious DLL loads inside a trusted process context. This helps the malware blend into normal endpoint activity and delays detection.

MITRE’s Component Object Model hijacking entry explains that attackers can gain persistence by changing COM references in the registry so malicious content runs when a legitimate component executes.

The loader checks for sandboxes and debugging tools

After dnxstore.dll runs, it checks whether it is executing inside explorer.exe rather than an analysis or debugging process. It also measures timing delays to detect sandbox behavior.

These checks help the malware avoid exposing its full payload to automated malware analysis systems. If the environment looks suspicious, the loader can stop or change behavior before revealing the backdoor.

This type of evasive logic matters because static file scanning may only see a small loader and a normal-looking PNG image. The real payload becomes visible only after the loader extracts and decrypts the hidden data.

Shellcode is hidden inside a PNG image

The campaign’s standout technique is the use of EdgeLogo.png as a shellcode container. The image appears to be a Microsoft Edge icon, but it hides encrypted data inside pixel values.

Researchers said the loader uses least significant bit steganography to pull out a hidden salt, initialization vector, metadata header, and encrypted shellcode. It then decrypts the shellcode and prepares it for memory execution.

MITRE describes steganography as a way for adversaries to hide data inside image, audio, video, or text files so the payload does not look suspicious during storage or transfer.

FileReported role
readme.docmMacro-enabled lure document used for initial execution
dnxstore.dllLoader DLL used after COM hijacking
EdgeLogo.pngImage file containing encrypted shellcode
Publish.exeFinal C# backdoor payload loaded in memory

The final C# backdoor runs in memory

After extracting the hidden data, the loader decrypts the shellcode and runs it without writing the final payload as a standalone executable on disk.

The shellcode reflectively loads the final C# backdoor, identified in the report as Publish.exe. The backdoor is heavily obfuscated to make reverse engineering harder.

This behavior aligns with broader process-injection and memory-execution tradecraft. MITRE’s process injection technique explains that adversaries may run code inside another process to evade defenses and gain execution through legitimate process contexts.

Why fileless execution makes detection harder

Fileless execution reduces the number of obvious artifacts available to antivirus tools. Defenders may still see the lure, DLL, image, registry changes, process behavior, and network traffic, but the final backdoor may not appear as a normal file on disk.

That shifts the detection burden from file hashes to behavior. Security teams need to look for suspicious registry writes, unusual Explorer child activity, unexpected DLL loads, memory allocation patterns, and cloud API traffic from systems that should not generate it.

The campaign also shows how attackers combine older techniques in a modern chain. Macros, COM hijacking, steganography, reflective loading, and cloud communication are not new by themselves, but the combination creates a stealthier intrusion path.

The backdoor communicates through Filen.io gateways

Once active, the C# backdoor builds a unique victim identifier from the username and domain name. It then packages system details into encrypted JSON messages.

Instead of relying on a traditional attacker-owned command-and-control server, the malware reportedly communicates through Filen.io gateways, including gateway.filen.io and gateway.filen.net. Cloud-based communication can make traffic look less suspicious because it goes to a legitimate service domain.

MITRE’s web-service bidirectional communication technique describes attackers using existing web services to send commands and receive output, which can help malicious traffic blend with normal network activity.

Why the campaign matters for government targets

The lure theme suggests interest in defense or government-related entities. That fits the broader espionage profile normally associated with high-end APT operations.

MITRE’s APT28 profile notes that the group has targeted government, military, security, and other organizations, and that it has operated under several public names across vendor tracking systems.

Attack Chain (Source – 360)

The reported APT-C-20 chain also uses several techniques seen across mature espionage campaigns: convincing document lures, registry-based persistence, delayed payload exposure, encrypted configuration data, and cloud-backed command channels.

Indicators shared in the report

The report includes several indicators tied to the attack chain. Security teams should validate these indicators against their own telemetry and avoid relying only on hashes, since attackers can modify files quickly.

TypeIndicatorDescription
Filereadme.docmMalicious macro-enabled Word document used as the lure
Filednxstore.dllShellcode loader DLL used through COM hijacking
FileEdgeLogo.pngPNG image containing steganography-hidden shellcode
FilePublish.exeFinal C# backdoor payload loaded in memory
Domaindropbox.comUsed for an initial network connectivity check
Domaingateway.filen.ioReported Filen.io command-and-control gateway
Domaingateway.filen.netReported backup Filen.io command-and-control gateway
MD577014b3e77529079f041b5b9e73a013bHash of the readme.docm lure document
MD5b077401fe3d9642345d4c3deafa60aa5Hash of the dnxstore.dll loader
MD58d416eca59188474efa3408827578588bHash of the reported Publish.exe backdoor

What defenders should monitor

Security teams should pay close attention to macro-enabled documents that create files under ProgramData or Temp locations, especially when they also modify COM-related registry keys.

Detection should also focus on Explorer loading unexpected DLLs, image files being read by unknown DLLs, and memory execution patterns after registry-triggered code loads.

The MITRE COM hijacking guidance recommends correlating suspicious COM registry modifications with later DLL loads or unexpected execution paths.

  1. Block or restrict macros from internet-delivered Office documents.
  2. Monitor Office processes that create DLLs or image files in ProgramData.
  3. Alert on COM registry changes under user-controlled registry paths.
  4. Investigate explorer.exe loading unexpected DLLs from nonstandard locations.
  5. Inspect PNG files written by Office macros or unknown loaders.
  6. Monitor outbound traffic to cloud API endpoints from sensitive endpoints.
  7. Look for memory-only execution after DLL loads and registry modifications.

Why image steganography needs behavioral detection

Steganography makes malware harder to detect because the carrier file may look normal to the user and to basic file filters. A PNG image can appear harmless while still carrying encrypted payload bytes.

Defenders should not treat every image as suspicious, but they should investigate image files that appear in unusual execution chains. A Word macro dropping an image, a DLL reading it, and a process allocating executable memory together create a much stronger signal.

The MITRE steganography entry also notes that hidden data can help adversaries conceal payloads and command-and-control data. That makes context more useful than simple file extension checks.

Cloud services complicate command-and-control detection

Using a cloud storage provider for command-and-control can help attackers avoid simple domain-blocking defenses. A domain may look legitimate, even when a specific account, path, token, or API workflow is malicious.

For that reason, organizations should baseline which endpoints normally access services such as Filen.io, Dropbox, OneDrive, Google Drive, and other cloud storage platforms. Unexpected access from government, defense, or administrative workstations should trigger review.

The MITRE web-service communication page highlights that adversaries may use existing services for two-way command-and-control traffic, which can make malicious activity harder to distinguish from normal web use.

Memory execution remains the key risk

The most important defensive challenge is the final memory-only stage. If the backdoor never appears as a normal executable on disk, file scanning alone will not provide enough coverage.

Security tools should combine script inspection, registry monitoring, DLL load telemetry, memory behavior, and network analytics. That layered view gives defenders a better chance of catching the attack before the backdoor receives operator commands.

The same principle applies to process injection and other memory-based techniques: defenders need visibility into how code enters a process, not just whether a suspicious file exists on disk.

Macro lures still work against sensitive targets

The campaign shows that macro-based document attacks remain useful when the lure is specific enough. A small file with a defense-themed decoy can still work if the target expects similar documents in daily work.

Organizations that handle sensitive geopolitical, defense, or diplomatic data should treat unexpected macro-enabled attachments as high risk, even when the theme looks relevant.

The MITRE spearphishing attachment entry remains one of the clearest mappings for this stage because the victim must interact with the malicious attachment before the rest of the chain can run.

FAQ

What is the APT-C-20 PNG shellcode campaign?

It is a reported Windows malware campaign that starts with a macro-enabled Word document, drops a loader DLL and a PNG image, extracts encrypted shellcode from the image, and launches a fileless C# backdoor in memory.

How does the malware hide shellcode in a PNG file?

The campaign reportedly uses least significant bit steganography to hide encrypted shellcode and metadata inside the pixels of a PNG image named EdgeLogo.png. The loader extracts and decrypts the hidden data during execution.

What is COM hijacking in this attack?

COM hijacking is the abuse of Windows COM registry references so a malicious DLL loads when a legitimate component runs. In this campaign, a registry change causes Explorer to load the attacker’s dnxstore.dll loader.

Why is the C# backdoor called fileless?

The final payload is called fileless because the loader decrypts and runs it in memory instead of saving it as a normal executable on disk. That makes behavior-based detection more important than file scanning alone.

How can organizations detect this attack?

Organizations should monitor macro-enabled documents, COM registry changes, unexpected DLL loads by explorer.exe, image files dropped by Office processes, memory-only execution patterns, and unusual traffic to cloud storage APIs.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages