APT-C-20 Uses PNG Steganography for Fileless Backdoor Deployment
The APT-C-20 (Fancy Bear) threat group is employing a sophisticated fileless attack technique, embedding shellcode within PNG images to deploy a C# backdoor and evade traditional security measures.

A sophisticated campaign attributed to the APT-C-20 threat group, also known as APT28 or Fancy Bear, has been uncovered, utilizing an innovative method to deploy a fileless C# backdoor. This advanced technique involves hiding malicious shellcode within seemingly innocuous PNG image files, a tactic designed to bypass conventional file-based antivirus detection and significantly complicate forensic analysis.
The attack chain commences with a carefully crafted phishing email containing a malicious Word document as an attachment. This document, disguised as a file related to an Eastern European government's defense sector, prompts the user to enable macros. Once macros are activated, the document executes encrypted code that performs environment checks, establishes persistence, and gathers system information before presenting a decoy document to the victim. This initial stage is crucial for setting up the subsequent stages of the attack without raising immediate suspicion.
Following the macro execution, the malware drops two files into the victim's system: a DLL named dnxstore.dll and a PNG image file named EdgeLogo.png. The DLL is strategically placed to hijack a legitimate Windows Component Object Model (COM) class. This COM hijacking technique allows the malicious DLL to be loaded and executed in memory when Windows Explorer initializes the targeted COM object, effectively making the malicious code appear as a legitimate system process.
The dnxstore.dll loader then proceeds to extract the hidden shellcode from the EdgeLogo.png image. This is achieved through a steganographic method, specifically using the least significant bit (LSB) technique to embed encrypted data within the image's pixels. The loader derives an encryption key from the image data itself, decrypts a header that points to the payload's location within the image, and then extracts the actual shellcode.
Once the shellcode is extracted and decrypted, it is loaded and executed entirely in memory, a hallmark of fileless malware. This shellcode is responsible for reflectively loading the final payload: a heavily obfuscated C# backdoor, identified as Publish.exe. The fileless nature of this operation means that the primary malicious executable never touches the disk as a standalone file, rendering signature-based antivirus solutions ineffective.
The deployed C# backdoor establishes communication with its operators not through a traditional command-and-control (C2) server, but via the cloud storage service Filen.io. It constructs a unique identifier for the victim and sends system details in an encrypted JSON format. The use of multiple backup gateways on Filen.io ensures resilience and continued communication even if one node becomes unavailable. This communication method, combined with the reflective loading technique, aligns with previously documented APT-C-20 operational patterns.
This campaign poses a significant threat, particularly to government and diplomatic entities, given the group's historical focus on espionage. The fileless execution and steganographic techniques employed represent a notable evolution in APT-C-20's toolkit, underscoring the need for advanced threat detection capabilities that go beyond file scanning, such as behavioral analysis and network traffic monitoring for suspicious cloud service interactions.
Security recommendations include exercising extreme caution with macro-enabled documents from unknown sources, monitoring for unusual process behavior within explorer.exe, and scrutinizing network traffic directed towards cloud storage services. The Indicators of Compromise (IoCs) provided by researchers offer valuable data points for detection and response efforts.