New Stealthy .NET Malware Hiding Malicious Payloads within bitmap resources
Cybersecurity researchers at Palo Alto Networks’ Unit 42 have uncovered a novel obfuscation method employed by threat actors to conceal malware within bitmap resources of seemingly benign 32-bit .NET applications.
This advanced steganography technique embeds malicious payloads in bitmap files, initiating a multi-stage infection chain that ultimately delivers destructive malware families such as Agent Tesla, Remcos RAT, and XLoader.

Obfuscation Technique Unveiled
Observed primarily between late 2024 and early 2025, these campaigns targeted critical sectors like finance in Türkiye and logistics in Asia, distributing over 250 emails with malicious Windows executables disguised as legitimate documents related to procurement or financial transactions.
The attack begins with the emailed Windows executable, a 32-bit .NET application carrying a bitmap resource named “rbzR,” which is deobfuscated into the Montero.dll assembly during the second stage of the unpacking process.
The final payload, often given an innocuous name such as Remington.exe, is recovered through XOR- and subtraction-based decryption routines using keys such as “opIaZhYa.”

This process is designed to evade traditional security mechanisms by loading and executing payloads dynamically via reflection and late binding techniques.
Technical Breakdown of the Multi-Stage Attack
Additional obfuscation methods, including metadata obfuscation, opcode replacement, control flow flattening, and string encryption, further complicate reverse engineering efforts.
Researchers noted that timestamps on these files are often manipulated (timestomped) to display misleading dates, such as a futuristic “2102-09-02,” adding another layer of deception.
The sophistication of this approach underscores the evolving tactics of cybercriminals, who leverage legitimate applications like Windows Forms OCR to mask their intent, making detection by standard antivirus solutions challenging.
The payloads, once detonated, establish communication with command-and-control (C2) servers or exfiltrate data via SMTP servers, with specific configurations identified for Agent Tesla variants.
Palo Alto Networks has responded by updating their Advanced WildFire machine-learning models and enhancing protections through Cortex XDR and XSIAM to counter both known and unknown threats using behavioral threat protection.
Security practitioners are urged to adopt advanced debugging techniques, such as hooking .NET Framework APIs like ResourceManager::GetObject and Assembly::Load, to intercept and analyze embedded resources during execution. Understanding these mechanisms is crucial for defenders to stay ahead of such stealthy threats.
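As an added illustration of the static counterpart to that advice (this is example code, not Unit 42's or the article's), the following .NET 6+ console program parses a sample's manifest resources with System.Reflection.Metadata and flags large, high-entropy Bitmap entries without ever loading the assembly. The 64 KB size threshold, the 7.0 entropy threshold and the `.bin` dump file names are assumptions.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Resources;
// Statically lists the .resources entries of a .NET assembly and flags large, high-entropy
// Bitmap entries for inspection. The sample is parsed as bytes; none of its code is loaded or run.
static class BitmapResourceTriage
{
    // Shannon entropy in bits per byte: encrypted or compressed data sits near 8.0, while an
    // uncompressed bitmap of a real picture is usually well below that.
    public static double Entropy(byte[] data)
    {
        var counts = new long[256];
        foreach (byte b in data) counts[b]++;
        double h = 0;
        foreach (long c in counts)
            if (c > 0) { double p = (double)c / data.Length; h -= p * Math.Log(p, 2); }
        return h;
    }
    static void Main(string[] args)
    {
        using var pe = new PEReader(File.OpenRead(args[0]));
        MetadataReader md = pe.GetMetadataReader();
        // Manifest resources sit back to back in the CLI resources directory, each prefixed with a 4-byte length.
        PEMemoryBlock resBlock = pe.GetSectionData(pe.PEHeaders.CorHeader.ResourcesDirectory.RelativeVirtualAddress);
        foreach (ManifestResourceHandle handle in md.ManifestResources)
        {
            ManifestResource res = md.GetManifestResource(handle);
            string name = md.GetString(res.Name);
            if (!res.Implementation.IsNil || !name.EndsWith(".resources")) continue;
            BlobReader blob = resBlock.GetReader();
            blob.Offset = (int)res.Offset;
            byte[] payload = blob.ReadBytes(blob.ReadInt32());
            using var reader = new ResourceReader(new MemoryStream(payload));
            IDictionaryEnumerator e = reader.GetEnumerator();
            while (e.MoveNext()) // e.Key only reads the name; touching e.Value would deserialize the object
            {
                string key = (string)e.Key;
                reader.GetResourceData(key, out string typeName, out byte[] data);
                double h = Entropy(data);
                // PNG-encoded pictures are compressed and also score high: hits are a triage list, not a verdict (thresholds assumed).
                bool hit = typeName.Contains("Bitmap") && data.Length > 64 * 1024 && h > 7.0;
                Console.WriteLine($"{name}/{key} [{typeName}] {data.Length} bytes, entropy {h:F2}{(hit ? "  <-- inspect" : "")}");
                if (hit) File.WriteAllBytes(key + ".bin", data); // raw serialized bytes for the analyst
            }
        }
    }
}
```

Run it as `dotnet run -- sample.exe` on an isolated analysis host; flagged entries are the bitmaps worth decoding and walking through with the hooked GetObject/Load calls described above.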
Indicators of Compromise (IoCs)
Below are key IoCs associated with the malware variants discussed:
| Malware Family | SHA-256 Hash | C2/Exfiltration Details |
|---|---|---|
| Agent Tesla Variant | ac5fc65ae9500c1107cdd72ae9c271ba9981d22c4d0c632d388b0d8a3acb68f4 | Server: hosting2.ro.hostsailor[.]com:587, Sender: packagelog@gtpv[.]online |
| XLoader | 511af3c08bd8c093029bf2926b0a1e6c8263ceba3885e3fec9b59b28cd79075d | hxxp[://]www.sixfiguredigital[.]group/aoc3/ |
| Remcos RAT | 3b83739da46e20faebecf01337ee9ff4d8f81d61ecbb7e8c9d9e792bb3922b76 | myhost001.myddns[.]me:9373, 103.198.26[.]222:9373 |