Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
APT-C-20 Uses PNG Images for Stealthy C# Backdoor

APT-C-20 Uses PNG Images for Stealthy C# Backdoor

Posted on July 9, 2026 By CWS

A notorious hacker group known as APT-C-20, alternatively called APT28 or Fancy Bear, has devised a method to bypass security measures by embedding harmful code within ordinary image files.

This group conceals shellcode within PNG images to activate a fileless backdoor coded in C#. This technique allows attackers to avoid leaving detectable files on the system, making it challenging for security tools to identify the breach.

Stealthy Attack Techniques

The initial phase of the attack involves sending a Word document disguised as a file related to an Eastern European government’s defense sector via email. Victims who enable macros unknowingly trigger the deployment of a concealed DLL and an altered PNG image, which then exploit a Windows feature to execute code stealthily.

The DLL extracts hidden shellcode from the image and executes it directly in memory, deploying a remote access tool that communicates with attackers through cloud storage channels.

APT-C-20’s Sophisticated Deception

Security analysts from 360 have tracked this campaign, noting its similarity to APT-C-20’s past operations. Their findings highlight the group’s use of multiple layers of deception, including encrypted macros, covert registry modifications, and image-based steganography to maintain the attack’s invisibility.

This campaign poses a substantial threat, particularly to government and diplomatic organizations due to its convincing disguise. The fileless nature of the attack means traditional antivirus software often fails to detect it, necessitating behavior-based detection methods.

Implications for Cybersecurity

The attack commences with a file named readme.docm, which appears meaningless until macros are enabled, revealing a decoy related to an Eastern European defense ministry. Meanwhile, the macro executes a series of actions, including dropping files and setting up system persistence.

The malware reaches out to dropbox.com as part of its reconnaissance, then duplicates itself into temporary directories, writing files such as dnxstore.dll and EdgeLogo.png to designated locations. Through COM hijacking, Windows Explorer is manipulated to load malicious code.

Once activated, the shellcode extracts details from the image and runs the backdoor, a C# program called Publish.exe, entirely in memory. The backdoor collects system information, encrypts it, and communicates using Filen.io, ensuring resilience through multiple backup gateways.

Researchers emphasize the importance of scrutinizing unexpected macro-enabled documents and monitoring unusual system behaviors to detect such intrusions early. By doing so, organizations can better protect sensitive data from sophisticated cyber threats like those posed by APT-C-20.

Cyber Security News Tags:APT-C-20, C# backdoor, cloud communication, COM hijacking, Cybersecurity, fileless malware, macro malware, PNG images, Shellcode, Steganography

Post navigation

Previous Post: Android Malware PromptSpy Adapts Using AI in Real-Time
Next Post: CrowdStrike Reveals New AI Threats with Prompt Injection

Related Posts

New Phishing Attack Targeting iPhone Owners Who’ve Lost Their Devices New Phishing Attack Targeting iPhone Owners Who’ve Lost Their Devices Cyber Security News
Vulnerability in KnowledgeDeliver LMS Exploited for Web Shell Deployment Vulnerability in KnowledgeDeliver LMS Exploited for Web Shell Deployment Cyber Security News
HR Giant Workday Discloses Data Breach After Hackers Compromise Third-Party CRM HR Giant Workday Discloses Data Breach After Hackers Compromise Third-Party CRM Cyber Security News
Microsoft’s New Teams New Admin Role to Manage External Collaboration Settings Microsoft’s New Teams New Admin Role to Manage External Collaboration Settings Cyber Security News
10 Best AI penetration Testing Companies in 2025 10 Best AI penetration Testing Companies in 2025 Cyber Security News
Critical FortiSIEM Vulnerability Enable Full RCE and Root Compromise Critical FortiSIEM Vulnerability Enable Full RCE and Root Compromise Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • CrowdStrike Reveals New AI Threats with Prompt Injection
  • APT-C-20 Uses PNG Images for Stealthy C# Backdoor
  • Android Malware PromptSpy Adapts Using AI in Real-Time
  • Fake Google Page Targets Mexican Bank Users with Malware
  • Claude Cowork Enhances AI Session Management on Mobile

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • CrowdStrike Reveals New AI Threats with Prompt Injection
  • APT-C-20 Uses PNG Images for Stealthy C# Backdoor
  • Android Malware PromptSpy Adapts Using AI in Real-Time
  • Fake Google Page Targets Mexican Bank Users with Malware
  • Claude Cowork Enhances AI Session Management on Mobile

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark