Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
APT-C-20 Uses PNG Images for Stealthy C# Backdoor

APT-C-20 Uses PNG Images for Stealthy C# Backdoor

Posted on July 9, 2026 By CWS

A notorious hacker group known as APT-C-20, alternatively called APT28 or Fancy Bear, has devised a method to bypass security measures by embedding harmful code within ordinary image files.

This group conceals shellcode within PNG images to activate a fileless backdoor coded in C#. This technique allows attackers to avoid leaving detectable files on the system, making it challenging for security tools to identify the breach.

Stealthy Attack Techniques

The initial phase of the attack involves sending a Word document disguised as a file related to an Eastern European government’s defense sector via email. Victims who enable macros unknowingly trigger the deployment of a concealed DLL and an altered PNG image, which then exploit a Windows feature to execute code stealthily.

The DLL extracts hidden shellcode from the image and executes it directly in memory, deploying a remote access tool that communicates with attackers through cloud storage channels.

APT-C-20’s Sophisticated Deception

Security analysts from 360 have tracked this campaign, noting its similarity to APT-C-20’s past operations. Their findings highlight the group’s use of multiple layers of deception, including encrypted macros, covert registry modifications, and image-based steganography to maintain the attack’s invisibility.

This campaign poses a substantial threat, particularly to government and diplomatic organizations due to its convincing disguise. The fileless nature of the attack means traditional antivirus software often fails to detect it, necessitating behavior-based detection methods.

Implications for Cybersecurity

The attack commences with a file named readme.docm, which appears meaningless until macros are enabled, revealing a decoy related to an Eastern European defense ministry. Meanwhile, the macro executes a series of actions, including dropping files and setting up system persistence.

The malware reaches out to dropbox.com as part of its reconnaissance, then duplicates itself into temporary directories, writing files such as dnxstore.dll and EdgeLogo.png to designated locations. Through COM hijacking, Windows Explorer is manipulated to load malicious code.

Once activated, the shellcode extracts details from the image and runs the backdoor, a C# program called Publish.exe, entirely in memory. The backdoor collects system information, encrypts it, and communicates using Filen.io, ensuring resilience through multiple backup gateways.

Researchers emphasize the importance of scrutinizing unexpected macro-enabled documents and monitoring unusual system behaviors to detect such intrusions early. By doing so, organizations can better protect sensitive data from sophisticated cyber threats like those posed by APT-C-20.

Cyber Security News Tags:APT-C-20, C# backdoor, cloud communication, COM hijacking, Cybersecurity, fileless malware, macro malware, PNG images, Shellcode, Steganography

Post navigation

Previous Post: Android Malware PromptSpy Adapts Using AI in Real-Time

Related Posts

New Clickfix Attack Promises “Free WiFi” But Delivers Powershell Based Malware New Clickfix Attack Promises “Free WiFi” But Delivers Powershell Based Malware Cyber Security News
PoC Exploit Released for Use-After-Free Vulnerability in Linux Kernel’s POSIX CPU Timers Implementation PoC Exploit Released for Use-After-Free Vulnerability in Linux Kernel’s POSIX CPU Timers Implementation Cyber Security News
Hackers Exploit OrBit Rootkit to Steal Linux Credentials Hackers Exploit OrBit Rootkit to Steal Linux Credentials Cyber Security News
Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks Cyber Security News
Security Researchers Expose Lazarus Recruitment Pipeline Live on Camera Through Honeypot Operation Security Researchers Expose Lazarus Recruitment Pipeline Live on Camera Through Honeypot Operation Cyber Security News
Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • APT-C-20 Uses PNG Images for Stealthy C# Backdoor
  • Android Malware PromptSpy Adapts Using AI in Real-Time
  • Fake Google Page Targets Mexican Bank Users with Malware
  • Claude Cowork Enhances AI Session Management on Mobile
  • Cybercriminals Exploit Fake Software to Create Proxy Networks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • APT-C-20 Uses PNG Images for Stealthy C# Backdoor
  • Android Malware PromptSpy Adapts Using AI in Real-Time
  • Fake Google Page Targets Mexican Bank Users with Malware
  • Claude Cowork Enhances AI Session Management on Mobile
  • Cybercriminals Exploit Fake Software to Create Proxy Networks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark