Cybersecurity researchers at Palo Alto Networks’ Unit 42 have discovered a new method attackers use to hide malware inside bitmap images embedded in harmless-looking 32-bit .NET applications.
This technique, a form of steganography, lets attackers deliver malware such as Agent Tesla, Remcos RAT, and XLoader through a multi-stage infection process.
Targeted Malware Campaigns Use Hidden Code in Images

Between late 2024 and early 2025, attackers launched targeted email campaigns against the finance sector in Türkiye and logistics firms in Asia. Over 250 emails were sent carrying malicious Windows files disguised as documents related to purchases or payments.
The attack starts with a .NET application that embeds a hidden bitmap resource named “rbzR.” This bitmap contains encoded malware that is unpacked in later stages, eventually producing a file called Montero.dll.
The final payload—often given a harmless-sounding name such as Remington.exe—is decoded using layered encryption, which makes it harder to detect. One example key used in this process is “opIaZhYa.”
Malware Uses Advanced Tricks to Evade Detection
The malware avoids traditional security tools by loading its harmful code dynamically using techniques like reflection and late binding.
It also uses heavy obfuscation—like scrambled code, fake timestamps (e.g., “2102-09-02”), and encrypted strings—to make reverse engineering difficult.
By hiding inside legitimate-looking .NET apps, including those using Windows Forms OCR, the malware becomes harder for antivirus tools to catch.
Once active, the malware can send stolen data to command-and-control servers or through email, as seen with Agent Tesla variants.
Palo Alto Networks has updated its security tools, like Cortex XDR and WildFire, to better detect these threats. Experts recommend using advanced debugging to catch hidden resources during runtime and better understand how these attacks work.
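As an added example (not Unit 42's tooling and not code from the campaign), the following Python triage script applies the runtime-inspection advice above to the bitmap-resource trick described earlier: it assumes the application's embedded resources have already been extracted as raw bytes, and it flags any BMP whose pixel area has the byte entropy and neighbour-to-neighbour variance of ciphertext rather than of a picture. The resource name rbzR is borrowed from the report; the two sample images and the thresholds are constructed here, not taken from the malware.

```python
import math
import random
import struct
from collections import Counter

def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap raw 24-bit pixel rows in a minimal BMP (BITMAPINFOHEADER) container."""
    pixel_offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels

def pixel_array(blob: bytes):
    """Return the pixel array of a BMP blob (via the header's offset), or None if not a BMP."""
    if len(blob) < 14 or blob[:2] != b"BM":
        return None
    return blob[struct.unpack_from("<I", blob, 10)[0]:]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is perfectly uniform; real pictures sit well below that."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def neighbour_diff(data: bytes) -> float:
    """Mean |byte[i] - byte[i+1]|: near 0 for smooth images, about 85 for random bytes."""
    return sum(abs(a - b) for a, b in zip(data, data[1:])) / (len(data) - 1)

def looks_like_payload(blob: bytes, entropy_min: float = 7.5, diff_min: float = 60.0) -> bool:
    """Flag a BMP whose pixel area behaves like ciphertext rather than like a picture."""
    px = pixel_array(blob)
    if px is None or len(px) < 2:
        return False
    return shannon_entropy(px) > entropy_min and neighbour_diff(px) > diff_min

def triage_resources(resources: dict) -> list:
    """Names of extracted embedded resources that look like payload-carrying bitmaps."""
    return [name for name, blob in resources.items() if looks_like_payload(blob)]

# Constructed samples, not real artefacts: 64x64 pixels, 24 bpp, 192-byte rows (no padding).
W, H, STRIDE = 64, 64, 192
clean_rows = b"".join(bytes([y * 4]) * STRIDE for y in range(H))   # smooth vertical gradient
noise_rows = random.Random(1).randbytes(STRIDE * H)                 # stands in for an encoded payload
SAMPLES = {
    "logo": build_bmp(W, H, clean_rows),
    "rbzR": build_bmp(W, H, noise_rows),   # resource name taken from the reported campaign
    "strings.txt": b"not an image at all",
}
```

Calling `triage_resources(SAMPLES)` returns `['rbzR']`: the gradient image scores about 6 bits per byte with near-zero neighbour difference, while the noise-filled bitmap scores close to 8 bits with a neighbour difference near 85.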
Indicators of Compromise (IoCs)
| Malware Family | SHA-256 Hash | C2/Exfiltration Details |
|---|---|---|
| Agent Tesla Variant | ac5fc65ae9500c1107cdd72ae9c271ba9981d22c4d0c632d388b0d8a3acb68f4 | Server: hosting2.ro.hostsailor[.]com:587, Sender: packagelog@gtpv[.]online |
| XLoader | 511af3c08bd8c093029bf2926b0a1e6c8263ceba3885e3fec9b59b28cd79075d | hxxp[://]www.sixfiguredigital[.]group/aoc3/ |
| Remcos RAT | 3b83739da46e20faebecf01337ee9ff4d8f81d61ecbb7e8c9d9e792bb3922b76 | myhost001.myddns[.]me:9373, 103.198.26[.]222:9373 |