Figure: Execution flow chart (image: K7 Labs)
Researchers at K7 Labs have discovered a highly obfuscated Python-based malware using multi-layer encoding, disguised archive formats, and stealthy process injection to establish persistent command-and-control (C2) communications on infected systems. The campaign appears carefully engineered to evade both user suspicion and traditional security controls by blending legitimate-looking components with deeply nested payload transformations.
The attack chain begins with a PE dropper decrypting its embedded payload at runtime, reconstructing a malicious batch script (config.bat) and writing it to disk. The malware follows a multi-step unpacking flow culminating in Python execution.
K7 Labs explains, “The infection chain starts with a PE dropper containing a runtime decryption routine… writing the reconstructed payload to disk via WriteFile.”
The batch script then downloads what appears to be a harmless PNG file—but this “image” is actually a RAR archive disguised with a .png extension:
“Although the downloaded file has a .png extension, it’s actually a RAR archive — this is a simple and well-used trick, as users and security filters treat .png files as harmless.”
Once extracted, the malware reveals more deception:
- AsusMouseDriver.sys — actually a password-protected RAR
- Interput.json — renamed to Install.bat at runtime
- Inx — a legitimate WinRAR helper executable used to unpack the hidden archive
After unpacking, the script builds a fake Windows directory:
“The directory named WindowsSecurityA now holds: a file named ntoskrnl.exe (pretending to be a Windows kernel file, but actually a bundled Python runtime)… [and] the main obfuscated Python payload.”
The loader then executes this counterfeit ntoskrnl.exe with two arguments—dcconsbot and dcaat—which serve as keys for triggering the malware’s multilayer de-obfuscation sequence. These arguments are passed directly to the Python interpreter.
K7 Labs notes that the actual malicious logic is buried beneath several decoding and decompression layers: “The unpacking process uses layered transformations: Base64 → BZ2 → Zlib → marshal.loads.”
Most of the resulting 65 MB blob is meaningless filler: “Only a small portion near the end contains the valid marshalled Python bytecode.” This final .pyc payload is executed directly in memory.
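A defender's static unpacker for the layering described above, added here as an illustration and not K7 Labs' code: it peels the Base64/BZ2/Zlib layers by their magic bytes, scans past the filler for the marshalled code object, and lists the names the bytecode references without ever executing it. The input is a constructed stand-in blob (filler plus harmless bytecode wrapped in the same three layers), not the real sample, and the layer detection is a heuristic.

```python
import base64, bz2, marshal, types, zlib
from typing import List, Optional, Tuple

def peel_layers(blob: bytes, max_layers: int = 8) -> Tuple[bytes, List[str]]:
    """Strip Base64/BZ2/Zlib layers by magic bytes; returns raw data and layer names."""
    layers = []
    for _ in range(max_layers):
        if blob.startswith(b"BZh") and blob[3:4].isdigit():          # bzip2 stream header
            blob, layer = bz2.decompress(blob), "bz2"
        elif blob[:1] == b"\x78" and int.from_bytes(blob[:2], "big") % 31 == 0:
            blob, layer = zlib.decompress(blob), "zlib"               # zlib CMF/FLG check
        else:
            try:                                   # strict Base64; binary data fails here
                blob, layer = base64.b64decode(blob, validate=True), "base64"
            except ValueError:
                break
        layers.append(layer)
    return blob, layers

def find_code_object(data: bytes) -> Optional[Tuple[int, types.CodeType]]:
    """Locate the marshalled code object after the filler; nothing is executed."""
    # marshal type code 'c' (0x63) marks a code object, 0xE3 when FLAG_REF is set.
    for off in range(len(data)):
        if data[off] not in (0x63, 0xE3):
            continue
        try:
            obj = marshal.loads(data[off:])
        except (ValueError, EOFError, TypeError):
            continue                               # false candidate inside the filler
        if isinstance(obj, types.CodeType):
            return off, obj
    return None

def referenced_names(code: types.CodeType) -> List[str]:
    """Collect co_names recursively (nested functions too) for static triage."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names.update(referenced_names(const))
    return sorted(names)

def build_sample() -> bytes:
    """Constructed stand-in for the described blob: filler + bytecode, then the 3 layers."""
    code = compile("def stage():\n    return 'demo'\nresult = stage()\n", "<stage>", "exec")
    filler = b"pad" * 300 + b"c" + b"pad" * 300   # junk with one false 'c' candidate
    return base64.b64encode(bz2.compress(zlib.compress(filler + marshal.dumps(code))))
```

The same scan works on a real blob after the layers are peeled; only the reported offset will be much larger because of the filler.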
Once unpacked, the payload immediately performs process injection into cvtres.exe, a legitimate Microsoft utility. This gives the malware two powerful advantages:
- “Stealth: Security tools often trust signed Microsoft binaries… allowing malicious activity to look as if coming from a legitimate process.”
- “Persistence: Even if the loader process terminates, the injected process remains alive and continues C2 communication.”
Network analysis revealed that the injected .NET module—downloaded from the attacker’s server at runtime—establishes encrypted TCP communications with the C2 infrastructure.
K7 Labs notes: “This continuous, bidirectional, encrypted traffic pattern is characteristic of a remote-access trojan (RAT).”
The RAT functionality includes:
- Command execution
- File transfer
- Reconnaissance
- Persistent remote control
K7 Labs summarizes the entire operation concisely: “The sample has several features: multi-layer encoding, masquerading of archive types, and bundling of a Python runtime with a signed/legitimate-looking executable name.”