A detailed PixyNetLoader malware analysis published by threat intelligence firm Exatrack reveals how a sophisticated loader linked to APT28 has been hiding malicious payloads inside PNG image files since late 2024. The technique, known as steganography, embeds encrypted shellcode into the least significant bits of image pixels — making detection far harder for traditional security tools.
What is PixyNetLoader?
PixyNetLoader is a DLL-based malware loader. It arrives via a malicious Office document that exploits CVE-2026-21509. After initial compromise, a dropper called SimpleDropper installs the loader with COM persistence and drops a companion PNG file alongside it.
PixyNetLoader then reads the PNG file, extracts a Covenant Grunt payload from the image pixels, and executes it directly in memory. The Grunt payload uses the FILEN cloud service as its command-and-control channel.
“PixyNetLoader loads the PNG file, extracts a Covenant Grunt payload from the pixels’ LSBs, using the filen service for communication.”
Exatrack chose to focus on PixyNetLoader for a specific reason. Unlike many loaders, this one is installed with persistence and sits on disk unencrypted. That combination makes it the component most likely to leave a trace that defenders can find across a network.
Furthermore, a February 2026 advisory from CERT-UA confirmed the tool remains active. Previous coverage appeared in Operation Phantom Net Voxel by Sekoia and Operation Neusploit by Zscaler.
Four families, two years of evolution
The Exatrack PixyNetLoader malware analysis identified 23 distinct versions spanning from April 2024 to April 2026. Researchers grouped these into four code families.
Family A
This is the original strain, covered in Operation Phantom Net Voxel. Its main run lasted from December 2024 to July 2025; three further versions appeared on January 21 and 23, 2026, tied to Operation Neusploit.
Family 58a6e3e4
A single version from September 2025. Notably, around 430 variants of it appeared on VirusTotal, all uploaded continuously by the same submitter and differing only in small random code modifications.
Family B
Active from September 2025 through March 2026. Some PNG library functions carried over from earlier versions.
Family C — the newest and stealthiest
Family C began on March 13, 2026 and introduces a considerably more robust payload extraction process. The loader carries an embedded secret, hashes it with SHA-256, applies a byte permutation to the digest, and feeds the result into PBKDF2-HMAC-SHA256 with 20,000 iterations, using a salt extracted from the PNG, to derive the AES key that decrypts the payload. Because the salt lives in the image, the DLL on its own is not enough to recover the payload: analysts need the matching companion PNG as well.
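To make the Family C pipeline concrete, here is an added Python illustration of the same shape: pull the salt and ciphertext out of the least significant bits of raw RGB pixel bytes, then run SHA-256, a permutation and PBKDF2-HMAC-SHA256 (20,000 iterations) to get the AES key. This is not Exatrack's decryption script or the loader's code. Everything the page does not specify is an assumption here and is labelled in the comments: the LSB layout (one bit per channel byte, MSB first, salt then a length field then ciphertext), the 16-byte salt and 32-byte key, the stand-in permutation, and the carrier image, which is constructed rather than a real companion PNG. The final AES decryption is left to an AES library because the mode and IV handling are not described on the page.

```python
import hashlib
import random
import struct

PBKDF2_ITERATIONS = 20_000   # iteration count reported for Family C
SALT_LEN = 16                # assumption: salt length is not given on the page
KEY_LEN = 32                 # assumption: AES-256 key


def permute(digest: bytes) -> bytes:
    """Stand-in for the loader's byte permutation (assumption: the real one is not
    described). Swaps the two halves of the SHA-256 digest and reverses each half."""
    return digest[16:][::-1] + digest[:16][::-1]


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """secret -> SHA-256 -> permutation -> PBKDF2-HMAC-SHA256(salt, 20,000) -> AES key."""
    password = permute(hashlib.sha256(secret).digest())
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def embed_lsb(pixels: bytes, data: bytes) -> bytes:
    """Hide data in the LSB of consecutive channel bytes, one bit each, MSB first
    (assumed layout). Each byte changes by at most 1, so the image looks unchanged."""
    if len(data) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for bit in range(8):
            out[i * 8 + bit] = (out[i * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract_lsb(pixels: bytes, nbytes: int, bit_offset: int = 0) -> bytes:
    """Inverse of embed_lsb: reassemble nbytes from the LSBs starting at bit_offset."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[bit_offset + i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def pack_container(salt: bytes, ciphertext: bytes) -> bytes:
    """Assumed container layout: salt || ciphertext length (LE uint32) || ciphertext."""
    return salt + struct.pack("<I", len(ciphertext)) + ciphertext


def unpack_container(pixels: bytes):
    """Read the salt and the AES ciphertext back out of the pixel LSBs."""
    header = extract_lsb(pixels, SALT_LEN + 4)
    salt = header[:SALT_LEN]
    (clen,) = struct.unpack("<I", header[SALT_LEN:])
    return salt, extract_lsb(pixels, clen, bit_offset=(SALT_LEN + 4) * 8)


def recover(secret: bytes, pixels: bytes):
    """What the loader does at runtime: read salt and ciphertext from the image and
    derive the key. Decryption is then AES(key) over the ciphertext, with the mode
    and IV handling the page does not describe, so it is left to an AES library."""
    salt, ciphertext = unpack_container(pixels)
    return derive_key(secret, salt), ciphertext


def make_carrier(width: int, height: int, seed: int = 0) -> bytes:
    """Constructed RGB pixel buffer standing in for a decoded PNG. For a real file use
    a PNG decoder, e.g. Pillow: Image.open(path).convert("RGB").tobytes()."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(width * height * 3))
```

With a real sample the secret comes from the DLL and the pixels from the companion PNG; the ciphertext returned by recover() is what the loader hands to AES, and the derived key is the one an analyst would use to decrypt it offline.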
Some Family C samples are barely detected. As Exatrack notes, one sample was flagged by only two antivirus engines at the time of writing.
“Detection of these codes is relatively trivial if proper tracking is performed. The companion PNG files do not vary that much, and it is possible to search for them on the network.”
YARA rules and detection
Despite Family C’s low detection rate, Exatrack found broader detection feasible. Researchers wrote YARA rules targeting shared string encryption functions that appear across nearly all PixyNetLoader variants — regardless of family.
Additionally, COM registry persistence keys remain relatively consistent across samples. Companion PNG files show limited variation, making network-based hunting viable.
Tracking APT28 habits beyond PixyNetLoader
The APT28 steganography attack pattern did not stop at PixyNetLoader. By searching for shared binary characteristics — bad checksums, patched timestamps, 64-bit DLL structure, and Microsoft Corporation as the listed company name — Exatrack also identified two other APT28 tools: SlimAgent and Graphite.
This finding suggests APT28 reuses consistent code packaging habits across different malware families. Those habits, while not unique to APT28, provide a useful pivot for threat hunters.
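The pivot described above can be scripted against a directory of binaries. The following Python is an added example, not Exatrack's tooling, that scores the four packaging traits on a PE file: a stored image checksum that does not match the recomputed one, an implausible TimeDateStamp, a 64-bit DLL, and a "Microsoft Corporation" company string. The checksum routine follows the documented imagehlp algorithm. Two things are assumptions of mine: the timestamp heuristic (cleared, saturated, in the future, or before 2000) and the shortcut of searching for the UTF-16LE CompanyName string instead of parsing VS_VERSIONINFO properly. The sample images are constructed in build_sample() and are not real APT28 binaries.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE32PLUS_MAGIC = 0x20B
CHECKSUM_OFFSET_IN_OPT = 64                             # same offset in PE32 and PE32+
COMPANY = "Microsoft Corporation".encode("utf-16-le")   # VERSIONINFO strings are UTF-16LE
Y2K = 946_684_800                                       # heuristic floor for a plausible link time


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as imagehlp computes it: fold every dword except the CheckSum
    field itself into 16 bits with carry, then add the file length.
    checksum_offset must be dword aligned, which holds for any normal e_lfanew."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPT   # PE signature + COFF header + field


def profile(data: bytes, now: int) -> dict:
    """Score the packaging traits used as a pivot. `now` is a Unix time passed in so
    the timestamp check is deterministic and testable."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, _nsec, stamp, _, _, _optsz, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    cs_off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, cs_off)[0]
    traits = {
        # zero means "not set", which is normal for user-mode binaries; only a wrong non-zero value is flagged
        "bad_checksum": stored != 0 and stored != pe_checksum(data, cs_off),
        # assumption: a patched TimeDateStamp shows up as cleared, saturated, future, or pre-2000
        "odd_timestamp": stamp in (0, 0xFFFFFFFF) or stamp > now or stamp < Y2K,
        "x64_dll": magic == PE32PLUS_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64 and bool(chars & IMAGE_FILE_DLL),
        # cheap stand-in for parsing VS_VERSIONINFO: look for the UTF-16LE CompanyName string anywhere in the file
        "claims_microsoft": COMPANY in data,
    }
    traits["matches_profile"] = all(traits.values())
    return traits


def build_sample(*, checksum: int, stamp: int, company: bytes = COMPANY) -> bytes:
    """Constructed minimal PE32+ DLL image (headers plus a version-string blob); not a real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, stamp, 0, 0, 240,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPT, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt) + company
```

None of these traits is suspicious alone, which is the caveat the article makes: plenty of legitimate software ships with a zero or stale checksum, and the CompanyName string proves nothing by itself. The value is in the conjunction, which is why profile() reports matches_profile only when all four line up.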
Key takeaway for defenders
The full PixyNetLoader malware analysis took Exatrack approximately six days from start to finish. The result is a practical set of YARA rules, detection queries, and a Python decryption script for Family C payloads. Defenders should monitor for unusual DLL COM registrations, unexpected PNG files in OneDrive cache paths, and outbound connections to the FILEN cloud service.
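The three hunting signals in this section (and the COM registry keys and companion PNG files mentioned earlier) can be expressed as a small correlation rule. The Python below is an added example, not one of Exatrack's published queries. It assumes Sysmon-shaped telemetry (EventID 13 registry value set, 11 file create, 3 network connection, with Sysmon's field names), that the FILEN service resolves under the filen.io domain, and that the OneDrive cache lives under AppData\Local\Microsoft\OneDrive; all three are assumptions. The events, hostnames, CLSID and file paths are constructed and are not indicators from the report.

```python
import re
from collections import defaultdict

# An InprocServer32 value under a user's Classes hive is the COM registration a user-mode dropper can write.
COM_INPROC = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32", re.I)
USER_PATH = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
ONEDRIVE_CACHE = re.compile(r"\\AppData\\Local\\Microsoft\\OneDrive\\", re.I)   # assumption: cache location
FILEN_HOST = re.compile(r"(^|\.)filen\.io$", re.I)                              # assumption: FILEN API domain


def classify(event: dict):
    """Map one event to a signal name, or None if it matches nothing."""
    eid = event["EventID"]
    if eid == 13:
        target, details = event["TargetObject"], event["Details"]
        if COM_INPROC.search(target) and USER_PATH.match(details) and details.lower().endswith(".dll"):
            return "com_persistence_user_dll"
    elif eid == 11:
        path = event["TargetFilename"]
        if ONEDRIVE_CACHE.search(path) and path.lower().endswith(".png"):
            return "png_in_onedrive_cache"
    elif eid == 3:
        if FILEN_HOST.search(event.get("DestinationHostname", "")):
            return "filen_connection"
    return None


def hunt(events):
    """Group signals per host. COM persistence from a user-writable DLL plus either
    companion signal is rated high; anything else stays low for triage."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["Computer"]].add(tag)
    verdicts = {}
    for host, tags in hits.items():
        confidence = "high" if "com_persistence_user_dll" in tags and len(tags) > 1 else "low"
        verdicts[host] = (confidence, tags)
    return verdicts


# Constructed telemetry: ws01 shows the full chain, ws02 and ws03 show look-alike benign activity.
EVENTS = [
    {"EventID": 13, "Computer": "ws01",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\netutil.dll"},
    {"EventID": 11, "Computer": "ws01",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\settings\preview.png"},
    {"EventID": 3, "Computer": "ws01", "DestinationHostname": "gateway.filen.io", "DestinationPort": 443},
    {"EventID": 13, "Computer": "ws02",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\vendorshell.dll"},
    {"EventID": 11, "Computer": "ws02", "TargetFilename": r"C:\Users\bob\Pictures\holiday.png"},
    {"EventID": 3, "Computer": "ws03", "DestinationHostname": "cdn.example.net", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, (confidence, tags) in hunt(EVENTS).items():
        print(host, confidence, sorted(tags))
```

A single filen.io connection or a stray PNG will show up as a low-confidence host; the rule only escalates when the same machine also has a COM server registered from a user-writable path, which is the combination the article's persistence description implies.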
Family C’s two unused steganography modes suggest further evolution is likely. Security teams should treat this as an active, developing threat — not a closed case.