The Splunk Threat Research Team (STRT) has uncovered a new variant of a .NET steganographic malware loader that hides malicious payloads inside image files and ultimately deploys LokiBot, one of the most persistent credential-stealing trojans in circulation.
In August 2025, Splunk researchers analyzed a .NET loader that used steganography to deliver malware such as Quasar RAT. But while investigating new samples, they discovered a modified version containing an additional evasion module.
As the researchers explain:
“We identified interesting malware samples featuring a modified version of this crypter or steganographic loader.… This variant included an additional module specifically designed to further evade detection and hinder payload extraction.”
This new loader masquerades as a legitimate business document, such as a Request for Quotation (RFQ), to lure victims into opening it.
STRT notes:
“This loader sample… disguises itself as a legitimate business document by using common transaction terms such as ‘Request for Quotation (RFQ)’ to entice users.”
Unlike previous variants that stored malicious image resources directly inside the main .NET binary, the new loader decrypts a separate “container” module at runtime.
According to Splunk:
“It decrypts and loads an additional module… solely as a container, housing two separate modules used by the loader.”
“These stagers are concealed within two image files embedded in the .NET resource metadata.”
The container includes two image files:
- crc.bmp
- IVBD.png
Both files contain hidden stager components encrypted with the same algorithm used in the earlier Quasar RAT loaders.
The STRT states:
“This is a new variant of the steganographic loader.… This variant stores the images within a separate ‘container’ module… only decrypted and loaded at runtime, making it more difficult for static detection tools and automated payload extraction.”
The team attempted to extract the payloads using their PowerShell steganography tool PixDig, but the tool errored out due to incompatible module loading.
After modifying PixDig to force decoding directly on the BMP and PNG files, the researchers successfully extracted the two stager modules hidden inside the images. A simple decryption script applied to the second stager then revealed the ultimate payload.
STRT confirmed the final-stage malware as LokiBot, one of the world’s most widely distributed information stealers.
LokiBot has existed for over a decade. It targets:
- Browser passwords
- Email clients
- FTP tools
- Password managers
- Cryptocurrency wallets
- Windows credentials
- Application configuration files
STRT highlights the continuing threat:
“The malware author continues to distribute LokiBot using the latest loader… suggesting ongoing activity and updates in the malware’s deployment strategy.”
The Splunk Threat Research Team’s analysis confirms an increasingly sophisticated evolution of steganographic loaders in the malware ecosystem. By hiding code inside image files, decrypting modules at runtime, and layering stagers across multiple file formats, threat actors are making static detection and automated analysis significantly harder.
This new loader variant, and its deployment of LokiBot, demonstrates how attackers continue to innovate even with long-established malware families.