APT-C-20 Hides Shellcode in PNG Images for Fileless Espionage Attack
What happened
Researchers at 360 Advanced Threat Research Institute found a stealthy attack campaign attributed to APT-C-20, also known as APT28 or Fancy Bear, using malicious Office documents, COM hijacking, PNG steganography, and fileless payload execution.
The attack begins with a weaponized readme.docm file containing encrypted VBA macros. When opened, the document displays unreadable content and prompts the user to enable macros. Once macros are enabled, the document shows lure content themed around a defense ministry in an Eastern European country while quietly releasing malicious components in the background.
The macro drops two files under %PROGRAMDATA%\Microsoft\DeviceSync\: a malicious DLL named dnxstore.dll and a PNG image named EdgeLogo.png. It then modifies a user-level COM registry key so that when explorer.exe initializes a legitimate COM object, the system loads the malicious DLL. This allows the malware to persist without needing administrator-level access.
The DLL acts as a shellcode loader. It checks whether it is running inside explorer.exe, performs sandbox timing checks, then loads the PNG file that appears to be a normal Microsoft Edge-style image. Using least significant bit steganography, the loader extracts salt, IV, metadata, and an encrypted payload from the image’s pixel data. It then derives an AES-256 key, decrypts the hidden content, and executes the recovered shellcode in memory.
The final payload is an obfuscated C# remote-control trojan that uses the legitimate cloud storage service Filen.io as command-and-control infrastructure. It builds encrypted check-in messages, communicates with Filen gateway nodes, performs a secondary handshake, receives follow-on payloads, and reflectively loads them in memory.
Who is affected
Government agencies, defense-linked organizations, and entities involved in Eastern European geopolitical or military matters are the most likely targets based on the lure content and attribution assessment.
Organizations using Microsoft Office documents in sensitive workflows are also exposed if users can enable macros from untrusted files.
The broader risk applies to enterprises where user-level COM hijacking, suspicious explorer.exe child activity, cloud storage API abuse, and hidden payload execution from image files are not closely monitored.
Why CISOs should care
This campaign shows how advanced actors are combining older intrusion techniques with modern stealth. Macros, COM hijacking, steganography, cloud storage abuse, and reflective loading are each known tactics, but together they create a quiet and resilient attack chain.
For CISOs, the COM hijacking element matters because the persistence occurs at user level and abuses a legitimate Windows process. That can make the activity harder to spot than obvious autoruns or suspicious services.
The PNG steganography technique also complicates detection. The malicious payload is hidden inside what appears to be a normal image file, then decrypted and executed in memory. Traditional scanning that treats images as passive media may miss this stage.
The Filen.io command-and-control channel is another important detail. By using a legitimate cloud storage platform, the malware can blend malicious traffic into normal cloud service activity unless defenders inspect behavior, API usage, and unusual endpoint-to-cloud patterns.
3 practical actions
Harden Office macro controls: Block macros from internet-sourced documents, restrict macro execution to trusted signed files, and review whether users in sensitive teams can enable macros from unknown attachments.
Hunt for COM hijacking and suspicious Explorer loading: Security teams should review user-level COM registry changes, especially under
HKCU\Software\Classes\CLSID, and investigate unexpected DLL loads from%PROGRAMDATA%byexplorer.exe.Monitor image-based payload staging and cloud C2: Defenders should look for PNG files dropped alongside DLLs, hidden shellcode extraction behavior, reflective loading, unusual Filen.io API traffic, and suspicious encrypted check-ins from endpoints that do not normally use that service.
Recent cybersecurity news:


