Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Malware Hidden in Images to Bypass Security

January 17, 2025
Reading Time: 2 mins read
in Alerts
4 Million Systems Exposed to Tunneling Flaws

Cybersecurity researchers have reported that threat actors are using images to conceal malicious code and distribute malware such as the VIP Keylogger and 0bj3ctivity Stealer. In two separate campaigns, attackers uploaded these images to archive[.]org, a file-hosting website, and employed the same .NET loader to execute their payloads. The initial attack vector starts with a phishing email masquerading as invoices or purchase orders, tricking recipients into opening malicious attachments like Microsoft Excel files. These attachments exploit a known vulnerability in Equation Editor (CVE-2017-11882) to download a VBScript file.

Once opened, the VBScript decodes and executes a PowerShell script that retrieves an image from archive[.]org. The Base64-encoded code embedded in the image is then decoded into a .NET executable and run. This executable serves as a loader, downloading and running the VIP Keylogger from a remote URL. The keylogger is capable of stealing various types of sensitive information, including keystrokes, clipboard content, screenshots, and credentials, with similar functionality to other well-known keyloggers like Snake and 404 Keylogger.

In the second campaign, attackers sent malicious archive files disguised as quotation requests.

In the second campaign, attackers sent malicious archive files disguised as quotation requests. These emails contained a JavaScript file that, when opened, triggered a PowerShell script. Similar to the first campaign, the script fetched an image, extracted and decoded Base64-encoded code, and executed the same .NET loader. The difference in this campaign is that it deployed the 0bj3ctivity information stealer, highlighting the actors’ use of different malware tools in successive attacks.

HP Wolf Security’s report also highlighted the growing trend of cybercriminals using malware kits to streamline their operations and reduce the level of technical expertise required. This includes the use of GenAI to create varied attack chains and improve their efficiency. Additionally, threat actors are leveraging platforms like GitHub to distribute malware such as Lumma Stealer through seemingly innocent video game cheat repositories. The increasing commodification of cybercrime has made it easier for even novice hackers to execute complex attacks.

Reference:
  • Malicious Code Concealed in Images to Deliver Keyloggers and Stealers
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityJanuary 2025
ADVERTISEMENT

Related Posts

Fake PyPI Login Site Steals Credentials

Fake PyPI Login Site Steals Credentials

September 26, 2025
Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

September 26, 2025
Fake PyPI Login Site Steals Credentials

Hidden WordPress Backdoors Create Admins

September 26, 2025
BadIIS Malware Spreads Via SEO Poisoning

Hackers Target AWS and Steal Credentials

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

SonicWall SMA100 Update Removes Rootkit

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

BadIIS Malware Spreads Via SEO Poisoning

September 24, 2025

Latest Alerts

Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

Hidden WordPress Backdoors Create Admins

Hackers Target AWS and Steal Credentials

SonicWall SMA100 Update Removes Rootkit

BadIIS Malware Spreads Via SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Indian Bank Transfer Records Exposed

    Chinese Cyberspies Hit US Defense Firms

    Neon App Shuts Down After Data Leak

    Boyd Gaming Reports Data Breach After Attack

    Morrisroe UK Company Hit By Cyber Attack

    GeoServer Flaw Breaches US Agency Network

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial