Remote Access Trojans (RATs) and Trojan Stealers continue to dominate the threat landscape as some of the most prevalent malware families.
To evade detection on compromised systems, these threats increasingly employ sophisticated crypters, loaders, and steganographic techniques that disguise malicious code within seemingly benign file formats such as images.
Building on their August 2025 analysis of a .NET loader that used steganography to deliver the Quasar RAT, the Splunk Threat Research Team (STRT) has identified an evolved variant of this loader.
This updated version includes an additional module specifically designed to evade detection and complicate payload extraction, representing a significant advancement over the previously documented variant.
The malicious loader disguises itself as legitimate business correspondence, using common transaction terminology like “Request for Quotation (RFQ)” to entice victims into decompressing and opening infected files.
Through YARA rule development, STRT identified multiple malware samples utilizing this deceptive loader mechanism.
Unlike earlier versions that embedded malicious images directly into the .NET resource metadata, this variant employs a more sophisticated approach.
The loader decrypts and loads an additional module directly into allocated memory space, functioning as a container that houses two separate modules.
These stager components remain concealed within two image files embedded in the .NET resource metadata, specifically a BMP file and a PNG file.

This architectural change significantly complicates detection efforts. The container module is only decrypted and loaded at runtime, making it substantially more difficult for static analysis tools and automated payload extraction systems to identify the threat without first decrypting the container module.
Lokibot Payload Delivery
The final payload delivered by this steganographic loader is Lokibot, a notorious information-stealer first advertised on underground forums in 2015.
Following its 2018 source code leak, and given its low acquisition cost, Lokibot became widely accessible to cybercriminals.
STRT used PixDig, a tool it developed previously, to extract the hidden payload from the images carried inside the decrypted DLL module loaded by this malicious loader.

The malware primarily targets Windows systems, harvesting browser and application credentials, cryptocurrency wallets and keystrokes, and provisioning backdoors for additional payloads.
Analysis of the loader’s PE file timestamp reveals that threat actors continue actively distributing Lokibot using this latest loader variant, despite some samples originating from older build versions.
This indicates ongoing development and updates in the malware’s deployment strategy.
The extracted Lokibot payload demonstrates extensive data collection capabilities, targeting numerous applications across multiple categories.

The malware systematically harvests credentials from popular browsers including Firefox, Opera, and Chrome variants, FTP clients like FileZilla and WinSCP, email clients such as Thunderbird and Outlook, and password managers including KeePass and Roboform.
Lokibot employs multiple MITRE ATT&CK techniques including time-based evasion, system information discovery, process injection into lsass.exe and vbc.exe processes, access token manipulation to enable SeDebugPrivilege, and scheduled task creation for persistence.
The malware also accesses Outlook profile information stored in Windows registry entries to extract email credentials and configuration data.
The Splunk Threat Research Team has developed comprehensive detection coverage for this malware family, creating 26 Splunk detections addressing all extracted MITRE ATT&CK tactics and techniques.
Key detections include monitoring for scheduled tasks created via XML, executable or script creation in suspicious paths, executable files loaded as modules, and unusual DNS queries from vbc.exe, which usually operates locally without requiring internet access.
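Two of the behaviours named above, DNS queries from vbc.exe and an executable mapped as a module, can be checked against host telemetry. The following is an added example, not code from Splunk or STRT; it runs over constructed Sysmon-style events (Event ID 22 for DNS queries, Event ID 7 for image loads) with made-up paths and a made-up domain.

```python
"""Added example (not from the STRT post): flag two Lokibot loader behaviours
in Sysmon-shaped events. All sample events below are constructed."""
from pathlib import PureWindowsPath

# Constructed sample events with Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "QueryName": "example-c2.invalid"},          # constructed domain
    {"EventID": 22,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
    {"EventID": 7,
     "Image": r"C:\Users\victim\AppData\Local\Temp\RFQ_2025.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\stage2.exe"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# vbc.exe is the .NET VB compiler; it normally works locally and has no
# reason to resolve DNS names, so any query from it is worth review.
NO_NETWORK_PROCESSES = {"vbc.exe"}


def detect(events):
    """Return (rule_name, process_image, detail) for every matching event."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if ev.get("EventID") == 22 and image in NO_NETWORK_PROCESSES:
            hits.append(("dns_query_from_vbc", image, ev.get("QueryName", "")))
        if ev.get("EventID") == 7:
            loaded = PureWindowsPath(ev.get("ImageLoaded", "")).name.lower()
            # Image-load events normally record DLLs; a .exe mapped as a
            # module is unusual and matches the loader's container behaviour.
            if loaded.endswith(".exe"):
                hits.append(("executable_loaded_as_module", image, loaded))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```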
