ThreatCluster

APT-C-20 Uses Steganography to Deploy Fileless C# Backdoor

First seen 9 Jul 2026, 00:48 UTC GbhackersCybersecuritynews 76% similarity 76

Article Content

Browse articles
ThreatCluster

APT-C-20, also known as Fancy Bear or APT28, has launched a new intrusion campaign utilizing advanced techniques to evade detection. The group employs LSB steganography to hide shellcode within PNG images, allowing them to execute a fileless C# remote-control Trojan. This method leverages weaponized Office documents that deploy a COM-hijacking DLL to facilitate the attack. The backdoor communicates through legitimate cloud storage services, enhancing its stealth. The campaign reflects the group's ongoing evolution in cyber tactics, focusing on stealth and evasion. Organizations using vulnerable Office applications and cloud storage services are at risk. The full scope of the impact is still being assessed as the campaign is ongoing.

Key Points: • APT-C-20 uses LSB steganography to hide malicious code in PNG images. • The attack employs a fileless C# backdoor that avoids traditional malware detection. • Organizations using vulnerable Office documents and cloud services are at risk.

ThreatCluster AI

Timeline

2026-07-08
APT-C-20 campaign reported
APT-C-20's new intrusion campaign was detailed, highlighting their use of steganography and fileless techniques.
Gbhackers
2026-07-08
Shellcode hidden in PNG images
The group was reported to be hiding shellcode in PNG images to launch a C# backdoor, evading security measures.
Cybersecuritynews

Community

Browse all →