Threat actors have been observed concealing malicious code in images to deliver malware, such as VIP Keylogger and 0bj3ctivity Stealer, as part of separate campaigns. In both campaigns, attackers hid malicious code in photos uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads. The starting point is a phishing email that masquerades as invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft
