PureLogs

The use of steganography in the threat landscape continues to accelerate. Threat actors are increasingly shifting from direct encrypted transfers to a 'legitimate-file-plus-hidden-data' model, effectively masking their next-stage payloads within everyday media.

FortiGuard Labs recently uncovered a phishing campaign that abuses environment variables to hide malicious commands and uses PawsRunner as a Steganography Loader to deploy the .NET infostealer PureLogs.[1]

[1] https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography?lctg=141970831

Link to full report: IR-26-138-001_PureLogs.pdf
