APT28 PixyNetLoader Evolution from 2024 to 2026
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report examines how APT28 evolved its PixyNetLoader malware family between 2024 and 2026. The loader is delivered through malicious Office documents exploiting CVE-2026-21509 and installs a COM-registered DLL that extracts a hidden payload from PNG files using LSB steganography. That payload is a Covenant Grunt implant that communicates through the FILEN cloud service. Researchers identified four distinct PixyNetLoader sub-families and created a unified YARA rule to support detection across the variants.
Investigation
Analysts reviewed around 90 malware samples and grouped them into four sub-families based on shared functions and Rich header hash patterns. They found that newer variants introduced in March 2026 added fresh steganography methods, including AES-encrypted headers and PBKDF2-based key derivation. The investigation also documented the relevant file paths, registry keys, and DLL export names used by the malware, and produced YARA signatures for common functionality across the family.
Mitigation
Defenders should monitor for COM registration of unknown DLLs (new or modified InprocServer32 values under the CLSID keys tied to the malware), for PNG files written to the known staging locations, and for the export names and file paths documented in the report. Network defenses should inspect for traffic to the FILEN service and for payload characteristics that match the LSB steganography patterns captured in the YARA rules; because FILEN is a third-party cloud storage service, baseline which hosts legitimately use it before alerting on the traffic. Organizations should apply the patch for CVE-2026-21509 and limit or disable risky Office macro execution to reduce exposure.
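The mechanism described above (a payload hidden in the least significant bits of a PNG's pixel samples) and the file-level checks a hunter would run on PNGs found in the staging locations, as an added stdlib-only Python example that is not code from the report or from the malware: a cover image is built, a payload is hidden behind a 4-byte length header in the LSB of successive samples, and triage_png both recovers it and flags structurally broken files (bad CRCs, trailing data after IEND, or a bare PNG signature followed by junk). The length-header layout, the cover image and the sample payload are constructed assumptions; the loader's real container format is not reproduced, and the March 2026 variants with AES-encrypted headers and PBKDF2 key derivation would not yield to a plaintext probe like this one.

```python
"""Constructed example: LSB steganography in PNG (embed/extract) plus triage checks.
Stdlib only. The 4-byte length header is an assumed layout, not PixyNetLoader's."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """PNG chunk: big-endian length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, pixels: bytes) -> bytes:
    """Encode raw 8-bit RGB samples as a PNG, filter type 0 on every scanline."""
    assert len(pixels) == width * height * 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Return (width, height, pixels, findings); structural anomalies land in findings."""
    findings = []
    if not data.startswith(PNG_SIG):
        return None, None, None, ["bad PNG signature"]
    pos, width, height, idat = len(PNG_SIG), None, None, b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            findings.append(f"truncated chunk {ctype!r}")  # e.g. a signature followed by junk
            break
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"bad CRC on {ctype!r}")
        if ctype == b"IHDR" and len(body) >= 13:
            w, h, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) == (8, 2):
                width, height = w, h
            else:
                findings.append("only 8-bit RGB is decoded here")
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                findings.append(f"{len(data) - pos} trailing bytes after IEND")
            break
    else:
        findings.append("no IEND chunk")
    if width is None or not idat:
        return width, height, None, findings + ["no decodable image data"]
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        return width, height, None, findings + ["IDAT does not inflate"]
    stride = width * 3
    pixels = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[:1] != b"\x00":  # other scanline filters are not unfiltered in this example
            return width, height, None, findings + ["non-zero scanline filter"]
        pixels += row[1:]
    return width, height, bytes(pixels), findings


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide a 4-byte big-endian length plus payload in the LSB of successive samples."""
    bits = "".join(f"{b:08b}" for b in struct.pack(">I", len(payload)) + payload)
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)


def extract_lsb(pixels: bytes, max_len: int = 1 << 20):
    """Reverse embed_lsb; None when the decoded length cannot fit in the image."""
    def read(n_bytes: int, offset: int) -> bytes:
        bits = "".join(str(pixels[offset + i] & 1) for i in range(n_bytes * 8))
        return int(bits, 2).to_bytes(n_bytes, "big")
    if len(pixels) < 32:
        return None
    n = struct.unpack(">I", read(4, 0))[0]
    if n == 0 or n > max_len or 32 + n * 8 > len(pixels):
        return None
    return read(n, 32)


def triage_png(data: bytes) -> dict:
    """Hunting heuristics: structural anomalies plus a plaintext-length LSB probe."""
    width, height, pixels, findings = parse_png(data)
    hidden = extract_lsb(pixels) if pixels else None
    if hidden is not None:
        findings.append(f"LSB probe recovered {len(hidden)} bytes")
        if hidden[:2] == b"MZ":
            findings.append("recovered data starts with an MZ header")
    return {"suspicious": bool(findings), "findings": findings, "hidden": hidden}


if __name__ == "__main__":
    W, H = 16, 16
    cover = bytes(((i * 7) % 256) & 0xFE for i in range(W * H * 3))  # constructed cover, LSBs all 0
    stage = b"MZ\x90\x00" + b"constructed stage bytes"               # constructed payload
    print(triage_png(build_png(W, H, embed_lsb(cover, stage)))["findings"])
    print(triage_png(PNG_SIG + b"UE9TVCAiZXhlYyAi")["findings"])     # signature-plus-junk file
```

Run it against PNGs collected from the staging locations; the structural findings are the reliable part (a real image never has bytes after IEND or a chunk whose CRC fails), while the LSB probe only recovers data laid out the way this example lays it out.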
Response
If PixyNetLoader activity is detected, isolate the impacted endpoint, remove the malicious DLL and associated PNG file, and remove or restore the hijacked COM registrations (the CLSID keys the DLL registered under). Investigators should collect the extracted Covenant Grunt payload and the relevant network logs, then hunt for related APT28 tooling such as SlimAgent or Graphite. Detection content should also be updated and macro restrictions enforced consistently across the environment.
Attack Flow
We are still updating this part.
Detections
- Possible Explorer COM Hijacking (via registry_event)
- Possible Outlook Based Persistence (via registry_event)
- Potentially Suspicious Scheduled Task Create, Run, Delete Behavior (via process_creation)
- Suspicious Taskkill Execution (via cmdline)
- Possible Search / Search-MS URI Protocol Handler Abuse (via cmdline)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- LOLBAS Regsvr32 (via cmdline)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via cmdline)
- Possible Explorer COM Hijacking (via file_event)
- Possible Outlook Based Persistence (via file_event)
- Probable Use of Windows Hacktools [Part1] (via file_event)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns_query)
- Suspicious Scheduled Task (via audit)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- IOCs (HashSha256) to detect: Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 Part 5
- IOCs (HashSha256) to detect: Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 Part 4
- IOCs (HashSha256) to detect: Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 Part 3
- IOCs (HashSha256) to detect: Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 Part 2
- IOCs (HashSha256) to detect: Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 Part 1
- IOCs (HashMd5) to detect: Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026
- Detect PixyNetLoader Steganography PNG Files [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section gives the exact commands used to exercise the adversary technique (TTP) so that the detection rule fires. The commands and narrative reflect the TTPs identified above and are designed to generate the telemetry the detection logic expects.
Attack Narrative & Commands:
An APT28 operator takes a malicious payload (in the real campaign, the Covenant Grunt implant) and embeds it into a PNG using a custom steganography tool. The operator then copies the crafted PNG to one of the known PixyNetLoader drop locations (SplashScreen.png). The file write generates a Windows Security audit event (4663) that matches the Sigma rule, causing an alert; note that 4663 is only produced when object-access auditing is enabled and the target directory carries a SACL covering write access, so confirm both before relying on this telemetry. The attacker relies on a benign-looking file type (PNG) to blend in with normal user data and avoid endpoint AV signatures.
Regression Test Script:
# --------------------------------------------------------------
# PixyNetLoader Steganography PNG simulation – triggers detection
# --------------------------------------------------------------
# 1. Define the target path (one of the three locations the rule monitors;
#    adjust if your rule lists a different drop location)
$targetPath = "$env:USERPROFILE\Microsoft OneDrive\setupCache\SplashScreen.png"

# Make sure the parent directory exists, otherwise WriteAllBytes fails
$targetDir = Split-Path -Path $targetPath -Parent
if (-not (Test-Path $targetDir)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

# 2. Build a minimal PNG signature (8 bytes) – in a real attack the file
#    would be a valid image carrying the steganographically hidden payload.
$pngHeader = [byte[]] (0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A)

# 3. Append a dummy payload standing in for the hidden data
#    (base64 text that decodes to a harmless placeholder string, not a working script)
$payload = [Text.Encoding]::ASCII.GetBytes("UE9TVCAiZXhlYyAiY2F0IC5leHQiIiA+ICJQYXlsb2FkIg==")
$fileBytes = $pngHeader + $payload

# 4. Write the crafted PNG to the target location
[IO.File]::WriteAllBytes($targetPath, $fileBytes)
Write-Host "Simulated PNG deployed to $targetPath"
Cleanup Commands:
# Remove the simulated PNG to restore the host
$targetPath = "$env:USERPROFILE\Microsoft OneDrive\setupCache\SplashScreen.png"
if (Test-Path $targetPath) {
    Remove-Item -Path $targetPath -Force
    Write-Host "Removed $targetPath"
} else {
    Write-Host "File not found – nothing to clean."
}