Tricks and Treats: New Pixel-Level Deception

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

GHOSTPULSE malware has evolved to embed malicious data within the pixel structure of PNG files, replacing its previous IDAT chunk technique. Recent campaigns rely on social engineering: victims are tricked through CAPTCHA validations into triggering malicious commands via keyboard shortcuts. The malware now parses image pixels to retrieve its configuration and payload, verifying them with a CRC32 hash. Elastic Security has updated its YARA rules and configuration extractor tool to detect and analyze both the old and new versions. The new approach streamlines deployment to a single compromised executable that carries the PNG file in its resources section.

OPENCTI LABELS:

social engineering, lumma stealer, captcha, keyboard shortcuts, yara rules, configuration extractor, ghostpulse, pixel-level deception, png files, crc32, gdi+
