Keypoints
- GHOSTPULSE now stores its encrypted configuration and payload inside image pixels rather than in PNG IDAT chunks.
- Recent campaigns use social engineering—such as fake CAPTCHA flows that instruct victims to run Windows keyboard shortcuts—to execute malicious commands via the clipboard.
- The infection chain involves malicious JavaScript copying a PowerShell command to the clipboard, which victims inadvertently run, leading to payload download and execution.
- Deployment has been simplified: the latest GHOSTPULSE is packaged as a single compromised executable that embeds the PNG in its resources.
- Elastic Security updated its YARA rules and configuration-extractor tool to detect and extract configurations from both old and new GHOSTPULSE variants.
- Observed campaigns often pair GHOSTPULSE with LUMMA STEALER, and multiple C2 domains and sample hashes were identified and published.
MITRE Techniques
- [T1059.001] PowerShell – Execution via PowerShell begins when malicious JavaScript copies a command to the clipboard and the victim presses the keyboard shortcuts that paste and run it, launching the download script. [‘Malicious JavaScript triggers a PowerShell script execution.’]
- [T1027] Obfuscated Files or Information – GHOSTPULSE hides its configuration and payload by embedding encrypted data inside image pixels, making detection harder. [‘Malware embeds its payload within image pixels to evade detection.’]
- [T1071] Application Layer Protocol – The clipboard-launched PowerShell stage retrieves the GHOSTPULSE sample from a web host (winrar01.b-cdn[.]net), and LUMMA STEALER then communicates with its .shop C2 domains; the social-engineering lure only starts the chain, the resulting network traffic is what this technique covers. [‘Utilizes social engineering to execute commands remotely.’]
Indicators of Compromise
- [SHA-256] GHOSTPULSE sample – 57ebf79c384366162cb0f13de0de4fc1300ebb733584e2d8887505f22f877077 (Setup.exe), b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae (Setup_light.exe)
- [domain-name] Infrastructure and C2 – winrar01.b-cdn[.]net (hosting the GHOSTPULSE sample), reinforcenh[.]shop (LUMMA STEALER C2), and 9 more .shop C2 domains
Since its initial disclosure in 2023, the GHOSTPULSE family—also referred to as HIJACKLOADER or IDATLOADER—has continued to evolve, adopting increasingly sophisticated methods to hide its data and avoid detection. Early variants relied on abusing the IDAT chunk within PNG files to store an encrypted payload sequentially in file chunks. Analysts discovered that GHOSTPULSE would scan for the IDAT marker, verify a following 4-byte tag, and collect the encrypted blob across multiple occurrences until the complete payload was reconstructed.
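The legacy IDAT walk, as an added example that is not Elastic's extractor nor code from the article: it reconstructs the blob from tagged IDAT chunks and includes a constructed carrier PNG to run against. The 4-byte tag value is invented here (the page says a tag follows "IDAT" but does not give it), and the example walks the PNG chunk structure rather than string-searching for "IDAT", which avoids false hits on the marker inside compressed image data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Hypothetical tag: the page says a 4-byte tag follows "IDAT" in payload-bearing
# chunks but does not give its value, so this one is invented for the example.
TAG = b"\xc6\xa5\x79\xea"


def iter_chunks(png: bytes):
    """Yield (chunk_type, data) for each chunk: 4-byte big-endian length, 4-byte
    type, data, 4-byte CRC. Walking the structure (instead of scanning for the
    string "IDAT") avoids false hits on the marker inside compressed pixel data."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk at offset %d" % pos)
        yield ctype, data
        pos += 12 + length  # skip length, type, data and CRC
        if ctype == b"IEND":
            break


def collect_idat_payload(png: bytes, tag: bytes = TAG) -> bytes:
    """Concatenate, in file order, the bytes after `tag` from every IDAT chunk
    that starts with it; untagged IDAT chunks (real image data) are ignored."""
    out = bytearray()
    for ctype, data in iter_chunks(png):
        if ctype == b"IDAT" and data[:4] == tag:
            out += data[4:]
    return bytes(out)


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk with a valid CRC (CRC covers type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(blob: bytes, tag: bytes = TAG, piece: int = 8) -> bytes:
    """Constructed carrier PNG (not a real sample): a 1x1 IHDR, the blob split
    across tagged IDAT chunks with an untagged decoy IDAT in the middle, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    chunks = [_chunk(b"IHDR", ihdr)]
    pieces = [blob[i:i + piece] for i in range(0, len(blob), piece)]
    for n, p in enumerate(pieces):
        if n == 1:  # decoy: genuine-looking zlib stream, no tag
            chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")))
        chunks.append(_chunk(b"IDAT", tag + p))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)


if __name__ == "__main__":
    sample = build_sample_png(b"constructed encrypted bytes")
    print(collect_idat_payload(sample))
```

The decoy chunk shows why the tag check matters: a carrier image still has ordinary IDAT chunks, and concatenating all of them would corrupt the reconstructed blob.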
Recent analysis reveals a notable shift: the malware now embeds its encrypted configuration and payload directly into the image’s pixel data. Using standard Windows GDI+ APIs, the malware reads pixels and appends each pixel’s RED, GREEN, and BLUE values into a byte array. It then examines that array in 16-byte blocks where the first four bytes represent a CRC32 hash and the next 12 bytes contain data to be hashed. By computing the CRC32 over the 12-byte segment and comparing it to the provided hash, GHOSTPULSE can locate the offset and size of its encrypted configuration as well as the 4-byte XOR key required for decryption; the configuration is then XOR-decrypted to retrieve instructions and the payload.
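The pixel-based scan described above, as an added example that is not Elastic's extractor nor code from the article. It flattens pixels into the R,G,B byte array the loader builds with GDI+, scans it in 16-byte blocks for a body whose CRC32 matches the leading 4 bytes, and XOR-decrypts the configuration. The body layout (three little-endian u32 fields: offset, size, XOR key), the 16-byte stride and the cyclic 4-byte XOR are assumptions for the example; the carrier byte array is constructed inline, not taken from a real sample.

```python
import random
import struct
import zlib

BLOCK = 16  # 4-byte CRC32 followed by the 12 bytes it covers, per the article


def rgb_from_pixels(pixels) -> bytes:
    """Flatten an iterable of (R, G, B) tuples into the byte array the loader
    builds with GDI+. With Pillow you would feed it
    Image.open(path).convert("RGB").getdata()."""
    return bytes(c for px in pixels for c in px)


def find_header(rgb: bytes, stride: int = BLOCK):
    """Scan 16-byte blocks; return (block_at, offset, size, key) for the first
    block whose leading CRC32 equals the CRC32 of its 12-byte body. The body
    layout (little-endian u32 offset, size, XOR key) is an assumption."""
    for i in range(0, len(rgb) - BLOCK + 1, stride):
        stored = struct.unpack_from("<I", rgb, i)[0]
        body = rgb[i + 4:i + BLOCK]
        if zlib.crc32(body) & 0xFFFFFFFF == stored:
            offset, size, key = struct.unpack("<III", body)
            if offset + size <= len(rgb):  # reject a CRC hit that points nowhere
                return i, offset, size, key
    return None


def xor_decrypt(blob: bytes, key: int) -> bytes:
    """Apply the 4-byte key cyclically; XOR is symmetric so this also encrypts."""
    kb = key.to_bytes(4, "little")
    return bytes(b ^ kb[i & 3] for i, b in enumerate(blob))


def extract_config(rgb: bytes) -> bytes:
    """Locate the header block and return the decrypted configuration bytes."""
    hdr = find_header(rgb)
    if hdr is None:
        raise ValueError("no CRC32-validated header block found")
    _, offset, size, key = hdr
    return xor_decrypt(rgb[offset:offset + size], key)


def build_sample(config: bytes, key: int, header_at: int = 64,
                 data_at: int = 256, total: int = 1536) -> bytes:
    """Constructed stand-in for a carrier image's RGB bytes (not a real sample):
    seeded filler, one CRC32-tagged header block, and the XOR-encrypted config."""
    assert header_at % BLOCK == 0 and data_at + len(config) <= total
    rng = random.Random(1)
    buf = bytearray(rng.randrange(256) for _ in range(total))
    body = struct.pack("<III", data_at, len(config), key)
    crc = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    buf[header_at:header_at + BLOCK] = crc + body
    buf[data_at:data_at + len(config)] = xor_decrypt(config, key)
    return bytes(buf)


if __name__ == "__main__":
    cfg = b'{"c2":"example.invalid","build":7}'  # constructed placeholder config
    rgb = build_sample(cfg, key=0xDEADBEEF)
    pixels = [tuple(rgb[i:i + 3]) for i in range(0, len(rgb), 3)]  # 512 pixels
    print(find_header(rgb_from_pixels(pixels)))
    print(extract_config(rgb_from_pixels(pixels)))
```

The bounds check in find_header is the practitioner's addition: a CRC32 match on 12 bytes is a weak signal on its own, so an extractor should confirm that the offset and size actually fall inside the pixel buffer before trusting the block.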
The infection chain observed in recent campaigns pairs GHOSTPULSE with LUMMA STEALER and leverages creative social engineering to persuade victims to execute commands. Victims are typically directed through a fake CAPTCHA flow that, instead of completing a normal validation, instructs them to perform a series of Windows keyboard shortcuts. Malicious JavaScript on the page copies a PowerShell command to the clipboard, and when the user follows the shortcuts the command runs, launching a PowerShell script that downloads and executes the GHOSTPULSE payload. Because the victim pastes and runs the command themselves, the browser never downloads a file for the initial stage, so controls that inspect downloads or attachments do not see it; the user interaction is what sidesteps some automated protections.
Deployment has been simplified in the newest variant: where earlier iterations required a multi-file package—a benign executable, a loaded malicious DLL, and an external PNG—the updated GHOSTPULSE consolidates everything into a single compromised executable. That executable contains the PNG within its resources, streamlining delivery and execution on the target host.
In response to these changes, Elastic Security updated its tooling. The configuration extractor was enhanced to parse both IDAT-based and pixel-based PNG encodings and can output embedded payloads when given a PNG file. Elastic also revised and extended its YARA detection rules to identify signatures from both the original and updated GHOSTPULSE stages; the original rule remains effective at blocking the final stage of infection and is incorporated into Elastic Defend, with new rules slated for inclusion in a future release.
Technical defenders should note the parsing logic changes—specifically the GDI+ pixel reads and the CRC32-driven 16-byte block scanning routine—as these are central to reliably extracting and analyzing the encrypted configuration. Elastic published example YARA rules and the updated extractor in its labs-releases repository to assist researchers and incident responders in identifying and dissecting both legacy and current GHOSTPULSE samples.
All observables referenced in the research are available for download in ECS and STIX formats. Published IOCs include multiple SHA-256 hashes tied to sample filenames (e.g., Setup.exe and Setup_light.exe) as well as several domains used for hosting and command-and-control by LUMMA STEALER operators. Monitoring for the updated indicators and employing the revised extraction and detection tools can help mitigate these evolving loader techniques.
As GHOSTPULSE demonstrates, attackers iterate rapidly, combining novel data-hiding strategies with human-focused trickery. Continued collaboration between researchers and defenders, along with updated detection rules and analysis utilities, remains essential to stay ahead of such threats.
Read more: https://www.elastic.co/security-labs/tricks-and-treats