SYMBOLCOMMON_NAMEaka. SYNONYMS
win.png_load (Back to overview)

PNGLoad

According to ESET Research, PNGLoad is a second-stage payload deployed by Worok on compromised systems and loaded either by CLRLoad or PowHeartBeat. PNGLoad has capabilities to download and execute additional payloads from a C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable - obfuscated with .NET Reactor - that masquerades as legitimate software.

References
2022-09-06ESET ResearchThibaut Passilly
Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad Worok

There is no Yara-Signature yet.