Ghostpulse Continues to Evolve, Creating PNG Malware Threats  

Security researchers warn about the latest evolution of the malware variant, which now conceals its payload inside a manipulated PNG image file.  

The switch observed by Elastic Security Labs is the biggest shift in the cybercriminals' tradecraft since Ghostpulse malware's emergence in 2023: the latest variant now delivers its payload by hiding it inside a manipulated PNG image file.  

Malware hidden in PNG files undermines the ongoing effort to build strong security measures, making it almost impossible to get rid of such attacks. 

How Can a PNG Contain Malware?  

Ghostpulse has been notorious as a loader for more dangerous malware, such as the powerful Lumma infostealer. The latest version employs a new, advanced method: it constructs a byte array by extracting the red, green, and blue color values from the image's pixels.  

The new method uses standard APIs from the Windows GdiPlus library, which lets Ghostpulse read its malicious data directly from the image's pixel structure, giving the loader more capability with less chance of detection.  

Salim Bitam of Elastic Security Labs explains that “the malware searches for the presence of an encrypted Ghostpulse configuration in the pixel data by processing it in 16-byte blocks, and through the computation of CRC32 hashes, it is able to find the needed data in order to decrypt it, including the XOR key.” 
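To make the described mechanism concrete from an analyst's side, the following added example (not Elastic's code and not anything from the Ghostpulse sample) rebuilds the same byte array the loader is said to construct: it parses a PNG, inflates the IDAT data, strips the per-scanline filter byte and concatenates the R, G, B values. It then walks that array in 16-byte blocks computing CRC32 hashes, mirroring the search described in the quote, and scores the pixel bytes with a Shannon entropy heuristic. The entropy threshold, the sample images and the minimal PNG writer are constructed for this example; the marker values the real loader compares its CRC32 results against are not given on the page, so block_crc32s only returns the per-block hashes for an analyst to match against whatever indicators they hold.

```python
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def encode_png(width, height, pixels):
    """Build a minimal 8-bit RGB PNG (filter type 0 on every scanline).
    Constructed helper so the example runs offline; pixels is a list of (r, g, b)."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # filter type 0 (None) for this scanline
        for x in range(width):
            raw.extend(pixels[y * width + x])

    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")


def rgb_bytes_from_png(data):
    """Return the concatenated R,G,B values of every pixel: the byte array the
    loader is described as building from pixel colour values.
    Handles 8-bit RGB with filter type 0 only (assumption of this example)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, bytearray(), None, None
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise NotImplementedError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat.extend(body)  # IDAT may be split across several chunks
        pos += 12 + length  # length + tag + data + crc
    raw = zlib.decompress(bytes(idat))
    stride = 1 + 3 * width
    out = bytearray()
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise NotImplementedError("example handles filter type 0 only")
        out.extend(line[1:])  # drop the filter byte, keep R,G,B triples
    return bytes(out)


def block_crc32s(buf, block=16):
    """CRC32 of each 16-byte block of the pixel byte array, mirroring the
    block-wise walk in the article. Which hash values mark the configuration
    is not on the page, so this only yields the list for an analyst to match."""
    return [zlib.crc32(buf[i:i + block]) & 0xFFFFFFFF for i in range(0, len(buf) - block + 1, block)]


def shannon_entropy(buf):
    """Bits of entropy per byte over the buffer (0.0 .. 8.0)."""
    counts = Counter(buf)
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_png(data, threshold=7.0):
    """Constructed heuristic: pixel bytes that look like ciphertext score near 8 bits;
    flat or synthetic artwork scores far lower. threshold is an assumption."""
    pix = rgb_bytes_from_png(data)
    ent = shannon_entropy(pix)
    return {"entropy": round(ent, 3), "blocks": len(block_crc32s(pix)), "suspicious": ent >= threshold}


# Constructed sample images: a smooth gradient and a random-byte image standing in
# for pixel data that carries an encrypted blob.
def sample_gradient(w=32, h=32):
    return [((x * 8) % 256, (y * 8) % 256, ((x + y) * 4) % 256) for y in range(h) for x in range(w)]


def sample_noise(w=32, h=32, seed=1234):
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256)) for _ in range(w * h)]


if __name__ == "__main__":
    for name, pix in (("gradient", sample_gradient()), ("noise", sample_noise())):
        print(name, triage_png(encode_png(32, 32, pix)))
```

Entropy alone is a triage signal, not a verdict: real photographs also score high, so in practice the check is combined with context (the download site, the process that opened the image, GdiPlus usage from an unexpected binary) and with the published YARA rules rather than used to block images outright.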

Ghostpulse also puts some brilliant social engineering tactics into practice to trick victims into unwittingly downloading the malware in PNG files.  

The PNG malware attackers follow a smart tactic: they manipulate users into visiting compromised websites under the pretext of a routine CAPTCHA verification. Instead of asking them to select all images containing certain features, the page asks the victim to press specific keyboard hotkeys, which automatically copy malicious JavaScript to the clipboard. A script then runs a PowerShell command, which invokes the Ghostpulse payload. 

Fighting Against Cyberthreats  

The ongoing evolution of Ghostpulse PNG malware underscores the need for heightened cybersecurity measures. Elastic Security Labs suggests that organizations can neutralize this new threat by putting the updated YARA rules released last year into use.  

Given how inventive cybercrime threats remain, with different types of PNG-based malware, security researchers also caution defenders against complacency in the face of new malware methods. 

All in all, the emergence of the Ghostpulse malware family mirrors a troubling trend in the dynamics of cyber threats. For every advancement made in security, attackers quickly find new ways to adapt their techniques, creating a never-ending vicious cycle in the cybersecurity landscape where defensive measures and malicious digital creations are in a constant race to outpace each other. 


Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Intelligent Tech sections to stay informed and up-to-date with our daily articles.