GhostPulse Hides DeerStealer in 752 Headless IDAT Chunks: PNG Steganography Without a PNG, DLL Sideloading via iMyFone, and a $3,000/Month MaaS Empire
TL;DR: A fresh DeerStealer infostealer sample (first seen March 10, 2026, origin Sweden) arrives as a 12.6MB MSI installer built with WiX Toolset 4.0.0.0 under the absurd fake identity "Marlinespike by Luckie Lustrum." The MSI deploys a trojanized iMyFone Feedback tool via DLL sideloading, which loads the GhostPulse/IDAT loader from a swapped Qt5Network.dll. The loader's payload container -- cachedrv.xml -- is a 6.18MB file stuffed with 752 PNG IDAT chunks at near-maximum entropy (7.93), but with no valid PNG header. No IHDR, no magic bytes, just raw encrypted IDAT data hiding behind a 16KB wall of randomized ASCII text. The encrypted C2 configuration lives in a separate file, servicetable68.cfg, similarly concealed under a text cover. DeerStealer itself is a Malware-as-a-Service platform with subscription tiers ranging from $200/month for basic credential theft to $3,000/month for the full suite with hidden VNC, clipper, keylogger, and SmartScreen bypass. The MSI was built six days before submission, pointing to active, ongoing campaigns.
A 12.6 Megabyte MSI That Wants You to Believe It Is a Feedback Tool
The sample arrived on MalwareBazaar on March 10, 2026, uploaded from Sweden. The file is RVJVAUQL.msi -- a filename that base64-decodes to partial garbage bytes, strongly suggesting auto-generation rather than any meaningful encoding. At 12.6MB it is suspiciously large for a simple installer, and the reason becomes clear once you crack it open: the MSI bundles a full Qt5 runtime (Qt5Core, Qt5Gui, Qt5Widgets, Qt5Network, Qt5Xml -- roughly 18MB of legitimate DLLs) plus a 6MB encrypted payload blob. The legitimate DLLs exist for one purpose: to make the sideloading target, Utils.exe, run without complaint.
The MSI metadata tells its own story. The product name is "Marlinespike" and the author is "Luckie Lustrum" -- names that read like they were pulled from a random word generator, because they almost certainly were. The build tool is WiX Toolset 4.0.0.0, a consistent fingerprint across DeerStealer campaigns. The compilation timestamp is March 4, 2026, 13:22:36 UTC -- six days before the sample appeared in the wild.
| Field | Value |
|---|---|
| Product Name | Marlinespike |
| Author | Luckie Lustrum |
| Product Code | {820EDDEB-A184-45B2-839B-D1ADAF814D0E} |
| Upgrade Code | {C8711721-CD47-4F81-AC30-45638AF6C8CB} |
| Version | 1.6.7.0 |
| Build Tool | WiX Toolset 4.0.0.0 |
| Created | 2026-03-04 13:22:36 UTC |
| Install Directory | %LOCALAPPDATA%\Coz |
The Sideloading Chain: A Legitimate Binary, an Expired Certificate, and One Trojanized DLL
The attack abuses Utils.exe, which is the legitimate iMyFone Feedback tool (internal name: Feedback.exe v2.0.4.0). This binary was compiled on May 10, 2021, and carries an Extended Validation code signing certificate issued by DigiCert to Shenzhen iMyFone Technology Co., Ltd. The certificate expired in July 2023, but the signature still validates against the original binary: an Authenticode signature that carries a trusted timestamp countersignature remains valid after the signing certificate's own validity period ends, which is the normal reason an expired certificate does not invalidate a signed binary. Many security products also weight EV-signed binaries favorably regardless of expiration status.
When Utils.exe launches, it imports from Qt5Network.dll as part of its normal Qt5 networking stack. The threat actor replaced this one DLL with a trojanized version containing the GhostPulse loader. The trojanized Qt5Network.dll maintains the full original export table -- all 1,240 exported functions -- so the legitimate binary never notices the swap. Inside the DLL, GhostPulse activates during DllMain on DLL_PROCESS_ATTACH, reads the two config/payload files from disk, and begins the decryption and injection chain.
The trojanized DLL is distinguishable through its imports: LoadLibraryW, GetProcAddress, CreateFileW, and the telltale IsDebuggerPresent. IsDebuggerPresent has no business in a networking library; the other three are generic enough to appear in legitimate code, so on their own they are weak signals. The reliable check is to diff the import table against a known-good Qt5Network.dll from the same Qt 5.6.3 release rather than keying on the presence of those functions alone.
| Binary | SHA-256 | Notes |
|---|---|---|
| Utils.exe (legitimate) | 7c7208fb...d839ad2a0 | EV-signed iMyFone Feedback.exe, compiled 2021 |
| Qt5Network.dll (TROJANIZED) | 73d2b832...9cd5e130 | GhostPulse loader, 1,240 exports maintained |
| cachedrv.xml (payload) | fdbc169b...a654ad2ae | 6.18MB, 752 IDAT chunks, entropy 7.93 |
| servicetable68.cfg (config) | 3d8f0ef4...b58028bd | 34KB, 25KB text cover + 8.3KB encrypted blob |
Attack Chain
[Victim downloads RVJVAUQL.msi]
|
v
[MSI executes via msiexec.exe]
|
v
[Files extracted to %LOCALAPPDATA%\Coz\]
- Utils.exe .............. legitimate iMyFone Feedback (EV-signed, expired cert)
- Qt5Core/Gui/Widgets/Xml .. legitimate Qt 5.6.3 runtime
- MSVCP120/MSVCR120 ....... legitimate MSVC 12.0 runtime
- Qt5Network.dll .......... TROJANIZED -- GhostPulse loader
- cachedrv.xml ............ 6.18MB encrypted payload (752 IDAT chunks)
- servicetable68.cfg ...... 34KB encrypted config (C2 addresses + XOR key)
|
v
[CustomAction "LaunchFile" executes Utils.exe]
|
v
[Utils.exe loads Qt5Network.dll via DLL sideloading]
|
v
[GhostPulse activates in DllMain]
- Parses cachedrv.xml: extracts IDAT chunk data
- Parses servicetable68.cfg: extracts encrypted config blob
- Decrypts payload using XOR key from config
- Injects into legitimate process
|
v
[DeerStealer executes in memory]
- 800+ browser extensions targeted
- 50+ browsers harvested
- 14+ crypto wallet types clipped
- Hidden VNC / keylogger (premium tiers)
- Exfiltration via HTTPS to encrypted C2
752 IDAT Chunks and No PNG Header: GhostPulse's Steganography Without the Stego
This is where the sample gets genuinely interesting. GhostPulse has been documented by Elastic Security Labs as using pixel-level PNG steganography -- constructing a byte array from RGB values, scanning for CRC32 markers, and extracting the payload offset and XOR key. That technique requires a valid PNG file with an IHDR chunk so the image dimensions are known and GDI+ can parse the pixel data.
This sample does not do that.
The payload container cachedrv.xml begins with 16,462 bytes of randomized ASCII text -- gibberish that reads like English syllables mashed together. This text cover exists solely to defeat content-based detection. After the text, 752 IDAT chunks begin at offset 0x404E and continue for over 6 million bytes. Each chunk follows the standard PNG chunk format: 4-byte big-endian length, the ASCII literal IDAT, the chunk data (8,192 bytes for a full chunk), and a 4-byte CRC. The file ends with an IEND trailer.
But there is no PNG signature (89 50 4E 47 0D 0A 1A 0A). No IHDR chunk. No image dimensions, color type, or bit depth. This is not a valid PNG file by any standard. The loader does not render an image and read pixels -- it parses the IDAT chunk stream directly, treating it as a raw encrypted data container that happens to use the IDAT framing format. A cheaper tell than entropy follows from that: in a real PNG the concatenated IDAT data is a single zlib stream, so it opens with a zlib header (first byte almost always 0x78); data that was encrypted before being wrapped in IDAT framing has no reason to start that way.
cachedrv.xml structure:
Offset 0x0000 - 0x404D: Random ASCII text cover (16,462 bytes)
    Purpose: evade content-based detection
Offset 0x404E - 0x5E5FC9: 752 IDAT chunks
    Each: [4B length BE][IDAT][chunk data, 8,192B when full][4B CRC]
    Total chunk data: 6,159,416 bytes (968 bytes short of 752 x 8,192, so not every chunk carries a full 8,192 bytes; most likely the final one is shorter)
    Entropy: 7.93 / 8.0 (encrypted)
    NO PNG signature. NO IHDR chunk.
Offset 0x5E5FCA - 0x5E5FD1: IEND trailer (8 bytes; a complete IEND chunk including its 4-byte zero length field would be 12)
An entropy of 7.93 out of a possible 8.0 is consistent with data that is encrypted or compressed to near-maximum randomness. It does not by itself distinguish this container from a genuine PNG, whose zlib-compressed IDAT data also scores high; the missing signature and IHDR do that. Static decryption without the key from the config file is not feasible.
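The following scanner is an added example written for this page; it is not GhostPulse code and does not touch the real sample. It walks PNG chunk framing wherever it appears in a file, verifies each chunk's CRC, measures the concatenated IDAT data, and flags the combination the section describes (IDAT chunks, no PNG signature, no IHDR), while reporting the zlib-header check as corroboration. The same logic backs the "IDAT chunk sequences without PNG magic bytes" alert in the Recommended Actions below. The container and the minimal real PNG it is compared against are constructed in the code (syllable-soup cover, random bytes standing in for ciphertext), so nothing here depends on the sample's actual contents.

```python
"""Detector for headerless IDAT containers of the kind described for cachedrv.xml.
Added example (stdlib only), not GhostPulse code. The container and the PNG built
below are constructed test data, not bytes from the real sample."""
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the theoretical maximum."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def looks_like_zlib(stream: bytes) -> bool:
    """In a real PNG the concatenated IDAT data is one zlib stream: CM == 8 and
    the 16-bit CMF|FLG header is a multiple of 31 (RFC 1950)."""
    return len(stream) >= 2 and (stream[0] & 0x0F) == 8 and ((stream[0] << 8) | stream[1]) % 31 == 0


def walk_chunks(data: bytes, start: int):
    """Yield (offset, type, payload, crc_ok) for consecutive PNG-framed chunks.
    Stops at the first thing that is not a chunk, or after IEND."""
    pos = start
    while pos + 8 <= len(data):
        length = struct.unpack_from(">I", data, pos)[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if not ctype.isalpha() or end + 4 > len(data):  # type must be 4 ASCII letters
            return
        payload = data[pos + 8:end]
        stored = struct.unpack_from(">I", data, end)[0]
        yield pos, ctype, payload, (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored
        pos = end + 4
        if ctype == b"IEND":
            return


def scan_container(data: bytes) -> dict:
    """Characterise the first run of PNG chunk framing found in the file."""
    first = data.find(b"IDAT")
    if first < 4:  # no framing at all (or no room for the length field)
        return {"idat_chunks": 0}
    start = 8 if data.startswith(PNG_SIG) else first - 4
    chunks = list(walk_chunks(data, start))
    idat = [c for c in chunks if c[1] == b"IDAT"]
    payload = b"".join(c[2] for c in idat)
    return {
        "png_signature": data.startswith(PNG_SIG),
        "ihdr_present": any(c[1] == b"IHDR" for c in chunks),
        "bytes_before_framing": start,
        "idat_chunks": len(idat),
        "crc_valid": sum(1 for c in idat if c[3]),
        "iend_present": any(c[1] == b"IEND" for c in chunks),
        "payload_bytes": len(payload),
        "payload_entropy": round(shannon_entropy(payload), 2),
        "zlib_header": looks_like_zlib(payload),
    }


def is_headerless_idat_container(info: dict, min_chunks: int = 2) -> bool:
    """Rule: IDAT framing present, but neither the PNG signature nor an IHDR chunk.
    A missing zlib header on the concatenated data is reported as corroboration."""
    return info.get("idat_chunks", 0) >= min_chunks and not info["png_signature"] and not info["ihdr_present"]


# --- constructed samples (not from the real file) --------------------------

def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_headerless_container(n_chunks: int = 8, chunk_size: int = 8192,
                               cover_len: int = 16462, seed: int = 1) -> bytes:
    """Stand-in for cachedrv.xml: syllable-soup text cover, IDAT chunks filled with
    random bytes (standing in for ciphertext), an IEND trailer, no signature, no IHDR."""
    rnd = random.Random(seed)
    syllables = ["ka", "re", "mo", "ti", "vu", "lo", "sen", "dar", " "]
    cover = "".join(rnd.choice(syllables) for _ in range(cover_len)).encode()[:cover_len]
    body = b"".join(png_chunk(b"IDAT", rnd.randbytes(chunk_size)) for _ in range(n_chunks))
    return cover + body + png_chunk(b"IEND", b"")


def build_real_png(width: int = 4, height: int = 4) -> bytes:
    """A minimal valid 8-bit RGB PNG, for contrast with the container above."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + bytes([i, 0, 255 - i] * width) for i in range(height))
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(scanlines)) + png_chunk(b"IEND", b"")


if __name__ == "__main__":
    for name, blob in (("headerless container", build_headerless_container()), ("real png", build_real_png())):
        info = scan_container(blob)
        print(name, "->", "FLAGGED" if is_headerless_idat_container(info) else "ok", info)
```

The walk deliberately starts at the first IDAT framing rather than at offset 0, so the text cover does not matter, and it tolerates a truncated IEND trailer (it simply reports iend_present as false). The same rule is easy to express in YARA as one way of implementing the recommendation later on the page: a hex string for a full-size chunk header, `{ 00 00 20 00 49 44 41 54 }`, counted with `#idat >= 2`, combined with `not (uint32(0) == 0x474E5089)` to exclude anything that begins with the PNG signature.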
The Config File: servicetable68.cfg
The configuration blob follows the same concealment pattern. The first 25,646 bytes of servicetable68.cfg are randomized ASCII text cover. The actual data begins at offset 0x642F with the bytes 80 20 00 00, which read as a 32-bit little-endian integer give 0x2080 = 8,320: the size of the config that follows. (Treating the 0x80 as a separate "start marker" and the next three bytes as the size does not add up, since 0x20 0x00 0x00 little-endian is 32, not 8,320.) The blob that follows the length field is 8,324 bytes long, 4 bytes more than the field declares; those 4 surplus bytes are not accounted for by the length field.
The encrypted config blob that follows contains the C2 addresses and the XOR decryption key needed to unlock the IDAT payload. The top byte frequencies in the encrypted blob (0xDF at 327 occurrences, 0xBB at 317, 0xD7 at 272, 0xD1 at 246) show a distribution that is not uniform but also not plaintext -- consistent with a relatively simple cipher applied to structured data.
servicetable68.cfg structure:
Offset 0x0000 - 0x642E: Random ASCII text cover (25,646 bytes)
Offset 0x642F - 0x6432: Length field, bytes 80 20 00 00 (u32 LE = 0x2080 = 8,320)
Offset 0x6433 - End:    Encrypted config blob (8,324 bytes: 8,320 declared + 4 trailing bytes)
    Contains: C2 addresses, XOR key for IDAT payload
Without dynamic analysis (sandboxing), the multi-layer encryption in both files prevented full static extraction of the DeerStealer payload and its C2 configuration during this investigation.
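As an added example for the config layout above (this is my code, not the loader's), the block below carves the length-prefixed blob out from behind a printable-text cover and runs the byte-frequency check the section describes. The carver does not assume the length field starts with a non-ASCII byte: it uses the first non-printable byte as an upper bound on the cover and then tries the few positions before it, keeping the one whose declared length actually fits the file. Everything about the cipher is an assumption made for the demonstration only: the constructed blob is NUL-padded fixed-width records under a 4-byte repeating XOR key, which is the simplest cipher that produces a skewed-but-not-plaintext histogram, and the key-length and key-recovery routines only work for that class. This page does not identify the real config's cipher, and the real blob's top byte at 327 of 8,324 (about 3.9%) is far flatter than a short repeating key over padded data would produce, so treat the recovery step as a first check rather than a conclusion.

```python
"""Carver and byte-frequency profiler for the servicetable68.cfg layout described
above (ASCII text cover, 32-bit little-endian length, encrypted blob).  Added
example, not loader code.  The sample file, its 4-byte repeating-XOR 'cipher'
and the NUL-padded field layout are constructed assumptions for demonstration;
this page does not identify the real config cipher."""
import random
import struct
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def carve_config(data: bytes, max_trailer: int = 16) -> dict:
    """Locate the end of the text cover and read the length-prefixed blob.
    The first non-printable byte bounds the cover, but the low bytes of the length
    field may themselves be printable, so the few positions before it are tried too
    and the one whose declared length fits the file (plus a small trailer) wins."""
    first_bin = next((i for i, b in enumerate(data) if b not in PRINTABLE), None)
    if first_bin is None:
        raise ValueError("file is all printable text: no length field found")
    for pos in range(max(0, first_bin - 3), first_bin + 1):
        if pos + 4 > len(data):
            break
        length = struct.unpack_from("<I", data, pos)[0]
        end = pos + 4 + length
        if end <= len(data) and len(data) - end <= max_trailer:
            return {"cover_len": pos, "length": length,
                    "blob": data[pos + 4:end], "trailer": data[end:]}
    raise ValueError("no self-consistent length field after the text cover")


def byte_profile(blob: bytes, top: int = 4) -> dict:
    """The page's check: which byte values dominate, and how lopsided the histogram is."""
    counts = Counter(blob)
    return {"top": counts.most_common(top), "distinct": len(counts),
            "max_share": round(max(counts.values()) / len(blob), 3)}


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def estimate_key_length(blob: bytes, max_len: int = 16) -> int:
    """For a repeating XOR key over byte-skewed plaintext, splitting the blob into
    key_len columns makes each column's histogram spike.  Multiples of the true
    period score the same, so take the shortest length within 10% of the best."""
    def score(L):
        cols = [blob[i::L] for i in range(L)]
        return sum(max(Counter(c).values()) / len(c) for c in cols) / L
    scores = {L: score(L) for L in range(1, max_len + 1)}
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * best)


def recover_xor_key(blob: bytes, key_len: int, filler: int = 0x00) -> bytes:
    """Assumes the most common plaintext byte in every column is `filler` (NUL padding)."""
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0] ^ filler for i in range(key_len))


# --- constructed sample (assumed layout and cipher, not the real file) -------

def build_sample_cfg(key: bytes = b"\x5a\xc3\x11\x9e", cover_len: int = 25646, seed: int = 7):
    """Returns (file_bytes, plaintext).  Mirrors the page's layout: text cover, u32 LE
    length, blob, and 4 trailing bytes beyond the declared length (assumed NULs here)."""
    rnd = random.Random(seed)
    syllables = ["ka", "re", "mo", "ti", "vu", "lo", "sen", "dar", " "]
    cover = "".join(rnd.choice(syllables) for _ in range(cover_len)).encode()[:cover_len]
    fields = [b"c2=alpha.example.invalid:443", b"c2=beta.example.invalid:443",
              b"gate=/api/v1/", b"xor=0123456789abcdef", b"build=1.6.7.0", b"tag=cachedrv"]
    plain = b"".join(f.ljust(48, b"\x00") for f in fields)  # fixed-width, NUL-padded records
    blob = xor_bytes(plain, key)
    return cover + struct.pack("<I", len(blob)) + blob + b"\x00" * 4, plain


if __name__ == "__main__":
    data, plain = build_sample_cfg()
    cfg = carve_config(data)
    print("cover:", cfg["cover_len"], "declared length:", cfg["length"], "trailer:", len(cfg["trailer"]))
    print("profile:", byte_profile(cfg["blob"]))
    k = recover_xor_key(cfg["blob"], estimate_key_length(cfg["blob"]))
    print("key:", k.hex(), "plaintext ok:", xor_bytes(cfg["blob"], k) == plain)
```

The constructed blob is 288 bytes, so its length field is 20 01 00 00 and its first byte is a printable space; that is exactly the case where "skip to the first non-ASCII byte" would land one byte too late, which is why the carver back-tracks and validates the declared length against the file size instead.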
DeerStealer: A Full-Service MaaS Empire
DeerStealer is not a single tool -- it is a subscription-based Malware-as-a-Service platform with tiered pricing, team management, and feature gating. Public threat intelligence from eSentire, CYFIRMA, and ANY.RUN has mapped the following pricing structure:
| Tier | Monthly Cost | Features |
|---|---|---|
| Premium | $200 | Basic stealer, 20-user team management |
| Thief | $450 | Defender bypass, HTML ClickFix delivery |
| Thief+ | $1,500 | Hidden VNC (30 FPS), clipper, keylogger |
| Professional | $3,000 | SmartScreen bypass, full functionality |
The capability set is comprehensive:
Data Theft -- Cookies, passwords, autofill, and credit cards from 50+ browsers. 800+ browser extensions targeted, covering crypto wallets, password managers, and 2FA apps. Desktop cryptocurrency wallets (Exodus, Atomic, Coinomi, Bitcoin Core, Electrum) and USB wallets. Clipboard hijacking for 14+ cryptocurrency address types. FTP/VPN client credentials, Discord and Telegram tokens, Office documents, and OneDrive contents.
Remote Access (Premium Tiers) -- Hidden VNC at up to 30 frames per second for real-time remote control. Live keylogging. Remote process management and command execution.
Evasion -- Control flow obfuscation using assembly junk operations. Per-sample string encryption via jump-table virtual machines. Anti-debugging via IsDebuggerPresent and timing checks. A proxy system called "Gasket" for IP obfuscation on C2 traffic.
Persistence -- Scheduled tasks named zceWriter, dyApp, and Pluginsecurity_dbg. Rootkit-like process injection and file hiding from user-mode tools.
What This Sample Adds to the Picture
Prior public reporting on DeerStealer + GhostPulse documented different sideloading targets and payload containers. This sample represents a distinct campaign with its own operational fingerprint:
| Aspect | Prior Reporting | This Sample |
|---|---|---|
| Sideloading target | COMODO EngineX_Co64.exe | iMyFone Feedback.exe (Utils.exe) |
| Trojanized DLL | cmdres.dll | Qt5Network.dll |
| Payload format | Various | IDAT chunks in fake XML (cachedrv.xml) |
| Config format | Not documented | Encrypted blob in servicetable68.cfg |
| GhostPulse variant | Pixel-level (Elastic) | IDAT-based without PNG header |
| Build tool | Various | WiX Toolset 4.0.0.0 |
| Build date | Various | 2026-03-04 (6 days pre-submission) |
| MSI metadata | Various | "Marlinespike" by "Luckie Lustrum" |
The shift from pixel-level steganography to headerless IDAT parsing is notable. By dropping the PNG header entirely, the loader avoids triggering any detection that keys on PNG magic bytes or attempts to render the file as an image. The IDAT framing is retained purely as a data chunking mechanism -- a container format borrowed from PNG but stripped of everything that makes it a valid image.
Indicators of Compromise
File Indicators
# MSI Installer (RVJVAUQL.msi)
SHA-256: ee5e941218bcf1285b2640c4b2f8baf3ffa44a73b6894ce871a22cbc24b80600
MD5: 2e778fac021722f40ec5664aafcb1fc5
SHA-1: 84573542d266c0f7632e86ca065e35a93e623ea0
TLSH: T168D6331F35674B16FCE3A374271981624FA52C33A311F6FE682BFA542DB17ECA961201
# Utils.exe (legitimate sideloading target)
SHA-256: 7c7208fb37d889fbba299cee11677c7e6b1b4347eb01fde46ebb82dc839ad2a0
Imphash: 9c6723d5273a5682705ef71b66b7949b
# Qt5Network.dll (TROJANIZED -- GhostPulse loader)
SHA-256: 73d2b832d07ab4f6f893f915ca35a43359250c659900357642c6af1f9cd5e130
# cachedrv.xml (encrypted GhostPulse payload)
SHA-256: fdbc169b439b430b7c4688ec3bc56de604d1eaaed66a7c919225981a654ad2ae
# servicetable68.cfg (encrypted GhostPulse config)
SHA-256: 3d8f0ef413fec6f85e335ca089da1f67439dbe1c8f5c01fc001b5c03b58028bd
Network Indicators (from prior DeerStealer reporting)
# DeerStealer C2 domains
telluricaphelion[.]com -> 104[.]21[.]112[.]1
loadinnnhr[.]today -> 103[.]246[.]144[.]118
nacreousoculus[.]pro -> 172[.]67[.]195[.]171
# GhostPulse distribution infrastructure (Elastic Security Labs)
winrar01[.]b-cdn[.]net
reinforcenh[.]shop
stogeneratmns[.]shop
fragnantbui[.]shop
drawzhotdog[.]shop
vozmeatillu[.]shop
offensivedzvju[.]shop
ghostreedmnu[.]shop
gutterydhowi[.]shop
riderratttinow[.]shop
Behavioral Indicators
# Installation directory
%LOCALAPPDATA%\Coz\
# Payload files (on disk)
cachedrv.xml
servicetable68.cfg
# MSI metadata (campaign identifiers)
Product Name: Marlinespike
Author: Luckie Lustrum
ProductCode: {820EDDEB-A184-45B2-839B-D1ADAF814D0E}
UpgradeCode: {C8711721-CD47-4F81-AC30-45638AF6C8CB}
# Scheduled tasks (DeerStealer persistence)
zceWriter
dyApp
Pluginsecurity_dbg
# Working directory
C:\ProgramData\DebugdebugIRG_debug\
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing / Drive-by | T1566 / T1189 | MSI delivered via ClickFix or fake download page |
| Execution | User Execution: Malicious File | T1204.002 | Victim executes MSI installer |
| Defense Evasion | System Binary Proxy Execution: Msiexec | T1218.007 | MSI deploys payload via msiexec.exe |
| Persistence | Scheduled Task/Job | T1053.005 | zceWriter, dyApp, Pluginsecurity_dbg |
| Defense Evasion | DLL Side-Loading | T1574.002 | Utils.exe loads trojanized Qt5Network.dll |
| Defense Evasion | Masquerading | T1036.005 | Renamed legitimate iMyFone binary (Feedback.exe shipped as Utils.exe) whose expired EV signature still validates |
| Defense Evasion | Obfuscated Files or Information | T1027 | Encrypted payload in fake XML with IDAT chunks |
| Defense Evasion | Steganography | T1027.003 | Payload carried in PNG-style IDAT chunk framing with no image header |
| Defense Evasion | Debugger Evasion | T1622 | IsDebuggerPresent checks in trojanized DLL |
| Credential Access | Credentials from Password Stores: Web Browsers | T1555.003 | Browser credential theft (50+ browsers) |
| Credential Access | Steal Web Session Cookie | T1539 | Browser cookie exfiltration |
| Collection | Clipboard Data | T1115 | Cryptocurrency address replacement (14+ types) |
| Collection | Input Capture: Keylogging | T1056.001 | Live keystroke capture (premium tier) |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | HTTPS exfiltration of stolen data |
| Command and Control | Encrypted Channel | T1573 | HTTPS C2 communication |
| Command and Control | Proxy | T1090 | Gasket proxy system for IP obfuscation |
Recommended Actions
Immediate (24-48 hours)
- Block the SHA-256 hashes listed above at endpoint protection and email gateway
- Hunt for the %LOCALAPPDATA%\Coz\ directory across all endpoints
- Search for scheduled tasks: zceWriter, dyApp, Pluginsecurity_dbg
- Block known DeerStealer C2 domains at DNS and web proxy level
- Alert on MSI installations containing both Qt5Network.dll and cachedrv.xml in the same package
Short-term (1-2 weeks)
- Deploy YARA rules targeting GhostPulse IDAT loader patterns (IDAT chunk sequences without PNG headers)
- Monitor for DLL sideloading of Qt5-based applications launched from user-writable directories (%LOCALAPPDATA%, %TEMP%, Downloads)
- Review endpoint telemetry for msiexec.exe executing MSI files from user download locations
- Hunt for process injection originating from Qt5-based applications
- Alert on files containing IDAT chunk sequences without preceding PNG magic bytes (89 50 4E 47)
Medium-term (1-3 months)
- Implement application whitelisting for Qt5 DLLs -- legitimate Qt applications should load these from known, non-user-writable paths
- Block execution of signed binaries with expired certificates from non-standard paths (a timestamped Authenticode signature still verifies after expiry, so this has to be a policy check on the certificate's validity dates, not a reliance on signature verification failing)
- Deploy behavioral detection for IDAT chunk parsing outside of legitimate image viewers and browsers
- Monitor Certificate Transparency logs for domains matching DeerStealer naming patterns
- Review MSI installer policies: consider blocking MSI execution from user download directories without admin approval
References
- Elastic Security Labs: "Tricks and Treats: GHOSTPULSE new pixel-level deception" (2024)
- eSentire TRU: "Don't Get Caught in the Headlights -- DeerStealer Analysis" (2025)
- CYFIRMA: "DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities" (2024)
- Baglai, V.: "HijackLoader/GhostPulse/IDAT Loader Comprehensive Analysis" (Medium)
- MalwareBazaar: ee5e941218bcf1285b2640c4b2f8baf3ffa44a73b6894ce871a22cbc24b80600
- CAPE Sandbox: Analysis 56907
Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 752 IDAT chunks parsed. Zero valid PNG headers found. One trojanized DLL. Four MaaS subscription tiers mapped. Classification: TLP:CLEAR