Hello and welcome to the Monday, June 2nd, 2025 edition of the Sands Inlet Storm Center's Stormcast.

My name is Johannes Ulrich and this episode brought you by the Sands.edu graduate certificate program in penetration testing and ethical hacking is recorded in Jacksonville, Florida.

Well, and in Diaries, we do have yet more fun with images from Xavier.

Xavier came across a PNG image that included malware.

Now, this one didn't use out of the steganography.

We have talked about a lot in the last couple of weeks.

Instead, it used sort of a simpler form

where the malicious code is just being appended to the image.

With P&G images, there is an end marker,

any data after the end marker is ignored,

meaning that if you display the image in a normal image viewer,

well, all will look fine because the script in the end is just ignored.

But as Xavier points out, the script or that data in the end is really just a little zip archive

that then unpacks into a Python script.

Now, one trick they're sort of doing here is that they are replacing the desktop wallpaper

with their own sort of little wallpaper.

Now, I consider this a little bit more proof of concept than actual malware, in part,

because, well, it's just of a very simple,

straightforward basic remote admin tool. Also, this particular wallpaper sounds more like

something that's sort of being done to indicate, hey, this is sort of something that could

be exploited rather than the exploit itself.

Regardless, virus total detection for this image is very low, indicating that, well, there aren't really a lot of antivirus products that are, for example, looking for code being appended to an image like this, which should really always be considered malicious.

...