{
	"id": "f03e7a8b-d922-4b93-a6f9-b47f1d21feb7",
	"created_at": "2026-04-06T00:09:46.289618Z",
	"updated_at": "2026-04-10T03:25:29.664532Z",
	"deleted_at": null,
	"sha1_hash": "ef82b9001333074ae0a86b894bdf28cb776684d1",
	"title": "PNGLoad (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29214,
	"plain_text": "PNGLoad (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:41:59 UTC\r\nPNGLoad\r\nAccording to ESET Research, PNGLoad is a second-stage payload deployed by Worok on compromised systems\r\nand loaded either by CLRLoad or PowHeartBeat. PNGLoad has capabilities to download and execute additional\r\npayloads from a C\u0026C server, which is likely how the attackers have deployed PNGLoad on systems compromised\r\nwith PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable - obfuscated with .NET Reactor - that masquerades as legitimate software.\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.png_load\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load"
	],
	"report_names": [
		"win.png_load"
	],
	"threat_actors": [
		{
			"id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9",
			"created_at": "2022-10-25T16:07:24.42571Z",
			"updated_at": "2026-04-10T02:00:04.984213Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "ETDA:Worok",
			"tools": [
				"CLRLoad",
				"Mimikatz",
				"NBTscan",
				"PNGLoad",
				"PowHeartBeat",
				"SAMRID",
				"nbtscan",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e294737b-6aa7-480e-841d-cbed102c356c",
			"created_at": "2023-07-20T02:00:08.787855Z",
			"updated_at": "2026-04-10T02:00:03.368575Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "MISPGALAXY:Worok",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775791529,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef82b9001333074ae0a86b894bdf28cb776684d1.pdf",
		"text": "https://archive.orkl.eu/ef82b9001333074ae0a86b894bdf28cb776684d1.txt",
		"img": "https://archive.orkl.eu/ef82b9001333074ae0a86b894bdf28cb776684d1.jpg"
	}
}