Threat actors embed malware like VIP Keylogger in images via phishing emails and Base64 encoding, leveraging .NET loaders and GenAI-written scripts to

In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads