Threat actors are leveraging image steganography hosted on legitimate file-sharing platforms to deliver remote access trojans and information stealers. The attack chain utilizes a JavaScript dropper to extract a Base64-encoded DotNET loader from a seemingly benign image, which then injects the final payload into memory to evade endpoint detection.