Doctor, where did you get these pictures? Using steganography in a cryptocurrency mining campaign.
ID: eb907446-4779-5f21-824a-266abd0ad43d
STIX ID: report--eb907446-4779-5f21-824a-266abd0ad43d
Feed Name: Dr.Web News
Doctor Web analyzes an active Monero-mining campaign (observed since 2022) that distributes SilentCryptoMiner and related modules via multi-stage chains including a .NET loader, VBScript/PowerShell downloaders, and a steganography-based delivery that extracts executables from BMP images hosted on legitimate services; the campaign also deploys a .NET stealer, disables UAC/Windows Defender, uses DNS TXT and GitHub for payload delivery, includes sandbox/VM detection, and has so far credited a wallet with ~340 XMR (~$65–70k).
