Type: technique
Confidence: high
Created: 2026-06-15
Updated: 2026-06-15
Tags: dropper, screensaver, png-stego, api-hashing, anti-debug

CPlApplet PNG Payload Dropper

A two-stage dropper pattern where a CPlApplet DLL (often with a .scr extension) masquerades as a Windows screensaver. Instead of containing the malicious payload inline, it expects a companion file named payload.png in the same directory. The PNG is a custom container: it uses standard PNG chunk markers (IDAT, IEND) but the data inside is encrypted (XOR loop) and compressed with a custom byte-pair algorithm. The dropper extracts, decrypts, and decompresses the payload, writes it to disk as kernelbase.dll, and executes it via CreateProcessA. Heavy anti-debug, API hashing, and self-erasure are common.

Key Behaviours

  • CPlApplet export as entry point
  • payload.png companion-file dependency
  • Custom PNG chunk parser (IDAT extraction, IEND termination)
  • XOR-loop decryption with static .rdata key
  • Custom byte-pair decompression
  • Dynamic API resolution via GetProcAddress after name hashing
  • .text self-erasure before payload execution
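An added triage check, not code from this entry or from any sample: it walks the PNG chunk structure the way the dropper's parser does (length/type header, body, CRC, stop at IEND), concatenates the IDAT bodies and tests whether they form the zlib stream a genuine PNG must carry; a container that only borrows the IDAT/IEND markers fails that test. Both PNGs are constructed inline; the static XOR key and byte-pair format of a real sample are not reproduced here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def build_png(chunks):
    """Assemble a PNG-shaped file from (type, data) pairs (sample inputs only)."""
    out = bytearray(PNG_SIG)
    for ctype, data in chunks:
        out += struct.pack(">I", len(data)) + ctype + data
        out += struct.pack(">I", zlib.crc32(ctype + data))
    return bytes(out)

def iter_chunks(blob):
    """Walk chunks the way the dropper's own parser does: length/type header,
    body, CRC, stop at IEND. Yields (type, body, crc_ok)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        body = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        yield ctype, body, crc == struct.pack(">I", zlib.crc32(ctype + body))
        pos += 12 + length
        if ctype == b"IEND":
            break

def triage_png(blob):
    """A genuine PNG's concatenated IDAT data is one zlib stream; a container
    that only borrows the chunk markers will not inflate. That is the signal."""
    chunks = list(iter_chunks(blob))
    idat = b"".join(body for ctype, body, _ in chunks if ctype == b"IDAT")
    try:
        zlib.decompress(idat)
        inflates = True
    except zlib.error:
        inflates = False
    return {"idat_bytes": len(idat), "idat_is_zlib": inflates,
            "crc_mismatch": any(not ok for _, _, ok in chunks),
            "suspect_container": len(idat) > 0 and not inflates}

# Constructed samples: a valid 1x1 RGB PNG, and a look-alike whose IDAT holds
# arbitrary bytes (standing in for the encrypted payload) instead of a zlib stream.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
REAL_PNG = build_png([(b"IHDR", IHDR), (b"IDAT", zlib.compress(b"\x00\xff\xff\xff")), (b"IEND", b"")])
FAKE_PNG = build_png([(b"IHDR", IHDR), (b"IDAT", bytes(range(0x4d, 0x4d + 64))), (b"IEND", b"")])
```

Because the dropper's parser stops at IEND and may ignore CRCs, the `crc_mismatch` flag is a secondary hint; `suspect_container` is the one to act on, and a file that trips it should be paired with the .scr that references it rather than analysed alone.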