Researchers at Trend Micro discovered that new strains of LokiBot use image files to hide code needed for its unpacking routine. Analysis showed that the image hosted the encrypted binary the malware needs for its different unpacking stages, which led to LokiBot being decrypted in the RAM of the infected system. LokiBot can steal browser information from over 25 different products, check for remote administration tools (SSH, VNC, RDP) and find credentials for email and file transfer clients. Researchers note that this strategy not only enables LokiBot to evade detection but also helps it persist on the compromised machine.
Source: https://www.bleepingcomputer.com/news/security/lokibot-uses-image-files-to-hide-code-for-unpacking-routine/
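One defensive check this technique suggests, as an added example that is not from the article or from Trend Micro's analysis: scan image files for a large, high-entropy blob sitting after the image's own end marker. The article does not say how the payload is embedded, so the assumption here (labelled in the code) is the simplest carrier layout, data appended after the PNG IEND chunk or the JPEG EOI marker; the sample images and the stand-in "encrypted" blob are constructed inline.

```python
"""Flag image files that carry a large, high-entropy blob after the image's
own end-of-file marker. Assumption (not stated in the report): the hidden
payload sits after the PNG IEND chunk or the JPEG EOI marker."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
# JPEG markers that carry no length field: SOI, TEM, RST0..RST7.
JPEG_STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if the PNG structure is broken."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + payload + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data):
    """Offset just past the EOI marker. Segments are walked by length so that
    thumbnails inside APP segments and stuffed FF 00 pairs do not fool the scan."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:          # EOI
            return pos + 2
        if marker in JPEG_STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:          # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def shannon_entropy(blob):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def scan_image(data):
    """Return (format, trailing_bytes, trailing_entropy); format is None for non-images."""
    for fmt, finder in (("png", png_end_offset), ("jpeg", jpeg_end_offset)):
        end = finder(data)
        if end is not None:
            tail = data[end:]
            return fmt, len(tail), round(shannon_entropy(tail), 3)
    return None, 0, 0.0


def is_suspicious(data, min_trailing=256, min_entropy=6.5):
    """True when a real image carries a sizeable, high-entropy tail after its end marker."""
    fmt, n, ent = scan_image(data)
    return fmt is not None and n >= min_trailing and ent >= min_entropy


# ---- constructed sample inputs (hypothetical, for demonstration only) ----
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_clean_png():
    """Constructed 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_clean_jpeg():
    """Constructed JPEG skeleton (SOI, APP0, SOS with a stuffed FF 00, EOI): walkable, not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\xff\x00\x56"
    return JPEG_SOI + app0 + sos + b"\xff\xd9"


# Stand-in for an encrypted stage: every byte value equally often, entropy exactly 8.0.
FAKE_ENCRYPTED_BLOB = bytes(range(256)) * 16

if __name__ == "__main__":
    for name, blob in (("clean png", make_clean_png()),
                       ("png + blob", make_clean_png() + FAKE_ENCRYPTED_BLOB),
                       ("jpeg + blob", make_clean_jpeg() + FAKE_ENCRYPTED_BLOB)):
        print(name, scan_image(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

The thresholds are deliberately loose: a few hundred bytes of trailing metadata is common in real-world images, so the entropy test is what separates an appended encrypted stage from benign junk, and hits should be triaged (hashing the tail, checking where the image came from) rather than blocked outright.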

