Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources
Essential information
- Published: 09/05/2025 20:58
- Modified: 12/05/2025 08:46
- Tags: .net, 2025-05-09, agent-tesla, bitmap, malspam, multi-stage, obfuscation, remcos, rat, steganography, xloader
- Related entities: 10 techniques (MITRE), 3 malware, 2 others
Description
This article discusses a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in seemingly benign 32-bit .NET applications. The malware uses a multi-stage process to extract, deobfuscate, load, and execute secondary payloads, ultimately leading to the detonation of the final payload. The analysis focuses on malware samples from recent malspam campaigns targeting financial organizations in Turkey and the logistics sector in Asia. The article provides a detailed technical breakdown of the four stages of the malware's execution, from the initial payload to the final Agent Tesla variant. It also offers insights into effective analysis approaches and protection measures against this steganography-based threat.