GHOSTPULSE malware has evolved to embed malicious data within pixel structures of PNG files, replacing its previous IDAT chunk technique. Recent campaigns involve social engineering tactics, tricking victims with CAPTCHA validations that trigger malicious commands through keyboard shortcuts. The malware now parses image pixels to retrieve its configuration and payload, using a CRC32 hash for verification. Elastic Security has updated its YARA rules and configuration extractor tool to detect and analyze both old and new versions. The new approach streamlines deployment to a single compromised executable with the PNG file in its resources section.