Recent changes to HeartCrypt-packed malware include a shift in how the malware payload is hidden. Previously, the position-independent code (PIC) was stored in the PE file's resource data, but now the payload is hidden in two separate files disguised as BMP images. These files contain a fake BMP header, followed by junk data, an XOR key, and XOR-encrypted data....