Attacks such as these can seem stealthy at the surface level, but understanding each step of how the malware operates can allow defenders to implement alerts that detect multiple malware families. The first detection is looking for processes making unusual network connections such as Microsoft Word or PowerShell connecting to GitHub. While there are many legitimate uses for PowerShell to make this kind of connection, it should not be so common that investigating such events should be brushed off. Along that same vein, PowerShell should also not be connecting to imgur.com in normal circumstances. It should also be rare for PowerShell to be directly interacting with images and using System.Drawing in the command line. There have been many documented cases where PowerShell is utilized for steganography within the past year, and looking at connections by unusual processes can bring high-value low-volume detections. Further investigation into the shellcode also provides the domain portmap[.]host, which is one of the domains used by a port forwarding service portmap.io. Enterprise security teams should consider alerting or blocking connections to any domain ending in portmap.io or portmap.host, or the IP addresses in Russia where these domains resolve: 192.161.193.3 and 192.161.193.4.

References:
https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/
https://www.shodan.io/search?query=portmap.io