Tag: steganography

24 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

The 'Artemis' campaign, conducted by APT37, utilizes malicious HWP documents with embedded OLE objects to initiate attacks. The threat actor impersonates legitimate entities to gain trust before delivering the payload. The attack chain combines HWP execution with DLL side-loading techniques to evad…
rokrat
south korea
steganography
dll side-loading
spear-phishing
ole
hwp
cloud infrastructure
2025-12-22
Published: December 22, 2025
Downloadable IOCs: 0

Operation MoneyMount, ISO Deploying Phantom Stealer

A Russian phishing campaign targeting finance and accounting sectors uses fake payment confirmation emails to deliver Phantom stealer malware. The attack chain involves a ZIP file containing an ISO, which when mounted reveals an executable that loads the stealer. The malware employs anti-analysis t…
phishing
russia
exfiltration
steganography
credential theft
finance
multi-stage attack
phantom stealer
2025-12-12
iso
Published: December 12, 2025
Downloadable IOCs: 4

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a stand…
social engineering
lummac2
rhadamanthys
infostealer
steganography
clickfix
multi-stage
2025-11-24
windows update
Published: November 24, 2025
Downloadable IOCs: 12

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

In October 2025, a major U.S. real estate company was targeted by a highly advanced cyberattack using the emerging Tuoni C2 framework. The attack, which showed signs of AI assistance in code generation, was neutralized by Morphisec's Automated Moving Target Defense (AMTD) technology. The campaign l…
powershell
steganography
in-memory execution
ai-assisted
real estate
2025-11-19
tuoni c2
prevention
amtd
tuoni
Published: November 19, 2025
Downloadable IOCs: 4

Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe

A new malware loader called Caminho, originating from Brazil, has been identified using steganography to hide .NET payloads in image files hosted on legitimate platforms. Active since March 2025, the campaign has evolved significantly, delivering various malware types across South America, Africa, …
xworm
steganography
africa
brazil
remcos rat
fileless execution
eastern europe
katz stealer
south america
loader-as-a-service
2025-10-22
caminho loader
Published: October 22, 2025
Downloadable IOCs: 0

XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis

This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload. This payload is a .NET binary that reflectively loa…
obfuscation
xworm
rat
phishing
steganography
shellcode
.net
multi-stage attack
reflective dll injection
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 8

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…
obfuscation
phishing
social engineering
infostealer
steganography
stealc
filefix
2025-09-16
multistage payload
Published: September 16, 2025
Downloadable IOCs: 17

Gh0st RAT-based GodRAT attacks financial organizations

A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside br…
steganography
asyncrat
gh0st rat
financial-sector
2025-08-19
skype
password-stealer
awesomepuppet
ms edge password stealer
godrat
chrome password stealer
Published: August 19, 2025
Downloadable IOCs: 0

AI brings back real trojan horse malware

Trojan horses, once rare, are making a resurgence due to AI and Large Language Models (LLMs). These new trojans, disguised as legitimate applications like recipe apps or AI-powered image search tools, are evading traditional security measures. They appear professional, pass VirusTotal scans, and ex…
steganography
ai
virustotal
llm
2025-08-13
justaskjacky
antivirus evasion
tamperedchef
trojan horse
Published: August 13, 2025
Downloadable IOCs: 0

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

A new variant of RoKRAT malware used by APT37 has been identified, employing a two-stage encrypted shellcode injection method and steganography to conceal malicious code in image files. The malware uses shortcut files with embedded commands to execute its attack, distributed via compressed archives…
apt
dropbox
rokrat
cloud
injection
steganography
shellcode
edr
fileless
xor
2025-08-07
Published: August 7, 2025
Downloadable IOCs: 0

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

A malicious CHM file targeting Poland was discovered, containing an infection chain that drops and executes a C++ downloader. The CHM file displays a decoy image while executing obfuscated JavaScript to extract and run a DLL. The downloader retrieves a payload from a domain associated with previous…
steganography
downloader
2025-07-14
scheduled-task
Published: July 14, 2025
Downloadable IOCs: 9

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…
obfuscation
phishing
persistence
steganography
dcrat
credential harvesting
remote access trojan
colombia
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 8

More Steganography!

A malicious Excel file using steganography was analyzed, revealing embedded XLS sheets and a complex infection chain. The file downloads an HTA file that creates a BAT file, which in turn generates and executes a VBS file. The VBS file fetches a VBA script that creates and runs a PowerShell script.…
powershell
steganography
excel
base64
dll
vbs
katz stealer
hta
2025-06-14
Published: June 14, 2025
Downloadable IOCs: 0

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

This article discusses a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in seemingly benign 32-bit .NET applications. The malware employs a multi-stage process to extract, deobfuscate, load, and execute secondary payloads, ultimately leading to t…
obfuscation
steganography
malspam
.net
agent tesla
remcos rat
multi-stage
xloader
2025-05-09
bitmap
Published: May 9, 2025
Downloadable IOCs: 0

Steganography Analysis With pngdump.py

This article discusses the analysis of a PNG file containing hidden malicious content using the pngdump.py tool. The image, 31744 pixels wide and 1 pixel high, was found to have a PE file embedded in its pixel data. The author demonstrates how to extract the hidden file using various Python tools a…
malware
python
steganography
2025-04-26
pe file
data extraction
file analysis
png
pngdump
Published: April 26, 2025
Downloadable IOCs: 0

Operation Sea Elephant: The Dying Walrus Wandering the Indian Ocean

The CNC group, with South Asian origins, has been targeting domestic teachers, students, and research institutions. Their operation, named 'sea elephant', aims to spy on scientific research achievements in the ocean field. The group employs various tactics, including spear-phishing emails, IM softw…
steganography
keylogging
south asia
usb propagation
file stealing
2025-04-10
sogou_pinyinupdater.exe
scientific espionage
tericerit.exe
srclogsys.exe
cachestore.exe
github api
konlinesetupupdate_xa.exe
ocean research
windowassistance.exe
huaweihisuiteservice64.exe
filecoauthx86.exe
aliyun_updater64.exe
youdaogui.exe
mscleanup64.exe
windowsfilters.exe
qaxreporter.exe
Published: April 10, 2025
Downloadable IOCs: 0

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

Formbook Phishing Campaign with old Payloads

A recent phishing campaign has been observed delivering Formbook stealers through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Mont…
phishing
steganography
process-hollowing
2025-01-07
xml
formbook stealer
Published: January 7, 2025
Downloadable IOCs: 1

The Mobile Malware Chronicles: Necro.N - Volume 101

Zimperium's zLabs researchers have been tracking Necro.N, a highly intrusive mobile malware campaign, since July. This malware, potentially succeeding Joker, uses obfuscation and steganography to hide malicious payloads within images. It downloads payloads from C2 servers, enabling remote code exec…
obfuscation
steganography
c2 server
mobile malware
2024-10-21
joker
necro.n
libsvm.so
fleeceware
advertising sdk
libcoral.so
Published: October 21, 2024
Downloadable IOCs: 6

The Dark Knight Returns: Joker malware analysis

The report details sophisticated command and control (C2) techniques employed by the APT41 threat group. APT41 uses custom malware and legitimate tools to maintain persistent access to compromised networks while evading detection. Key techniques include DNS tunneling, domain fronting, and steganogr…
evasion
steganography
dns tunneling
social media
2024-10-03
command and control
apt41
cloud services
domain fronting
Published: October 3, 2024
Downloadable IOCs: 8

Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders

A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
backdoor
apt
cobalt strike
persistence
steganography
vietnam
2024-09-03
dll side-loading
com hijacking
human rights
Published: September 3, 2024
Downloadable IOCs: 46

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

To the Moon and back(doors): Lunar landing in diplomatic missions

ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
backdoor
apt
espionage
steganography
2024-05-16
2024-05-11
diplomacy
lunarweb
lunarmail
Published: May 16, 2024
Downloadable IOCs: 12

RemcosRAT Distributed Using Steganography

Security researchers have discovered a campaign distributing RemcosRAT through a sophisticated infection chain involving steganography techniques. The attack starts with a malicious Word document exploiting template injection, leading to the download of an RTF file that leverages an equation editor…
obfuscation
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
steganography
remcosrat
process-hollowing
malicious-documents
Published: May 8, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports