
Steganography Secrets: Malware Hidden in Plain Sight

May 20, 2026

By: Jacob Malimban, Intelligence Team

Threat actors are abusing image file hosting websites and file sharing services to deliver malware while evading enterprise security controls. Unlike the more common, relatively simplistic threats seen today, these threat actors appear to be more sophisticated and less likely to send large-scale, minimally targeted attacks. They use a combination of steganography, encodings, and multiple delivery mechanisms to deliver remote access trojans (RATs), information stealers, and other malware, and are often successful at evading Endpoint Detection and Response (EDR) tools. The greater effort is also evident in the increased use of personally identifying information to customize email subjects and attachments, as compared to regular phishing. This report covers the infection chain, the image file hosting websites, and the malware used in steganographic campaigns.

Steganography is the act of using one obvious object or file to hide secret information inside it in a way that is not easily detected. Although this technique has many forms, such as text steganography and audio steganography, this report focuses on image file steganography. Threat actors are embedding malicious content into seemingly benign images. When the file is opened in an image viewer, it appears no different from other .png or .jpeg image files. Even tools used to extract hidden executables typically fail, as the malware is obfuscated and encoded before it is embedded. When the file is accessed by the threat actor’s delivery mechanism, the malicious content can be decoded and executed.

Key Points

  • 23% of the steganography images were hosted by archive[.]org.
  • 27% of these steganography campaigns delivered Remcos RAT.
  • Most of these campaigns use a DotNET Loader DLL for privilege escalation and to run the malware in memory.
  • The most frequently used images appear to be taken from desktop background providing websites.

Context and Background Information

For campaigns delivering, or attempting to deliver, malware, Cofense Intelligence separates digital content being used by threat actors for malicious purposes into two types: malware and delivery mechanisms. Malware is typically the final payload that lets threat actors steal information, encrypt and ransom data, or otherwise provide threat actors with some type of remote access to an infected device. Delivery mechanisms are the tools that bypass security controls and allow the malware to be delivered. The steganography campaigns in this report often involve multiple precursor delivery mechanisms before delivering the final malware and running it in a way that is not easy for most EDR to detect.

Malware

Malware is a stand-alone, runnable, malicious package that allows threat actors to take action on the victim’s computer. These activities include things like having remote administrative access, keylogging, stealing information, or encrypting and ransoming data. By infecting machines, threat actors can further their financial, political, or personal goals. In an infection chain (see Figure 1), malware is typically the final payload and the last step.

Delivery Mechanisms

Delivery mechanisms are the methods that threat actors use to deliver malware. Instead of attaching malware directly to the email in an archive file, which would be easily detected and stopped by modern security measures, an intermediary file that won’t be blocked by Integrated Cloud Email Security (ICES) can be attached or provided via an embedded link instead. The success of a delivery mechanism depends on the malware being properly loaded onto a victim computer. Whether by using an infected document exploit like CVE-2017-11882, a benign PDF with a link to a phishing website, or a JavaScript file that downloads an image and decodes another malicious file, threat actors have many ways to deliver malware.

Steganography

One definition of steganography is “the practice of representing information within another message or physical object, in such a manner that the presence of the concealed information would not be evident”. Text steganography includes techniques like hiding a message in an essay by using the beginning of each sentence. Image steganography includes techniques like hiding text in an image that can only be viewed by special software. This report focuses on threat actors who use image steganography to hide a malicious file in an image.

The Steganography Campaign

  • 72% of all steganography campaigns used Finance themes.
  • Steganography campaigns first peaked in 2024.
    • Levels have stabilized and remained similar throughout 2025.
    • This may be due to threat actors preferring to abuse technically legitimate remote access tools instead.


Figure 1: Infection chain of a campaign delivering Remcos RAT while using a steganographic image.

Cofense Intelligence first started tracking the steganography technique as a distinct tactic, technique, or procedure (TTP) in 2023. Although there have been changes in both the delivery chain and final malware, most steganography campaigns use a DotNET Loader embedded in the image file that is specifically designed to deliver the final malware in a way that is difficult to detect and prevent.


Figure 2: A finance-themed phishing email that delivers Remcos RAT via JavaScript and image steganography.

One of the most prominent steganography campaigns is a JavaScript (JS) Dropper to DotNET Loader to a Remcos RAT. Like the infection chain depicted in Figure 1, which originates with the email in Figure 2, a phishing email references some document, like a purchase order confirmation. The fake confirmation document comes as either a direct email attachment or from a download after clicking a URL embedded in the email. Like a real PDF file, this downloaded malicious file is up to a few megabytes in size. In this campaign, the JS Dropper was the initial delivery mechanism, attached to the email. If the file is run by a victim, a benign online document is usually opened while the rest of the infection happens silently in the background.

After running the JS Dropper, a malicious image file that is typically designed to look like a desktop background image file is downloaded. Although the image file in these campaigns is usually benign and can usually be viewed safely, it contains special content that the JS Dropper can access and decode. The JS Dropper accesses the malicious image file and performs steganography to extract a DotNET Loader DLL.

Although the JS Dropper could drop and run a Remcos RAT executable, the malware sample will persist on the computer and would likely be detected and quarantined by EDR as soon as it was dropped to disk. More experienced threat actors prefer to minimize evidence to avoid detection and analysis. This is why Remcos RAT is loaded into the memory of a running legitimate program by a DotNET Loader instead. By using a DotNET Loader, Remcos RAT can be injected into the memory of a legitimate program like Windows Explorer and avoid detection.

Malware that is injected into another process can be difficult to analyze. Instead of the process containing just the legitimate program’s code, the malware is loaded alongside it and executed as well. This type of malware is typically configured to run directly from memory and leave no file artifacts. Security solutions that rely on static file indicators rather than behavioral analysis may have difficulty detecting it.

DotNET Loaders usually perform privilege escalation which allows the malware to run as administrator and avoid additional detection mechanisms. The DotNET Loader can also configure fileless persistence mechanisms so that the malware will return after restarting the computer. One example of a fileless persistence mechanism is when threat actors put malware in the Windows Registry which automatically runs after a computer turns on.
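The registry-based autorun the paragraph above describes leaves one artifact a defender can inspect: the Run value itself. The following triage script is an added example, not Cofense's tooling or anything recovered from these campaigns. It works over a constructed list of (name, command) pairs in the form an analyst would export from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and flags values that launch a script host, pass PowerShell an encoded command, or carry a long Base64 run. The list of script hosts and the 60-character Base64 threshold are this example's assumptions.

```python
import base64
import re

# Script and proxy-execution hosts that rarely belong in a workstation Run value
# (assumed list, chosen for this example).
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32"}

# PowerShell's documented aliases for -EncodedCommand (-e, -ec) plus longer prefixes.
ENCODED_SWITCH = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encoded|encodedcommand)(?=\s)")

# A Base64 run this long has no business in a normal Run value (assumed threshold).
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")

# Constructed sample: the encoded blob is just a harmless Write-Host, encoded the
# way PowerShell expects (Base64 of UTF-16LE text).
ENCODED_SAMPLE = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode()

# Constructed Run values as (value name, command line).
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", "powershell.exe -w hidden -enc " + ENCODED_SAMPLE),
    ("Sync", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\sync.js"'),
]


def launched_binary(command):
    """Return the bare program name (no path, no .exe) that a Run value starts."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    if not m:
        return ""
    path = (m.group(1) or m.group(2)).replace("\\", "/").split("/")[-1].lower()
    return path[:-4] if path.endswith(".exe") else path


def triage_run_value(name, command):
    """Return the list of reasons this value deserves a closer look (empty if none)."""
    reasons = []
    if launched_binary(command) in SCRIPT_HOSTS:
        reasons.append("script host launched at logon")
    if ENCODED_SWITCH.search(command):
        reasons.append("encoded command switch")
    if LONG_BASE64.search(command):
        reasons.append("long Base64 run in value")
    return reasons


def triage_run_values(values):
    """Keep only the flagged entries, each with its reasons, in input order."""
    flagged = []
    for name, command in values:
        reasons = triage_run_value(name, command)
        if reasons:
            flagged.append({"name": name, "command": command, "reasons": reasons})
    return flagged


def decode_encoded_command(blob):
    """Render a PowerShell -EncodedCommand blob back into readable text."""
    return base64.b64decode(blob).decode("utf-16le")


if __name__ == "__main__":
    for hit in triage_run_values(SAMPLE_RUN_VALUES):
        print(hit["name"], "->", ", ".join(hit["reasons"]))
        if "encoded command switch" in hit["reasons"]:
            print("   decodes to:", decode_encoded_command(hit["command"].split()[-1]))
```

The two benign entries pass untouched, which is the point of keying on the launched binary rather than on paths under AppData: legitimate software such as OneDrive lives there too, so a path-only rule would drown the analyst in noise.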

Steganography Picture Locations

  • At 40% of volume, uploaddeimagens[.]com[.]br was the domain most abused to host malicious image files.
  • archive[.]org was the 2nd most abused domain, with 23% of historical volume.
  • Other notable abused domains include github[.]com and cdn[.]discordapp[.]com.

Just as cloud collaboration platforms face abuse, image hosting websites are also susceptible. Image hosting websites may have a harder time monitoring for potentially malicious content, as it is not as easily detected by a scan as an executable or malicious script. For this campaign, the distinction between regular images and malicious ones is that malicious images contain embedded malware that can be decoded by a delivery mechanism. The steganography technique obfuscates the malicious content and makes the image appear benign. Additionally, many of the images used still have intact metadata such as device creator, copyright information, and time stamps when the image was taken by a camera. This makes it even more difficult to detect that the images have malicious content.


Figure 3: Thumbnails of images containing an embedded DLL which is extracted via steganography.

Although these tampered images can be uploaded to any website that hosts images, threat actors appear to have settled on certain sites. Appearing in 40% of the campaigns, uploaddeimagens[.]com[.]br was used from 2023 to 2024. Security vendors started marking the domain as malicious, so threat actors moved to different websites in 2025. Archive[.]org was one of the websites that gained traffic; it now constitutes 23% of the historical steganography campaign volume. Security solutions may find it hard to distinguish a user viewing benign cover art from a delivery mechanism downloading a malicious picture.

Steganography Picture Analysis

  • Malicious steganography images in this campaign look indistinguishable from benign images.
  • Although malicious images contain embedded files, threat actors can minimize the increase in size to under a megabyte.
    • Image sizes range from 164 kB to 6.1 MB
    • The extracted .dll file sizes range from 10.2 kB to 11.9 MB


Figure 4: Strings view of the malicious steganographic image in the center of Figure 3.

In Figure 4, the strings dump of the steganographic image from the center of Figure 3 is shown on the left with the image on the right. As expected, the first strings are just fragmented words from the metadata of the image. Near the bottom of the left half, a large block of letters begins, along with the text “BaseStart-”. This is not normal for regular pictures. The block in Figure 4 is a Base64-encoded DotNET Loader embedded in the steganographic image.

Base64 encoding is another way to represent binary data. Just as ASCII maps bytes to readable characters, Base64 is a method of representing arbitrary bytes as printable text. One modern use case for Base64 is to convert email attachments to text. Using a standard Base64 encoding helps ensure compatibility between different computers. For threat actors, however, Base64 is a simple way to obfuscate something malicious.


Figure 5: Base64 decode of the string from Figure 4 reveals an embedded file.

The embedded file is not obvious when looking at the picture through a regular image viewing software, as seen in Figure 3. This malicious function is only apparent when security researchers analyze the infection chain. In Figure 5, when decoding the string found as text in the image, the output begins with “MZ”. Files that begin with the letters MZ are typically Windows executable programs. For this sample, only Base64 encoding was used, but threat actors with more resources can also use encryption.
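The two observations above (a Base64 text block sitting where an image should only have pixel data, and a decoded blob that begins with “MZ”) are enough to build a file-level check. The script below is an added example written for this article, not Cofense's analysis tooling and not code from the campaigns. It constructs its own 1x1 PNG as the benign cover image, appends a Base64 blob the way Figure 4 shows one (the placeholder “executable” carries only the MZ header and is not a real program), and then runs two checks that work on any file bytes: report anything after the PNG IEND chunk, and decode every long Base64 run to see whether it starts with MZ. The 64-character run threshold and the use of “BaseStart-” as a plain marker are assumptions; the article shows that string beside the blob but does not document its exact format.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# A run of Base64-alphabet bytes this long does not occur in ordinary image
# metadata; the 64-character threshold is this example's assumption.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed stand-in for an embedded executable: it carries the "MZ" header
# the article describes but is not a real program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"CONSTRUCTED-STUB-NOT-A-REAL-PE"


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_image():
    """A valid 1x1 RGB PNG, constructed here as the benign cover image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_tampered_image():
    """The same PNG with a Base64 blob appended after IEND, as in Figure 4.

    "BaseStart-" is placed in front of the blob only as a constructed marker
    mimicking the string seen in the article's strings dump.
    """
    return build_sample_image() + b"BaseStart-" + base64.b64encode(FAKE_PE)


def png_trailing_data(data):
    """Return bytes that follow the IEND chunk (a valid PNG has none)."""
    if not data.startswith(PNG_SIGNATURE):
        return b""
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""


def find_embedded_pe(data):
    """Decode every long Base64 run and report those that start with "MZ"."""
    hits = []
    for m in BASE64_RUN.finditer(data):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # whole quartets only
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if decoded.startswith(b"MZ"):
            hits.append({"offset": m.start(), "encoded_len": len(run),
                         "decoded_len": len(decoded), "magic": decoded[:2]})
    return hits


def scan_image(data):
    """Combine both checks into one report for an image file's bytes."""
    return {"trailing_bytes": len(png_trailing_data(data)),
            "pe_hits": find_embedded_pe(data)}


if __name__ == "__main__":
    print("clean:   ", scan_image(build_sample_image()))
    print("tampered:", scan_image(build_tampered_image()))
```

The IEND check is cheap and catches the simplest form of appending; the Base64 scan is what catches the case in Figure 4 regardless of where the blob sits, and it is the check that stops working once the actor adds a layer of encryption on top of the encoding, as the paragraph above notes. At that point the decoded bytes no longer start with MZ, and the defender is left with the weaker signal of an unusually long printable run inside a binary image format.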

Malware Delivered via Steganography

  • 27% of steganography campaigns deliver Remcos RAT.
  • 21% of steganography campaigns deliver Agent Tesla Keylogger.
  • 18% of steganography campaigns deliver XWorm RAT.
  • Over 15 different malware families are delivered.


Figure 6: Malware families delivered in steganography campaigns.

The malware delivered most often in steganography campaigns is Remcos RAT. At 27% of the volume, it is likely the top choice for threat actors due to its ease of acquisition and ease of use. Although this follows the trend of Git Website Repository Abuse, it runs counter to the rise in legitimate remote access tool abuse. Agent Tesla Keylogger is #2 at 21% of total volume. It is primarily a keylogger; however, Agent Tesla Keylogger can also search computer files for interesting content, take screenshots, steal passwords, and exfiltrate stolen data via several different methods. XWorm RAT is #3 by volume, at 18% of campaigns. Like Remcos RAT, the RAT functions in XWorm are useful to threat actors looking to take administrative control of a computer. FormBook is #4 by overall campaign volume, at 6% of campaigns. It is an information stealer that records keystrokes, takes screenshots, and steals credentials. Note that other threat actors have previously used Remcos RAT and XWorm RAT to deliver ransomware.

Conclusions

This report shows the dangers in steganographic campaigns since 2023. Like the other next generation Tactics, Techniques, and Procedures (TTPs), threat actors using steganography often perform narrow-scope, stealthier attacks compared to the usual overwhelming phishing volume attacks. Some key points include the tendency for steganographic campaigns to be finance-themed, the abuse of image hosting websites including archive[.]org and github[.]com, and the delivery of Remcos RAT and Agent Tesla Keylogger. Security analysts may have difficulty separating legitimate image traffic from a malicious delivery mechanism that downloads steganographic images and decodes payloads. It is up to email recipients to determine whether an email appears to be phishing, or whether an attachment file type looks suspicious.