Steganography in malware: how APT groups hide C2 channels and payloads in images

Depov

When the Zero.T loader downloaded three BMP files from a C2 server, the corporate DPI system let them through without a single alert. Three ordinary pictures. Each contained modules of the Enfal ecosystem, packed into the least significant bits of the pixels. According to Securelist, Zero.T is one of at least eight malware families that actively use steganography to hide communications, and the list is far from complete. The researchers showed it on the standard Lenna test image: two files of ~786 KB each, one empty and one with ten chapters of a Nabokov novel inside, are visually indistinguishable. The live containers of APT groups work exactly the same way. And not a single antivirus blinked.
Why APT groups use steganography in malware
Steganography solves three tasks that neither encryption nor obfuscation closes on its own.

Hiding the very fact of data transmission. Cryptography hides the content, but the fact that an encrypted stream is being transmitted is visible to any DPI. A steganographic C2 channel disguises the transport: the traffic looks like image downloads from a web server. For perimeter protection it is legitimate HTTP/HTTPS on standard ports. Nothing suspicious.

Bypassing DPI in corporate networks. Deep packet inspection detects protocol anomalies and known signatures. A stego container is a valid PNG or BMP with a correct header. DPI sees Content-Type: image/png and lets it through without a second look. Formally, a picture. In fact, shellcode in a pretty wrapper.

Evading anti-APT solutions. Securelist's researchers stated the problem directly: anti-APT products are not able to analyze every graphic file on the corporate network, there are too many of them, and the stegoanalysis algorithms are.

The scale of the problem: according to Mandiant M-Trends 2025, the median dwell time of an attacker on the network is 11 days, and 57% of organizations learn about the incident from outside. A steganographic channel directly extends this "window of presence". According to IBM X-Force 2025, 70% of attacks hit critical infrastructure, and that is exactly where hidden malware channels hurt the most.
The place of steganography in the attack chain
Hiding the payload in pictures is not a standalone technique but a way of disguising transport. Without a loader that extracts data from the container, the stego container is useless. Here is how it fits into the kill chain, with a mapping onto MITRE ATT&CK:

Initial Access. A phishing email with an attachment: Spearphishing Attachment (T1566.001). The stego container is usually not used at this stage: it is too large for an attachment and atypical for phishing.

Execution. The victim opens the attachment: Malicious File (T1204.002). An intermediate loader or macro is launched, which initiates the next stage.

Defense Evasion. The loader downloads a stego container from a legitimate or compromised host. Two techniques work at once: Steganography (T1027.003) for obfuscating the payload and Embedded Payloads (T1027.009) for hiding code inside the media file.

C2 Communication. If steganography is used as a permanent channel rather than for one-time delivery of a module, Steganography (T1001.002, Command and Control tactic) applies. The loader periodically downloads "updated" images from the C2, retrieving commands. The return channel can go through Dead Drop Resolver (T1102.001): the agent publishes results in encoded form on a legitimate service.

Decoding. Payload extraction: Deobfuscate/Decode Files or Information (T1140). The decoding algorithm is built into the loader.

Multi-Stage. In complex campaigns Multi-Stage Channels (T1104) is used: the first container holds the configuration of the second channel, the second holds post-exploitation modules. A matryoshka, only instead of wooden dolls, stages of compromise.

[Applicability: internal and external pentest, modern infrastructure. In legacy environments without HTTPS inspection, stego-C2 is almost impossible to catch; in a modern environment with SSL inspection there is a chance to detect an anomaly, but only in behavior, not in the content of the file.]
Data hiding methods in graphic containers
LSB steganography in images and its variations
LSB (Least Significant Bit) is the most common method in real malware. The secret data is written into one or more of the least significant bits of each pixel. For an RGB image one pixel is three bytes (R, G, B); replacing the last bit of each byte is visually indistinguishable. The human eye will not see the difference, and the loader knows where to look.

Capacity: using one least significant bit in the three channels of a BMP, 8 MB of raw pixel data can hold about 1 MB of hidden data. For PNG the capacity depends on the size of the decompressed pixel data, not on the file size on disk. Going up to 2-3 bits increases capacity, but image quality begins to degrade.

For JPEG, a variant based on the discrete cosine transform (DCT) is used: the data is embedded into the DCT coefficients. The capacity is lower: coefficients with values 0 and 1 are left unchanged, nothing can be embedded in them. According to Securelist, this method has been used by a number of APT families for JPEG containers.

Palette steganography: the data is written not into the pixels but into the image's palette. Capacity is low, implementation is simple. Enough for mass campaigns, cramped for a serious payload.

When the technique does NOT work: LSB steganography is detected by statistical methods, histogram analysis and the RS method. Image recompression (PNG->JPEG->PNG conversion) destroys the hidden data. A proxy that recompresses traffic theoretically neutralizes the container, but in production corporate networks image recompression is rare: nobody wants to break interfaces because of a hypothetical threat.
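As an added example (not code from the post or from Securelist), the pairs-of-values chi-square test from the histogram-analysis family mentioned above, run on a constructed grayscale image before and after simulated LSB replacement; the image generator, the 2x-df threshold and the seeds are assumptions made for the example:

```python
import random

def make_cover(width=64, height=64, seed=1):
    """Constructed 8-bit grayscale 'cover' image as a flat pixel list.
    Even and odd values are deliberately unbalanced (80/20), mimicking the
    unequal value pairs of an unmodified natural image."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(width * height):
        even = rng.randrange(0, 128) * 2
        pixels.append(even + (1 if rng.random() < 0.2 else 0))
    return pixels

def embed_random_lsb(pixels, seed=2):
    """Simulate LSB replacement: every least significant bit is overwritten
    with a pseudo-random bit, as a compressed or encrypted payload would be."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

def lsb_plane(pixels):
    """The LSB plane, i.e. what the 'visual attack' renders as an image."""
    return [p & 1 for p in pixels]

def pairs_of_values_chi2(pixels):
    """Chi-square goodness-of-fit over the 128 value pairs (2i, 2i+1).
    LSB replacement only moves counts within a pair, pushing both halves toward
    equality, so a filled container scores close to the degrees of freedom
    while an unmodified cover scores far above. Returns (chi2, df)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, pairs = 0.0, 0
    for i in range(128):
        a, b = hist[2 * i], hist[2 * i + 1]
        if a + b:
            chi2 += (a - b) ** 2 / (a + b)
            pairs += 1
    return chi2, pairs - 1

def looks_like_lsb_stego(pixels, ratio=2.0):
    """Flag the image when chi2 is within `ratio` times the degrees of freedom."""
    chi2, df = pairs_of_values_chi2(pixels)
    return chi2 < ratio * df

if __name__ == "__main__":
    cover = make_cover()
    print("cover flagged:", looks_like_lsb_stego(cover))
    print("stego flagged:", looks_like_lsb_stego(embed_random_lsb(cover)))
```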
Service fields and metadata: hidden commands in documents and images
The payload is placed in the header's service fields: JPEG EXIF data, PNG ancillary chunks, BMP comments. The implementation is trivial: arbitrary bytes are written into fields the rendering engine ignores when displaying the image.

When the technique does NOT work: low capacity, detectable by any metadata viewer. The command exiftool suspicious.jpg reveals the injection in seconds. Nevertheless, the method is used in mass campaigns, because it is easier to write an EXIF field parser than to implement an LSB decoder.
Overlay: two files in one
The method relies on the fact that handlers of some formats read the file up to the end-of-data marker and look no further. The classic is RAR-JPEG: a RAR archive is appended to the JPEG file. The viewer shows the picture, the archiver shows the content.

According to Securelist, this is not steganography in the strict sense, but the method is actively used in the wild. The file size is abnormally large relative to the image resolution (a 100×100 picture weighing 5 MB will make even a junior analyst think), and the binwalk utility finds overlays in milliseconds.
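An added example (not the post's or Securelist's code) that applies the checks from the two sections above to a PNG: a metadata viewer's look at oversized ancillary chunks, binwalk's look for bytes after the end-of-image marker, and the size-versus-resolution ratio; the in-memory PNG builder, the thresholds and the sample chunk and overlay bytes are constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def build_png(width, height, extra_chunks=(), overlay=b""):
    """Constructed sample: a minimal valid 8-bit grayscale PNG built in memory,
    optionally with extra chunks before IDAT and raw bytes appended after IEND."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    # each scanline: filter byte 0 followed by `width` gray values
    raw = b"".join(b"\x00" + bytes((x * 7) % 256 for x in range(width))
                   for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    png = PNG_SIG + chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += chunk(ctype, data)
    png += chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
    return png + overlay

def inspect_png(blob, max_ancillary=4096, max_bytes_per_pixel=4.0):
    """Walk the chunk list and return the red flags the text describes:
    oversized ancillary chunks (metadata carriers), bytes after IEND (overlay),
    and a file far larger than its declared resolution justifies."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    findings, pos, width, height = [], len(PNG_SIG), 0, 0
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        # a lowercase first letter marks an ancillary chunk (tEXt, zTXt, private ones)
        if ctype[0] & 0x20 and length > max_ancillary:
            findings.append(f"ancillary chunk {ctype.decode('latin-1')} of {length} bytes")
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(blob):
        findings.append(f"{len(blob) - pos} bytes after IEND (overlay)")
    if width and height:
        bpp = len(blob) / (width * height)
        if bpp > max_bytes_per_pixel:
            findings.append(f"{bpp:.1f} bytes per pixel for {width}x{height}")
    return findings
```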
APT cases: steganography in real attacks
Zero.T: modules in bitmap files
Zero.T is a loader from the Enfal ecosystem discovered in late 2016. The first description was published by Proofpoint, then a detailed analysis was carried out by Kaspersky Lab researchers. The name comes from a string in the PDB file path inside the executable.

Mechanics: after establishing persistence on the system, Zero.T loads the payload in BMP format from the C2 server. To an antivirus each file is an ordinary image. The loader processes the files, extracting malicious modules from the least significant bits. The number of bits used varies: the algorithm allows for variability.

The Securelist researchers demonstrated a visual attack on Zero.T containers: when new images are constructed from the LSB planes of the individual color channels, a filled container differs from an empty one by characteristic noise. But to the human eye the two files are identical. That is why stego containers are invisible to EDR solutions (CrowdStrike Falcon, SentinelOne, Elastic EDR 8.x+): the file contains no executable code in explicit form, and decoding happens in the memory of the loader process. EDR sees a process that "looks at pictures". Suspicious? No.
Stego campaigns of other APT groups
Besides Zero.T, steganography is used at least by: Microcin (aka six little monkeys), NetTraveler, Zberp, Shamoon, KinS, ZeusVM and Triton (Fibbit), according to Securelist, and the list does not claim to be complete.

According to the CYFIRMA report for Q2 2024, the RollMid malware establishes C2 communication through a three-step process: HTML files, PNG images with steganography, and Base64-encoded data. Classic Multi-Stage Channels (T1104): each stage reveals the address of the next, and steganography hides the key link of the chain.

LokiBot deserves a separate mention: an infostealer known for stealing credentials. According to Trend Micro's analysis, updated LokiBot variants use steganography to hide code inside JPG files. The malware comes as a .jpg + .exe pair, where the JPG contains the data for the malicious code. And here is the important point: stego-malware has stopped being the prerogative of APTs and has reached the mass market. If earlier it was an exotic for targeted attacks, LokiBot is a mass-market infostealer. The entry barrier is getting lower.
Parallel trend: C2 through cloud services
Steganography is not the only way to hide C2 in plain sight. According to Unit 42, in 2024-2025 the CL-STA-1020 cluster targeted government organizations in Southeast Asia. The group developed a previously undocumented HazyBeacon backdoor with C2 over AWS Lambda URLs: traffic to amazonaws.com blends in with legitimate communications. The common denominator: both stego-C2 and cloud-C2 exploit trust, in the file format and in the cloud provider respectively. Block amazonaws.com in the corporate network? Good luck, half of the infrastructure will go down.
CrowdStrike Falcon, SentinelOne, Elastic EDR 8.x+: none of these products performs stego analysis of downloaded files. They detect the loader's behavior (process creation, memory injection), but not the container as such. To EDR, the picture is just a picture.

Kaspersky Anti-APT, PT Sandbox: sandboxes analyze behavior at launch. An image without executable code does not trigger anything: the container is harmless without a loader. Feed a BMP with a payload inside to the sandbox and it will say "clean".

DPI systems (Palo Alto NGFW, Check Point): they analyze protocol anomalies, but not the contents of media files. A stego container in a valid PNG over HTTPS passes without alerts.

The only working approach is behavioral analysis at the network level. If an endpoint regularly downloads images from one host at a fixed interval (beaconing), that is grounds for an investigation. Behavioral baselining in Splunk, Elastic SIEM or MaxPatrol SIEM can catch the anomaly, but requires a baseline to be configured in advance for each segment.

The scale of the problem: hundreds of thousands of images pass through a corporate network daily: banners, avatars, CDN content. Stegoanalysis of all of them in real time is not feasible with current computing power.
Conclusion
In my experience, SOC teams rarely include stegoanalysis in the playbook. And this is not negligence but pragmatism: with a median dwell time of 11 days (Mandiant M-Trends 2025), analysts have more important tasks. Pragmatism has a price.

The eight families from Securelist's list (Microcin, NetTraveler, Zberp, Zero.T, Shamoon, KinS, ZeusVM, Triton (Fibbit)) actively use steganography, and the list grows every quarter. RollMid with a three-stage stego-C2 via PNG and the updated LokiBot with steganography in JPEG are no longer APT exotica but mainstream.

There are no industrial detection tools. No EDR vendor has announced built-in stego analysis. No DPI system disassembles the LSB plane in real time. A closed circle: the market sees no demand because incidents with steganography do not make it into reports, since they are not found. They are not found because there is nothing to look with.

The only working approach is indirect: abnormal frequency of requests to one host, image sizes atypical for the declared resolution, a stable URL structure when downloading pictures. If your SIEM has no rules for such patterns, it is worth creating at least a basic set. Because stego-C2 is turning from a niche trick into a standard tool. In the WAPT course this chain, from phishing to stego-C2, is taken apart on real samples on lab stands.
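An added example (not from the post or any SIEM vendor) of the indirect approach described here and in the behavioral-analysis paragraph above: the fixed-interval beaconing and constant-size checks run over a constructed proxy log excerpt; the log layout, hostnames, jitter threshold and minimum request count are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (timestamp src host path bytes; not a real vendor
# format): one host serves a same-sized .bmp every ~5 min, the rest is browsing.
LOG_LINES = """\
2025-03-01T09:00:00 10.0.0.5 cdn.example-assets.test /img/banner.png 512331
2025-03-01T09:05:01 10.0.0.5 static.update-host.test /pics/photo1.bmp 786432
2025-03-01T09:10:02 10.0.0.5 static.update-host.test /pics/photo2.bmp 786432
2025-03-01T09:13:40 10.0.0.5 news.example.test /i/header.jpg 40311
2025-03-01T09:15:00 10.0.0.5 static.update-host.test /pics/photo3.bmp 786432
2025-03-01T09:19:59 10.0.0.5 static.update-host.test /pics/photo4.bmp 786432
2025-03-01T09:22:10 10.0.0.5 cdn.example-assets.test /img/banner.png 512331
2025-03-01T09:25:01 10.0.0.5 static.update-host.test /pics/photo5.bmp 786432
2025-03-01T09:30:00 10.0.0.5 static.update-host.test /pics/photo6.bmp 786432
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
IMAGE_RE = re.compile(r"\.(png|bmp|jpe?g|gif)$", re.IGNORECASE)

def parse(lines):
    """Yield (timestamp, src, host, path, size) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2),
                   m.group(3), m.group(4), int(m.group(5)))

def find_image_beacons(lines, min_requests=4, max_jitter=0.1):
    """One tuple per (src, host) whose image downloads recur at a near-constant
    interval: (src, host, count, mean_gap_s, jitter, same_size). jitter is
    stdev/mean of the gaps; same_size marks identical byte counts across paths."""
    seen = defaultdict(list)
    for ts, src, host, path, size in parse(lines):
        if IMAGE_RE.search(path):
            seen[(src, host)].append((ts, size))
    hits = []
    for (src, host), events in seen.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mu = mean(gaps)
        jitter = pstdev(gaps) / mu if mu else 1.0
        if jitter <= max_jitter:
            same_size = len({size for _, size in events}) == 1
            hits.append((src, host, len(events), round(mu), round(jitter, 3), same_size))
    return hits
```

A SIEM rule built on the same idea would group by source and host over a sliding window and alert on low jitter plus identical sizes, with the CDN and news hosts above falling out because of too few requests or irregular gaps.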