By Zsolt Bizderi in nodes — 14 Oct 2025

Steganography in the Wild

Malware Hiding Commands Inside Images, Audio, or Video Files

In cybersecurity, we often think of malware as a piece of software that downloads a payload, connects to a C2 server, or exploits a vulnerable service. But attackers are also turning to steganography, the art of hiding information in plain sight. This is used to smuggle commands, data, or even full payloads inside everyday media files like images, audio tracks, or video clips. This class of threat is often referred to as stego-malware.

What is Steganography?

Steganography is about concealing information within seemingly harmless files. Unlike encryption (which scrambles data so it looks meaningless), steganography embeds hidden data in such a way that the file looks and behaves normally, such as:

An image might have hidden bits of data encoded in the least significant bits (LSB) of its pixels.
An MP3 file could carry commands in unused ID3 metadata tags.
A video stream might contain payload fragments in the motion vectors of encoded frames.

The goal is to bypass detection by traditional security tools, which tend to focus on anomalies like strange binaries, network signatures, or known malicious IPs; not benign-looking JPEGs or WAVs.

Stego-Malware in Practice

Attackers have weaponised steganography in several real-world campaigns:

Operation Shady RAT (2011–2012): Attackers hid encrypted configuration data inside images hosted on compromised websites.
Stegoloader Trojan (2015): Retrieved its second-stage payload embedded in PNG files, avoiding suspicion during network transfer.
Cerber Ransomware (2017): Delivered its instructions hidden within a JPEG image.
Turla APT (2020): Used Instagram photos to embed malicious C2 instructions.

In these cases, the media file looked normal if opened. Security analysts only discovered the hidden instructions after carefully dissecting the file format and analysing bit-level patterns.

How Stego-Malware Works

A typical workflow looks like this:

Stage 1 Malware (Dropper/Loader):
A small executable or script lands on the victim system, often via phishing or exploit.
Download Stego File:
The loader fetches what looks like a harmless image, song, or video file from a server, cloud bucket, or even a social media post.
Decode Payload:
The loader uses embedded code to extract hidden data from the media file. This could be:
- C2 server addresses
- Encryption keys
- Full binary payloads
- Tasking instructions
Execution:
The extracted data is executed or interpreted as commands, keeping the malware "alive" and adaptive.

To make this more tangible, let's walk through a simplified example. We'll hide a secret message inside the pixels of an image using the Least Significant Bit technique and then extract it back.

Disclaimer: This example is purely educational. Real-world attackers use more advanced, resilient methods.

Step 1: Hiding a Message

from PIL import Image

def encode_message(input_image, output_image, message):
    img = Image.open(input_image)
    encoded = img.copy()
    width, height = img.size
    message += chr(0)  # Null terminator for decoding
    
    data_index = 0
    binary_message = ''.join([format(ord(c), '08b') for c in message])
    
    for y in range(height):
        for x in range(width):
            if data_index < len(binary_message):
                pixel = list(img.getpixel((x, y)))
                # Modify the LSB of the red channel
                pixel[0] = pixel[0] & ~1 | int(binary_message[data_index])
                encoded.putpixel((x, y), tuple(pixel))
                data_index += 1
            else:
                break
    encoded.save(output_image)
    print(f"Message hidden in {output_image}")

# Example usage:
encode_message("cover.png", "stego.png", "attack scheduled at 0300 UTC")

Here:

cover.png is a normal image (any PNG/JPEG works).
stego.png will contain the hidden message.

The least significant bit of each pixel’s red channel is flipped to encode message bits.

Step 2: Extracting the Message

def decode_message(stego_image):
    img = Image.open(stego_image)
    width, height = img.size
    binary_data = ""
    
    for y in range(height):
        for x in range(width):
            pixel = img.getpixel((x, y))
            binary_data += str(pixel[0] & 1)
    
    # Split into bytes and decode until null terminator
    chars = [binary_data[i:i+8] for i in range(0, len(binary_data), 8)]
    message = ""
    for byte in chars:
        char = chr(int(byte, 2))
        if char == chr(0):  # stop at null terminator
            break
        message += char
    return message

# Example usage:
print("Hidden message:", decode_message("stego.png"))

When run, the extraction should print:

Hidden message: attack scheduled at 0300 UTC

So the image still opens and looks normal to the naked eye, but hidden within the pixel values is a covert message; much like stego-malware does with C2 commands or payload fragments. Detection requires deeper analysis than simply scanning for malware signatures.

Techniques for Embedding Malicious Data

Attackers use a variety of steganographic methods, including:

LSB Substitution (Images): Altering the least significant bit of pixel values to store hidden data without visible distortion.
Metadata Abuse (All Media Types): Injecting malicious instructions into EXIF, ID3, or MP4 metadata.
Invisible Text Layers: Inserting payloads into unused chunks of PNG files or padding areas of formats like MP4/MKV.
Protocol Camouflage: Streaming commands inside what appears to be legitimate multimedia traffic.

These techniques allow attackers to bypass traditional IDS/IPS systems and sandboxes, which often discard or ignore media file content.

Detection and Challenges

Detecting stego-malware is notoriously difficult:

Entropy analysis can sometimes reveal hidden data, but attackers often compress or encrypt it.
File size anomalies (e.g, an unusually large PNG for its resolution) may raise red flags.
Steganalysis tools use statistical methods to detect irregular pixel distributions, but these tools are computationally expensive and not widely integrated into commercial EDR/XDR products.

Media is ubiquitous because every enterprise network has images, videos, and audio flowing through it daily. Flagging every JPEG would be infeasible.

Defensive Strategies

To defend against stego-malware, organisations can adopt a layered approach:

Restrict Media Sources: Limit systems that need to download and process external media files, especially on high-value endpoints.
Deep File Inspection: Use security solutions that parse and validate file formats rigorously.
Threat Hunting: Monitor for loaders making unexpected HTTP requests to download seemingly benign media files.
Content Sanitisation (CDR): Strip and rebuild media files to remove non-essential metadata and suspicious payloads before allowing them into secure environments.
Awareness Training: Phishing emails that deliver images could be more dangerous than they appear.

The Bigger Picture

Steganography is an active tool in modern threat campaigns, and defenders need to shift from thinking of malware as "just EXEs" to recognising that any digital artifact can be weaponised.

Next time you see a corporate laptop downloading a random image from Instagram or an MP3 from a sketchy domain, consider: what if the real payload isn't the picture, but the pixels?