1. Home
  2. Techniques
  3. Enterprise
  4. Data Obfuscation
  5. Steganography

Data Obfuscation: Steganography

ID Name
T1001.001 Junk Data
T1001.002 Steganography
T1001.003 Protocol or Service Impersonation

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

ID: T1001.002
Sub-technique of:  T1001
Tactic: Command and Control
Platforms: ESXi, Linux, Windows, macOS
Version: 1.1
Created: 15 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0001 Axiom

Axiom has used steganography to hide its C2 communications.[1]
S0187 Daserf

Daserf can use steganography to hide malicious code downloaded to the victim.[2]
S0038 Duqu

When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.[3]
S0037 HAMMERTOSS

HAMMERTOSS is controlled via commands that are appended to image files.[4]
S0395 LightNeuron

LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[5]
S1142 LunarMail

LunarMail can parse IDAT chunks from .png files to look for zlib-compressed and AES encrypted C2 commands.[6]
S1141 LunarWeb

LunarWeb can receive C2 commands hidden in the structure of .jpg and .gif images.[6]
C0023 Operation Ghost

During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.[7]
S0495 RDAT

RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.[8]

S0633 Sliver

Sliver can encode binary data into a .PNG file for C2 communication.[9]
S0559 SUNBURST

SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[10][11][12]
S0230 ZeroT

ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.[13][14]
S0672 Zox

Zox has used the .PNG file format for C2 communications.[1]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0235 Detecting Steganographic Command and Control via File + Network Correlation AN0651

Detect the creation or modification of common media file formats (e.g., .jpg, .png, .wav) following suspicious process activity like compression or encryption, especially when paired with lateral movement or exfiltration behavior.
AN0652

Unusual use of steganographic or media processing binaries (e.g., steghide, ffmpeg, imagemagick) followed by outbound communication to external IPs with high data output and media MIME types.
AN0653

Abnormal usage of Preview, ImageMagick, or binary editors to alter images/documents, followed by exfiltration or outbound connections with mismatched file MIME types or payload structure.
AN0654

Suspicious modification of file artifacts (e.g., logs, ISO templates) on ESXi datastores, followed by beaconing or POST operations to external IPs potentially hiding payloads in file-like traffic.

References

  1. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  2. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  3. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  4. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
  5. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  6. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  7. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  1. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  2. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
  3. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  4. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  5. Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021.
  6. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  7. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.