Steganographic payload extraction is the process by which malware retrieves hidden data from carrier files, typically images. Each extraction technique corresponds to a specific embedding method, from reading bytes after an end-of-file marker to reconstructing payloads from individual pixel colour values. Understanding the extraction code that malware executes reveals the embedding method used, the post-extraction processing required, and the detection opportunities available to defenders.
"Steganography" is often discussed as though it were a single technique. It is not. It is a family of distinct methods, each with its own extraction logic, capacity constraints, and detection characteristics. The code a malware sample runs to recover its payload from an image varies enormously between campaigns. An XWorm variant scanning for a Base64 flag marker after a JPEG's FFD9 byte has almost nothing in common with OceanLotus reconstructing AES-encrypted payload bits from the least significant bits of PNG pixel values. The embedding differs. The extraction code differs. The detection approach differs. And critically, what the defender recovers after successful extraction differs. This article examines five distinct extraction methods from the attacker's perspective: what the malware code actually does to get the payload out. A companion article covers detection techniques from the defender's perspective, including statistical analysis, entropy measurement, and practical workflow. Here, the focus is on the extraction logic itself and what it tells defenders about the threat they are facing.
Five extraction methods
Steganographic extraction techniques cluster into five categories based on where the payload is stored and how the malware locates and reassembles it. Each category has distinct code patterns, capacity limits, and forensic signatures. The order below roughly follows increasing implementation complexity, though not necessarily increasing detection difficulty.
<<BASE64_START>> appended after the image data, then extracted everything following it. The payload was a Base64-encoded MZ executable (identifiable by the characteristic TVq prefix in its Base64 form). The entire extraction logic was fewer than ten lines of code: open the file, find the marker, decode Base64, write to disk, execute.
Variants of this technique use different signalling mechanisms. Some calculate a fixed byte offset from the end of the file. Others use custom delimiter sequences. The GhostPoster campaign used triple equals signs or four greater-than symbols as delimiters, varying across extension variants. Regardless of the signalling method, the underlying principle is identical: payload bytes sit outside the image format boundary, invisible to parsers but trivially accessible to code.Detection difficulty: Low. The file is larger than its image dimensions require. Entropy analysis reveals a sharp transition at the end-of-file marker: structured image data on one side, high-entropy payload on the other. Format-aware scanners that compare actual file size against expected size catch this reliably. The technique persists because many security tools still treat image files as opaque blobs and never perform this comparison.
BlackBerry Cylance's 2019 research described the OceanLotus implementation as bespoke and therefore not easily prone to detection by standard analysis tools. By layering AES-128 encryption and XOR obfuscation on top of LSB encoding, the group ensured that statistical tests targeting raw LSB patterns would find only the uniform distribution characteristic of encrypted data, not the structured patterns those tests are designed to detect.
Detection difficulty: High when encrypted. Statistical tests such as chi-square analysis and RS analysis are effective at detecting unencrypted LSB embedding because the encoding process creates measurable distortions in pixel value pair distributions. However, when the payload is encrypted before embedding, as OceanLotus and Witchetty both did, the embedded bits are statistically indistinguishable from random noise. The encrypted data produces a uniform distribution that defeats the very statistical anomalies these tests rely on. For a detailed treatment of chi-square and RS analysis methods, see Steganography Detection Techniques.
Detection difficulty: Low to Medium. Metadata inspection tools exist and are widely available. The challenge is that most security products do not examine image metadata for executable content. A JPEG with PHP code in its EXIF Comment field passes through email gateways, web application firewalls, and antivirus scanners without triggering alerts. Detection requires purpose-built rules that scan metadata fields for code patterns: eval, base64_decode, exec, script syntax, or high-entropy binary data in fields that should contain human-readable text.
Detection difficulty: Medium. IDAT-embedded payloads produce measurable anomalies. The entropy of individual IDAT chunks is higher than expected for typical image content, often approaching 8.0 bits per byte. The number of IDAT chunks may be unusual. Marker scanning patterns can be detected through YARA rules targeting specific byte sequences within the compressed stream. However, distinguishing a payload-bearing IDAT from a legitimately high-entropy photographic image requires contextual analysis rather than simple thresholds.
getIcon and iconStreamFromIcon APIs in PDF readers to extract data from embedded image streams within the document. The extraction was invisible to users because it operated through the document's internal scripting capabilities rather than external network connections. The payload was encoded within an image stream that the PDF legitimately contained, making structural analysis of the PDF appear clean.Detection difficulty: Medium to High. Offset-marker extraction leaves minimal forensic traces. The marker itself is a short sequence of bytes at a known position, indistinguishable from random data without knowledge of the format. The payload occupies a region that may overlap with or replace legitimate document content. Detection requires either prior knowledge of the specific marker format used by a given campaign, or anomaly detection at the document structure level: unexpected leading bytes in PDFs, oversized embedded resources, or JavaScript accessing image stream APIs in ways that do not correspond to visible document elements.
The encryption layer problem
Successful extraction is rarely the end of the analysis. In the majority of documented campaigns, the extracted payload is encrypted, encoded, or both. Steganography conceals the data's existence. Encryption protects its contents. The two layers serve complementary purposes, and defeating one does not automatically defeat the other.
OceanLotus layered AES-128 and XOR on top of LSB encoding. Turla's LightNeuron used AES-256 to encrypt commands embedded via offset markers. XWorm's StegoCampaign applied AES-ECB encryption to its appended payloads. IcedID uses RC4 with a key embedded in the carrier image itself. GHOSTPULSE v1 combined XOR decryption with LZNT1 decompression. In every case, a defender who successfully identifies and extracts the steganographic payload is left holding ciphertext that requires a second, entirely separate analytical pass.
This is where the distinction between detection and analysis becomes critical. A steganographic detector can identify that hidden data exists. It may even extract the raw bytes. But if those bytes are AES-encrypted, the detector has produced an artefact that reveals nothing about the threat without the corresponding decryption key. Key recovery, cipher identification, and decryption are separate disciplines from steganographic extraction. For a deeper treatment of how encryption keys function as threat intelligence, see Malware Encryption Keys as Threat Intelligence.
Beyond encryption, extracted payloads frequently contain additional obfuscation layers. A decrypted payload might be Base64-encoded PowerShell that, when decoded, reveals a GZip-compressed stream containing obfuscated JavaScript with string concatenation and character code arithmetic. The steganographic image was just the outermost container. The full analysis chain runs: image analysis, extraction, decryption, deobfuscation (often through multiple iterations), and finally IOC generation from the recovered plaintext.
A steganographic detector alone is insufficient for threat analysis. The full chain requires: carrier identification, extraction using the correct technique, decryption (often requiring key recovery from the same file or related infrastructure), multi-layer deobfuscation of the decrypted payload, and IOC extraction from the final plaintext. Stopping at any intermediate step produces incomplete intelligence.
Extraction techniques compared
| Technique | Malware Family | Image Format | Encryption Layer | Detection Difficulty |
|---|---|---|---|---|
| Appended data | XWorm StegoCampaign, GhostPoster | JPEG, PNG, GIF | AES-ECB (XWorm), XOR + Base64 (GhostPoster) | Low |
| LSB pixel encoding | OceanLotus, Worok, Witchetty | PNG, BMP | AES-128 + XOR (OceanLotus), XOR (Witchetty) | High (when encrypted) |
| Chunk/metadata injection | PHP webshells, SteamHide | JPEG, PNG | Custom encryption (SteamHide), none (PHP) | Low-Medium |
| IDAT stream injection | IcedID, GHOSTPULSE v1 | PNG | RC4 (IcedID), XOR + LZNT1 (GHOSTPULSE) | Medium |
| Offset-marker extraction | Turla LightNeuron, EdgeSpot PDF | AES-256 (Turla), none (EdgeSpot) | Medium-High |
Several patterns emerge from this comparison. First, PNG is the dominant carrier format, appearing in four of five categories. Its lossless compression preserves embedded data exactly, and its chunk-based structure provides multiple hiding locations. Second, encryption is the norm rather than the exception. Only the simplest techniques (basic appended data, PHP EXIF injection) sometimes ship without an encryption layer. Third, detection difficulty correlates more strongly with the presence of encryption than with the complexity of the embedding method. LSB encoding is well-understood and has mature detection tools, but those tools fail when the embedded data is encrypted first.
What extraction code reveals to defenders
Analysing the extraction logic in a malware sample provides intelligence beyond just recovering the payload. The choice of technique fingerprints the threat actor. IcedID's RC4-over-IDAT pattern is distinctive. OceanLotus's bespoke LSB with AES-128 is attributable. GhostPoster's delimiter-plus-character-swap chain is recognisable across campaign variants. When a new sample uses a known extraction pattern, attribution narrows immediately.
The extraction code also reveals the detection opportunities. Appended data techniques are vulnerable to file size comparison. IDAT injection produces entropy anomalies. Metadata injection is catchable with field-level content inspection. Offset-marker techniques leave structural anomalies in the carrier document. Each extraction method implies a corresponding detection method, and defenders who understand the extraction logic can write targeted YARA rules, configure format-aware scanning, or instrument monitoring for the specific file access patterns each technique requires.
Finally, the extraction code dictates the post-extraction workflow. If the extraction routine includes an RC4 decryption step with a key read from the same file, the defender knows to look for the key in the carrier. If the routine applies XOR followed by decompression, the defender knows the decryption order. If the routine passes output to eval or Invoke-Expression, the defender knows the decrypted payload is executable code that likely requires further deobfuscation. The extraction code is, in effect, a recipe for reversing the entire concealment chain. For the broader taxonomy of stegomalware types and the decade of campaigns that shaped current technique adoption, see What is Stegomalware?. When the carrier is a PDF document rather than a standalone image, additional analysis layers come into play, as described in Analysing Steganographic Document Attacks.
KlaroSkope detects steganographic payloads across all five extraction methods and feeds extracted content directly into its deobfuscation engine. No manual tool-chaining required. Test Against a Real Sample →
Frequently Asked Questions
What is the most common steganographic technique used by malware?
Can steganographic malware hide its own decryption key in the same image?
How do APT groups make steganography harder to detect?
What is the difference between steganography and obfuscation?
Which image formats support steganographic embedding?
Continue Learning
Ready to decode?
See KlaroSkope transform obfuscated scripts into actionable intelligence.
Try It Free