Steganography in malware delivery is the practice of concealing malicious code within ordinary-looking image files. Unlike encryption, which makes data unreadable, steganography makes data invisible. The image displays normally in any viewer while carrying embedded payloads that can be extracted and executed by malware at runtime. This technique has seen significant adoption in 2024-2026 as attackers seek delivery mechanisms that bypass modern security controls.
Modern endpoint security has become remarkably effective at catching traditional malware. Signature databases contain millions of known threats. Behavioural analysis monitors process activity in real time. Machine learning models flag anomalous patterns before execution completes. This success has created a paradox. As detection improves, attackers invest more heavily in evasion. The arms race has pushed malware development toward techniques that operate outside the visibility of conventional security tools.
Steganography represents one such technique. An image file containing hidden malware looks identical to a clean image. It shares the same file type, the same structure, and often the same visual content. Security scanners that examine file headers, parse known malware signatures, or analyse executable content find nothing to flag. The malicious payload exists, but it exists in a form these tools are not designed to see.
Why now?
Steganography is not new. Security researchers documented malware using hidden image payloads as early as 2011. But the technique remained relatively rare through the mid-2010s, used primarily by sophisticated threat actors who could justify the additional development complexity.
That changed around 2020. Several factors converged to make steganography attractive to a broader range of attackers.
Endpoint detection and response solutions became widespread. EDR promised visibility into process behaviour that signature-based antivirus could not provide. For attackers, this meant that traditional droppers and loaders faced scrutiny they had previously avoided. Hiding the payload outside the executable became more valuable when the executable itself was under constant observation.
Cloud infrastructure normalised image hosting. Malware that fetches payloads from external servers can be blocked by reputation systems or URL filtering. But images hosted on legitimate services like GitHub, Imgur, or content delivery networks blend into normal traffic. A loader fetching its payload from a PNG on a trusted domain raises fewer alerts than one connecting to a suspicious IP address.
Browser extensions emerged as a delivery vector. The GhostPoster campaign, documented in late 2025, demonstrated the technique at scale. Malicious extensions hid JavaScript payloads inside their own icon files. The extensions installed through official stores, displaying the icons normally while carrying embedded code that would execute days after installation.
The common thread across these drivers is trust exploitation. Steganography works because images are trusted file types. Legitimate hosting works because the platform is trusted. Extensions work because the store is trusted. Attackers aren't breaking defences. They're routing around them through channels defenders haven't instrumented.
How attackers conceal payloads
The techniques vary in sophistication, but they share a common principle: exploit the gap between what parsers require and what files can contain.
Alpha channel encoding (AdGholas formula):
character_code = (255 - alpha1) x 10 + (255 - alpha2) + 32
Example: alpha values 251, 255 → (255 - 251) x 10 + (255 - 255) + 32 = 72 → 'H'
Two pixels encode one character. A 300x250 banner ad carries ~37,000 characters of hidden JavaScript.
Campaign case studies
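AdGholas, the first campaign in the table in this section, is the one that used the alpha-channel formula given above. As an added example (not code from the page or from any campaign), here is the analyst-side decoder together with a capacity calculation and a cheap screening ratio of near-opaque alpha values. The lower bound of 246 follows from the formula itself (255 minus a single digit); the near_opaque_ratio heuristic and the sample alpha values are constructed for illustration.

```python
# Added example (not from the page or any campaign's code): decode text hidden
# with the AdGholas alpha-channel formula and measure what an image could carry.
# The near-opaque screening heuristic and the sample values are constructed.

ALPHA_MIN = 246  # 255 - 9: the smallest alpha value the formula can produce


def decode_alpha_pairs(alphas):
    """Recover printable text from consecutive alpha values, two per character.

    character_code = (255 - alpha1) * 10 + (255 - alpha2) + 32
    Decoding stops at the first pair that cannot be an encoded character, which
    is how an analyst separates the hidden text from ordinary pixels.
    """
    chars = []
    for a1, a2 in zip(alphas[0::2], alphas[1::2]):
        if a1 < ALPHA_MIN or a2 < ALPHA_MIN:
            break  # an alpha value below 246 is not part of the scheme
        code = (255 - a1) * 10 + (255 - a2) + 32
        if code > 126:
            break  # beyond printable ASCII
        chars.append(chr(code))
    return "".join(chars)


def capacity_chars(width, height):
    """Characters an image of this size can carry at two pixels per character."""
    return (width * height) // 2


def near_opaque_ratio(alphas):
    """Fraction of alpha values in 246..254: nearly but not fully opaque pixels.

    Ordinary graphics are either fully opaque (255) or clearly transparent, so a
    high ratio of slightly-off-opaque values is a cheap first-pass indicator
    worth a closer look (constructed heuristic, tune on real image sets).
    """
    if not alphas:
        return 0.0
    hits = sum(1 for a in alphas if ALPHA_MIN <= a < 255)
    return hits / len(alphas)


if __name__ == "__main__":
    # Constructed sample: the pairs (251, 255) and (248, 252) encode "Hi".
    sample = [251, 255, 248, 252]
    print(decode_alpha_pairs(sample))       # Hi
    print(capacity_chars(300, 250))         # 37500
    print(near_opaque_ratio(sample))        # 0.75
```

The decoder deliberately stops on the first pair that falls outside the scheme rather than raising, because in a real scan the hidden text is followed by ordinary pixels whose alpha values are arbitrary.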
The evolution of steganographic malware reveals increasing sophistication and scale.
IcedID (2020-present) began as a banking trojan in 2017 but adopted steganography around 2020. Its loaders fetch PNG images from attacker infrastructure, locate the encrypted payload within IDAT chunks using embedded markers, extract the data, and decrypt it using an RC4 key stored in the image itself. The resulting images appear grey and noisy because the pseudo-random encrypted data produces high-entropy pixel values. Security teams can identify suspected IcedID images by measuring Shannon entropy in the IDAT segment; values approaching 8.0 indicate likely encrypted content.
GHOSTPULSE (2023-present) demonstrates rapid technique evolution. The original version, documented by Elastic Security Labs in October 2023, searched PNG files for an "IDAT" string marker followed by a four-byte validation tag. Matching chunks were concatenated, XOR decrypted, and decompressed. By October 2024, GHOSTPULSE had shifted entirely to pixel-level encoding. The new version uses Windows graphics APIs to extract RGB values sequentially, then validates 16-byte blocks using CRC32 checksums embedded in the first four bytes of each block. Only blocks passing validation contain payload data. This approach eliminates the string markers that detection rules targeted in the original version.
GHOSTPULSE's evolution from v1 to v2 illustrates the arms race in steganographic malware. Version 1 relied on string markers that defenders could write YARA rules against. Version 2 eliminated those markers entirely, embedding payload data directly in pixel values validated by CRC32 checksums. The detection approach had to shift from signature matching to statistical analysis.
GhostPoster (2025-2026) applied steganography specifically to browser extensions. The campaign hid payloads after PNG IEND markers in extension icon files, using delimiter sequences to mark the start of hidden data. Firefox variants used triple equals signs; Chrome and Edge variants used four greater-than symbols. The payload was XOR encrypted using the extension's runtime identifier as the key, then Base64 encoded, then run through a character substitution cipher that swapped uppercase and lowercase letters and exchanged the digits 8 and 9. This layered encoding produced content that appeared random and defied simple pattern matching.
Witchetty (2022) took a different approach, hosting its steganographic images on GitHub. The group embedded an XOR-encrypted backdoor in a Windows logo bitmap, fetching it from a repository that appeared to contain legitimate graphics. This technique exploited the reputation of a trusted platform while placing the payload outside infrastructure the attackers directly controlled.
| Campaign | Period | Technique | Target Scale |
|---|---|---|---|
| AdGholas/Stegano | 2016 | Alpha channel difference encoding | Millions via malvertising |
| IcedID | 2020-present | IDAT chunk embedding, RC4 encryption | Banking sector globally |
| Witchetty | 2022 | XOR-encrypted bitmap on GitHub | Middle East governments |
| GHOSTPULSE v1 | 2023 | IDAT marker scanning, XOR, LZNT1 | Enterprise via malvertising |
| GHOSTPULSE v2 | 2024 | Pixel value encoding, CRC32 validation | Enterprise via SEO poisoning |
| GhostPoster | 2025-2026 | Appended EOF with delimiter markers | 840,000+ downloads (DarkSpectre umbrella: 8.8M) |
The operational advantages
Steganography offers attackers several benefits beyond simple evasion.
Payload separation reduces exposure. When the malicious code resides in an image rather than the loader, compromise of the loader does not immediately reveal the payload. Analysts who capture and reverse the loader find only extraction logic. They must also obtain the correct image, identify the embedding technique, and successfully extract the hidden data before they can analyse the actual malware.
Infrastructure flexibility improves. Images can be hosted on legitimate services, rotated between hosts, or embedded directly in documents and emails. A single loader can fetch different payloads from different images based on target characteristics. The same steganographic format can carry credential stealers, ransomware loaders, or remote access tools depending on the campaign's objectives.
Detection rules age quickly. Signature-based detection depends on identifying consistent patterns. Steganographic techniques can be varied almost arbitrarily: different embedding methods, different encoding schemes, different encryption keys. Each variation potentially requires new detection logic. Defenders must anticipate techniques rather than simply cataloguing known samples.
Detection approaches
Effective detection requires looking beyond what image parsers see.
File size analysis provides a starting point. An image file significantly larger than its dimensions require may contain appended data. A 100x100 pixel PNG at 24-bit colour depth needs roughly 30 kilobytes of uncompressed image data plus format overhead. A file of those dimensions approaching one megabyte warrants examination.
Entropy measurement identifies encrypted or compressed hidden content. Clean images have structured entropy that varies by region: edges, textures, and gradients produce different distributions. Hidden encrypted payloads have entropy approaching the theoretical maximum of 8.0 bits per byte. Measuring entropy across IDAT chunks, appended data, or extracted LSB planes can flag anomalies.
Structural analysis parses the image format to identify non-standard elements. PNG files should not contain private chunks with high-entropy data. JPEG files should not have kilobytes of content after the EOI marker. EXIF metadata should not contain Base64-encoded strings or executable code patterns.
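The three checks described in this section, together with the IDAT-entropy heuristic from the IcedID case study and the appended-after-IEND pattern from GhostPoster, combined in one added Python analyser. This is example code written for this page, not KlaroSkope's or any vendor's implementation; it parses PNG chunks directly using only the standard library. The sample image, the trailer and the stand-in for an encrypted IDAT blob are constructed inline, and the 7.0 and 7.5 bits-per-byte thresholds, like the function and flag names, are assumptions to tune against real image sets.

```python
# Added example (not the page's or KlaroSkope's code): standard-library PNG
# anomaly checks covering file size, entropy and structure. The sample image,
# the trailer and the fake "encrypted" IDAT are constructed here; the entropy
# thresholds are assumptions to be tuned against real image sets.
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_chunks(blob: bytes):
    """Yield (type, data, offset just past the chunk) for each chunk up to IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        yield ctype, data, pos
        if ctype == b"IEND":
            break


def analyse_png(blob: bytes) -> dict:
    """Return size, entropy and structure findings plus a list of raised flags."""
    report = {"flags": [], "private_chunks": [], "file_size": len(blob)}
    idat, end = b"", len(blob)
    for ctype, data, pos in iter_chunks(blob):
        if ctype == b"IHDR":
            w, h, depth, colour = struct.unpack(">IIBB", data[:10])
            # uncompressed scanlines: one filter byte per row plus the samples
            report["expected_raw_size"] = h * (1 + (w * CHANNELS[colour] * depth + 7) // 8)
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            end = pos
        elif ctype[1] & 0x20:  # lowercase second letter marks a private chunk type
            ent = shannon_entropy(data)
            report["private_chunks"].append((ctype.decode("latin-1"), len(data), ent))
            if ent > 7.0:
                report["flags"].append("private_chunk_high_entropy")
    report["idat_stream_entropy"] = shannon_entropy(idat)
    try:
        raw = zlib.decompress(idat)
        report["pixel_entropy"] = shannon_entropy(raw)
        if report["pixel_entropy"] > 7.5:  # assumed threshold for raw scanlines
            report["flags"].append("high_entropy_pixels")
    except zlib.error:
        report["pixel_entropy"] = None  # IDAT holds something that is not deflate data
        report["flags"].append("idat_not_inflatable")
    trailer = blob[end:]
    report["trailing_bytes"] = len(trailer)
    report["trailing_entropy"] = shannon_entropy(trailer)
    if trailer:
        report["flags"].append("appended_data")
        if report["trailing_entropy"] > 7.0:
            report["flags"].append("high_entropy_trailer")
    if len(blob) > report.get("expected_raw_size", len(blob)):
        report["flags"].append("oversized")  # file larger than its own raw pixel data
    return report


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width: int = 16, height: int = 16, idat_override: bytes = None) -> bytes:
    """Constructed 8-bit RGB gradient; idat_override swaps in arbitrary IDAT bytes."""
    rows = b"".join(
        b"\x00" + b"".join(bytes((x * 16 % 256, y * 16 % 256, 128)) for x in range(width))
        for y in range(height)
    )
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    idat = zlib.compress(rows) if idat_override is None else idat_override
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


if __name__ == "__main__":
    clean = build_sample_png()
    # Constructed GhostPoster-style case: a delimiter then high-entropy bytes after IEND
    tampered = clean + b"===" + bytes(range(256)) * 8
    for name, blob in (("clean", clean), ("appended", tampered)):
        print(name, analyse_png(blob)["flags"])
```

One caveat the two entropy figures reflect: a well-formed IDAT stream is deflate-compressed and therefore naturally high in entropy, so the analyser also inflates it and measures the raw scanlines, where clean images drop far below the ceiling. An IDAT that will not inflate at all is the stronger signal for the IcedID pattern, and the oversized flag catches both appended trailers and chunks stuffed with non-image data without needing any entropy threshold.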
The defender's challenge
Steganography creates an asymmetric challenge. Attackers choose the embedding technique, the encoding scheme, and the encryption method. Defenders must detect all variations, ideally before the payload executes.
This asymmetry favours defence in depth. No single detection method catches all steganographic techniques. Effective security combines multiple approaches: file anomaly detection, entropy analysis, structural parsing, and behavioural monitoring of extraction attempts.
The extraction moment offers a detection opportunity. When malware extracts its hidden payload, it exhibits distinctive behaviour: fetching image resources and processing them as binary data rather than displaying them, scanning for specific byte patterns, and routing decoded output to execution functions. Monitoring for these patterns can catch steganographic attacks even when the image itself evades static analysis.
But the real challenge is what happens after extraction. The hidden payload is almost never the final form. It is typically obfuscated through multiple layers: XOR encryption revealing Base64, which decodes to compressed data, which decompresses to obfuscated JavaScript or PowerShell. Manually chaining tools for each layer is where most analysis stalls.
This is the problem KlaroSkope was built to solve. It handles the complete chain automatically: steganographic extraction, multi-layer deobfuscation (over 100 decoders, up to 25 layers deep), IOC extraction, MITRE ATT&CK mapping, and generation of YARA rules, Sigma rules, and a full analysis report. The entire pipeline runs in under a minute on the free tier. No tool-chaining, no manual decoding, no context-switching between a dozen utilities.
For specific extraction methods and tool recommendations, see Steganography Detection Techniques. For how steganography combines with browser extension abuse, see Analysing Malicious Browser Extensions.
Understanding specific techniques also enables targeted detection. Campaigns reuse methods. GHOSTPULSE v1's IDAT marker scanning produces detectable access patterns. GhostPoster's delimiter sequences can be flagged in JavaScript analysis. Knowledge of how particular families implement steganography translates directly into detection rules.