A format boundary attack is a malware delivery technique that exploits the gaps between file format parsers. Instead of evading a single detection engine, the attack forces analysis to cross from one parser to another - email to Office document, document to embedded image, image to extracted script - with each transition creating a blind spot that most security tools cannot follow.
Every security tool has a parser. Your email gateway parses MIME. Your sandbox detonates executables. Your EDR watches process behaviour. Each parser is competent within its domain. The problem is the handoff. When a phishing email contains a Word document that embeds a PNG image that hides a PowerShell script, the payload crosses four format boundaries. Most security architectures treat each boundary as someone else's problem. Attackers have learned to exploit that assumption with devastating efficiency.
The Parser Handoff Problem
Modern security infrastructure is built around format specialisation. Email security gateways excel at MIME parsing, header analysis, and attachment extraction. Sandbox environments detonate executables and observe runtime behaviour. Static analysis engines parse scripts for known-malicious patterns. Each tool operates within a defined format scope.
This specialisation creates what Elastic Security Labs documented in their 2024 GHOSTPULSE analysis: a structural gap at every format transition. When GHOSTPULSE embeds encrypted payload data within PNG IDAT chunks, the email gateway sees a clean attachment, the image scanner sees a valid PNG, and the script analyser never receives anything to scan. The malicious content exists between parsers, visible to none of them individually.
Format boundary attacks do not require sophisticated per-layer obfuscation. The evasion comes from the transitions themselves. A chain of four format boundaries using only Base64 and single-byte XOR at each layer will evade more tools than a single-format payload wrapped in 15 layers of advanced encoding. Depth of format transitions matters more than complexity of individual layers.
Taxonomy of Format Boundaries
Not all format boundaries carry equal risk. The table below maps the most commonly exploited transitions in real-world campaigns, ordered by prevalence in 2025-2026 threat telemetry.
| Boundary | From | To | Campaign Example | Detection Gap |
|---|---|---|---|---|
| Email to Office | .eml / .msg | .doc / .xlsx / .pptx | TA558 SteganoAmor (2024) | Email gateway extracts attachment but does not parse macro content |
| Office to Image | .doc / .xlsx | .png / .jpg / .bmp | XWorm (2025), AgentTesla | Office analyser flags macros but ignores embedded image payloads |
| Image to Script | .png / .bmp / .gif | .ps1 / .js / .vbs | GHOSTPULSE v2, Caminho Loader | Image scanner validates format integrity, not hidden data |
| PDF to JavaScript | JS stream | Various PDF droppers (2024-2025) | PDF scanner checks structure, JS engine not invoked on embedded streams | |
| Archive to Anything | .zip / .rar / .7z | Mixed contents | GCleaner/PrivateLoader (2024-2025) | Archive scanner checks file listing, not recursive content analysis |
The Inverse Depth-Sophistication Relationship
One pattern that emerges from analysing multi-format campaigns is this: the more format boundaries a chain crosses, the simpler each individual layer tends to be.
XWorm's 2025 campaigns cross four format boundaries (email, Office document, steganographic image, PowerShell script) but use only Base64 encoding and single-byte XOR at each transition. AgentTesla variants follow the same pattern. The sophistication budget is spent on the chain architecture, not on per-layer encoding strength.
This makes sense from an operational perspective. Each format boundary adds complexity to the delivery infrastructure. Adding a steganographic embedding step requires image generation tooling, payload alignment, and quality assurance that the carrier image renders correctly. Investing further in advanced obfuscation at each layer produces diminishing returns when the format transition alone defeats most scanners.
This inverse relationship means that per-layer obfuscation strength is a poor indicator of campaign sophistication. A chain with four format boundaries and Base64 at each layer is operationally more advanced than a single-format script with 12 layers of XOR and string manipulation.
Eight Campaigns That Exploit Format Boundaries
The following campaigns represent the current state of multi-format delivery. Each exploits at least two format boundaries, with the most advanced chains crossing four or five.
| Campaign | Format Chain | Boundaries | Per-Layer Complexity | Active Period |
|---|---|---|---|---|
| TA558 SteganoAmor | Email > Excel/Word (CVE-2017-11882) > VBS download > JPG stego > payload | 3 | Base64 | 2024-present |
| XWorm | Email > DOCX > PNG stego > PowerShell | 3 | Base64 + XOR (single byte) | 2024-present |
| AsyncRAT | Email > ISO/IMG > LNK > PowerShell > stego PNG | 4 | Base64 + AES-CBC | 2023-present |
| PhantomVAI | Email > DOCX > macro > GIF (custom markers) > .NET loader | 4 | Custom delimiter + Base64 | 2025-present |
| GHOSTPULSE v1 | Email > MSIX > PE > PNG IDAT chunks | 3 | XOR with marker-based chunk extraction | 2023-2024 |
| GHOSTPULSE v2 | ClickFix fake CAPTCHA > clipboard PowerShell > PNG pixel data | 2 | Pixel-value extraction + XOR | 2024-present |
| AgentTesla | Email > RTF/XLSX > OLE object > stego BMP | 3 | Base64 + GZip | 2022-present |
| Caminho Loader | Phishing > Archive > JS/VBS > PowerShell > LSB stego image | 4 | Base64 + LSB extraction | 2024-present |
The trend is clear. XWorm detections surged throughout 2025, with ANY.RUN's malware trends data ranking it among the most prevalent threats globally. Nearly all observed variants used multi-format delivery chains rather than single-format obfuscation. The delivery infrastructure is evolving faster than per-sample encoding techniques.
Why Sandbox Detonation Misses Format Boundaries
Dynamic analysis environments execute the final payload and monitor system behaviour. This is excellent for identifying what malware does once active. It is fundamentally limited for understanding how it arrived.
Format boundary transitions happen in the loader code, not in the final payload. When TA558's SteganoAmor chain extracts Base64 data from a JPG image and reconstructs it into a payload, that reconstruction logic runs in a script context that may not trigger sandbox detonation at all. The sandbox sees either a clean Office document (if macro execution is blocked) or the final payload (if execution succeeds), but never the format boundary crossing itself.
Multi-format delivery chains consistently outperform single-format samples in sandbox evasion. The evasion advantage comes not from sophisticated anti-analysis techniques but from the structural limitations of detonation-based analysis. Each additional format boundary adds a parsing handoff that sandbox instrumentation typically does not follow.
Static Analysis at the Boundary
The Industrialisation of Format Chains
Format boundary attacks are no longer bespoke operations. Positive Technologies' 2024 analysis of TA558's SteganoAmor campaign documents a group that delivers multiple malware families (AgentTesla, FormBook, Remcos, XWorm) through a consistent email-to-Office-to-image-to-script infrastructure, suggesting modular delivery tooling. Unit 42's analysis of PhantomVAI reveals a similar pattern: a Malware-as-a-Service platform where the multi-format delivery chain is the product being sold.
This industrialisation means format boundary attacks are no longer limited to advanced threat actors. Commodity RAT operators can purchase delivery infrastructure that crosses three or four format boundaries without understanding the underlying techniques. The barrier to entry has collapsed while the detection challenge remains.
Implications for Detection Engineering
Traditional detection rules operate within a single format domain. A YARA rule matches byte patterns in a file. A Sigma rule correlates log events. Neither is designed to span format boundaries.
Detecting format boundary attacks requires container-aware correlation: the ability to track content identity across format transitions. When a Base64 string extracted from a PNG steganographic payload matches a known C2 URL pattern, the detection must trace that match back through the image, the Office document, and the email to produce actionable context. MITRE ATT&CK captures part of this under T1027.009 (Embedded Payloads) and T1566.001 (Spearphishing Attachment), but the framework does not yet model the transitions themselves as distinct detection opportunities.
Try it now --> klaroskope.com/submit - upload an email, an Office document, or an archive and see KlaroSkope follow every format transition automatically: container to embedded image to extracted script to decoded payload. Each boundary is reported as its own analysis layer with provenance, so the IOCs you extract carry the full chain of where they came from.
Frequently Asked Questions
What is a format boundary attack?
How many format boundaries do real campaigns use?
Can sandboxes detect format boundary attacks?
What is the difference between multi-layer and multi-format obfuscation?
Which malware families use format boundary attacks?
Continue Learning
Ready to decode?
See KlaroSkope transform obfuscated scripts into actionable intelligence.
Try It Free