Fundamentals09-Mar-26|11 min read

What Is a Format Boundary Attack?

Why malware's most dangerous evasion happens between file formats, not within them

Definition:

A format boundary attack is a malware delivery technique that exploits the gaps between file format parsers. Instead of evading a single detection engine, the attack forces analysis to cross from one parser to another - email to Office document, document to embedded image, image to extracted script - with each transition creating a blind spot that most security tools cannot follow.

Every security tool has a parser. Your email gateway parses MIME. Your sandbox detonates executables. Your EDR watches process behaviour. Each parser is competent within its domain. The problem is the handoff. When a phishing email contains a Word document that embeds a PNG image that hides a PowerShell script, the payload crosses four format boundaries. Most security architectures treat each boundary as someone else's problem. Attackers have learned to exploit that assumption with devastating efficiency.

The Parser Handoff Problem

Modern security infrastructure is built around format specialisation. Email security gateways excel at MIME parsing, header analysis, and attachment extraction. Sandbox environments detonate executables and observe runtime behaviour. Static analysis engines parse scripts for known-malicious patterns. Each tool operates within a defined format scope.

This specialisation creates what Elastic Security Labs documented in their 2024 GHOSTPULSE analysis: a structural gap at every format transition. When GHOSTPULSE embeds encrypted payload data within PNG IDAT chunks, the email gateway sees a clean attachment, the image scanner sees a valid PNG, and the script analyser never receives anything to scan. The malicious content exists between parsers, visible to none of them individually.

Format boundary attacks do not require sophisticated per-layer obfuscation. The evasion comes from the transitions themselves. A chain of four format boundaries using only Base64 and single-byte XOR at each layer will evade more tools than a single-format payload wrapped in 15 layers of advanced encoding. Depth of format transitions matters more than complexity of individual layers.

Taxonomy of Format Boundaries

Not all format boundaries carry equal risk. The table below maps the most commonly exploited transitions in real-world campaigns, ordered by prevalence in 2025-2026 threat telemetry.

Key Examples
Email to Office
From.eml / .msg
To.doc / .xlsx / .pptx
Campaign ExampleTA558 SteganoAmor (2024)
Detection GapEmail gateway extracts attachment but does not parse macro content
Office to Image
From.doc / .xlsx
To.png / .jpg / .bmp
Campaign ExampleXWorm (2025), AgentTesla
Detection GapOffice analyser flags macros but ignores embedded image payloads
Image to Script
From.png / .bmp / .gif
To.ps1 / .js / .vbs
Campaign ExampleGHOSTPULSE v2, Caminho Loader
Detection GapImage scanner validates format integrity, not hidden data
PDF to JavaScript
From.pdf
ToJS stream
Campaign ExampleVarious PDF droppers (2024-2025)
Detection GapPDF scanner checks structure, JS engine not invoked on embedded streams
Archive to Anything
From.zip / .rar / .7z
ToMixed contents
Campaign ExampleGCleaner/PrivateLoader (2024-2025)
Detection GapArchive scanner checks file listing, not recursive content analysis

The Inverse Depth-Sophistication Relationship

One pattern that emerges from analysing multi-format campaigns is this: the more format boundaries a chain crosses, the simpler each individual layer tends to be.

XWorm's 2025 campaigns cross four format boundaries (email, Office document, steganographic image, PowerShell script) but use only Base64 encoding and single-byte XOR at each transition. AgentTesla variants follow the same pattern. The sophistication budget is spent on the chain architecture, not on per-layer encoding strength.

This makes sense from an operational perspective. Each format boundary adds complexity to the delivery infrastructure. Adding a steganographic embedding step requires image generation tooling, payload alignment, and quality assurance that the carrier image renders correctly. Investing further in advanced obfuscation at each layer produces diminishing returns when the format transition alone defeats most scanners.

This inverse relationship means that per-layer obfuscation strength is a poor indicator of campaign sophistication. A chain with four format boundaries and Base64 at each layer is operationally more advanced than a single-format script with 12 layers of XOR and string manipulation.

Eight Campaigns That Exploit Format Boundaries

The following campaigns represent the current state of multi-format delivery. Each exploits at least two format boundaries, with the most advanced chains crossing four or five.

Key Examples
TA558 SteganoAmor
Format ChainEmail > Excel/Word (CVE-2017-11882) > VBS download > JPG stego > payload
Boundaries3
Per-Layer ComplexityBase64
Active Period2024-present
XWorm
Format ChainEmail > DOCX > PNG stego > PowerShell
Boundaries3
Per-Layer ComplexityBase64 + XOR (single byte)
Active Period2024-present
AsyncRAT
Format ChainEmail > ISO/IMG > LNK > PowerShell > stego PNG
Boundaries4
Per-Layer ComplexityBase64 + AES-CBC
Active Period2023-present
PhantomVAI
Format ChainEmail > DOCX > macro > GIF (custom markers) > .NET loader
Boundaries4
Per-Layer ComplexityCustom delimiter + Base64
Active Period2025-present
GHOSTPULSE v1
Format ChainEmail > MSIX > PE > PNG IDAT chunks
Boundaries3
Per-Layer ComplexityXOR with marker-based chunk extraction
Active Period2023-2024
GHOSTPULSE v2
Format ChainClickFix fake CAPTCHA > clipboard PowerShell > PNG pixel data
Boundaries2
Per-Layer ComplexityPixel-value extraction + XOR
Active Period2024-present
AgentTesla
Format ChainEmail > RTF/XLSX > OLE object > stego BMP
Boundaries3
Per-Layer ComplexityBase64 + GZip
Active Period2022-present
Caminho Loader
Format ChainPhishing > Archive > JS/VBS > PowerShell > LSB stego image
Boundaries4
Per-Layer ComplexityBase64 + LSB extraction
Active Period2024-present

The trend is clear. XWorm detections surged throughout 2025, with ANY.RUN's malware trends data ranking it among the most prevalent threats globally. Nearly all observed variants used multi-format delivery chains rather than single-format obfuscation. The delivery infrastructure is evolving faster than per-sample encoding techniques.

Why Sandbox Detonation Misses Format Boundaries

Dynamic analysis environments execute the final payload and monitor system behaviour. This is excellent for identifying what malware does once active. It is fundamentally limited for understanding how it arrived.

Format boundary transitions happen in the loader code, not in the final payload. When TA558's SteganoAmor chain extracts Base64 data from a JPG image and reconstructs it into a payload, that reconstruction logic runs in a script context that may not trigger sandbox detonation at all. The sandbox sees either a clean Office document (if macro execution is blocked) or the final payload (if execution succeeds), but never the format boundary crossing itself.

Multi-format delivery chains consistently outperform single-format samples in sandbox evasion. The evasion advantage comes not from sophisticated anti-analysis techniques but from the structural limitations of detonation-based analysis. Each additional format boundary adds a parsing handoff that sandbox instrumentation typically does not follow.

Static Analysis at the Boundary

Recursive Container AnalysisThe alternative to detonation is recursive container analysis: parsing each format layer statically, extracting embedded content, and dispatching it to the appropriate next-stage parser. An email yields an Office document, the document yields an embedded image, the image yields extracted bytes, and those bytes enter the deobfuscation pipeline. This approach traces format transitions without execution, preserving the full chain for analyst review. Tools like KlaroSkope implement this as a single automated pipeline, following the format chain from initial container to final payload regardless of how many boundaries are crossed. The key engineering challenge is parser coverage. Each format boundary requires a dedicated parser that understands the embedding conventions of that specific format pair. An Office-to-image boundary requires OLE2/OOXML parsing with embedded object extraction. An image-to-script boundary requires steganographic extraction across multiple techniques (LSB, appended data, chunk-based, pixel-value). Missing any single parser breaks the chain.

The Industrialisation of Format Chains

Format boundary attacks are no longer bespoke operations. Positive Technologies' 2024 analysis of TA558's SteganoAmor campaign documents a group that delivers multiple malware families (AgentTesla, FormBook, Remcos, XWorm) through a consistent email-to-Office-to-image-to-script infrastructure, suggesting modular delivery tooling. Unit 42's analysis of PhantomVAI reveals a similar pattern: a Malware-as-a-Service platform where the multi-format delivery chain is the product being sold.

This industrialisation means format boundary attacks are no longer limited to advanced threat actors. Commodity RAT operators can purchase delivery infrastructure that crosses three or four format boundaries without understanding the underlying techniques. The barrier to entry has collapsed while the detection challenge remains.

Implications for Detection Engineering

Traditional detection rules operate within a single format domain. A YARA rule matches byte patterns in a file. A Sigma rule correlates log events. Neither is designed to span format boundaries.

Detecting format boundary attacks requires container-aware correlation: the ability to track content identity across format transitions. When a Base64 string extracted from a PNG steganographic payload matches a known C2 URL pattern, the detection must trace that match back through the image, the Office document, and the email to produce actionable context. MITRE ATT&CK captures part of this under T1027.009 (Embedded Payloads) and T1566.001 (Spearphishing Attachment), but the framework does not yet model the transitions themselves as distinct detection opportunities.

Try it now --> klaroskope.com/submit - upload an email, an Office document, or an archive and see KlaroSkope follow every format transition automatically: container to embedded image to extracted script to decoded payload. Each boundary is reported as its own analysis layer with provenance, so the IOCs you extract carry the full chain of where they came from.

Frequently Asked Questions

Q

What is a format boundary attack?

A format boundary attack is a malware delivery technique that exploits the gaps between file format parsers. By chaining content across multiple file formats (email to Office document to image to script), the attack ensures that no single parser sees the complete malicious payload. Each format transition creates a detection blind spot.
Q

How many format boundaries do real campaigns use?

Most active campaigns in 2025-2026 use 2 to 4 format boundaries. TA558 SteganoAmor uses 3 (email to Office document to JPG image to payload). AsyncRAT variants use up to 4 (email to ISO to LNK to PowerShell to steganographic PNG). More boundaries increase evasion but add operational complexity.
Q

Can sandboxes detect format boundary attacks?

Sandboxes detect the final payload's behaviour but typically miss the format transitions in the delivery chain. The loader code that crosses format boundaries (extracting data from an image, parsing an embedded object from a document) executes in contexts that may not trigger sandbox analysis. Multi-format chains consistently outperform single-format samples in sandbox evasion.
Q

What is the difference between multi-layer and multi-format obfuscation?

Multi-layer obfuscation applies multiple encoding techniques within a single file format (Base64 inside XOR inside GZip, all within one PowerShell script). Multi-format obfuscation crosses file format boundaries (email contains document contains image contains script). Multi-format attacks exploit parser handoff gaps that multi-layer attacks within a single format cannot.
Q

Which malware families use format boundary attacks?

XWorm, AsyncRAT, AgentTesla, GHOSTPULSE, PhantomVAI, TA558's SteganoAmor, and Caminho Loader all use multi-format delivery chains. KlaroSkope's engine processes these email-to-Office-to-image-to-script chains in a single pass through recursive container analysis, following each format transition automatically.

Found this useful? Sharing is caring!

Ready to decode?

See KlaroSkope transform obfuscated scripts into actionable intelligence.

Try It Free