Fundamentals25-Feb-26|10 min read

What is Stegomalware? Types and Detection

A taxonomy of malware that hides inside images, and the decade-long campaign history defenders need to understand

Definition:

Stegomalware is malware that uses steganography to conceal malicious code, configuration data, or command-and-control instructions within ordinary digital media such as images, audio files, or documents. Unlike traditional malware where the payload resides inside an executable, stegomalware separates the payload from the carrier, making it invisible to security tools that examine only executable content.

In January 2019, the exploit analysis firm EdgeSpot published a finding that quietly demonstrated how far stegomalware had come. A PDF containing a steganographic exploit had been sitting in VirusTotal since October 2017. After more than a year of exposure to every major antivirus engine on the market, exactly one out of fifty-seven engines flagged it. The other fifty-six saw a normal PDF. That detection gap is not an anomaly. It is a structural consequence of how stegomalware works. The malicious payload does not exist in a form that security tools are built to recognise. It is woven into pixel values, appended after file terminators, or encoded in metadata fields. The file passes every format check, renders normally in every viewer, and carries nothing that matches a signature database. Defenders cannot signature-match what is not there.

Why stegomalware is fundamentally different

Conventional malware, however heavily obfuscated, still places its payload inside the file that gets executed. A packed executable contains compressed code. An obfuscated script contains encoded strings. The payload is present in the artefact a defender analyses. Obfuscation raises the cost of analysis but does not change where the malicious content lives.

Stegomalware breaks this assumption. The payload is not in the executable. It is in a separate, benign-looking file that security tools have no reason to flag. A PNG image. A JPEG photograph. A WAV audio clip. A PDF document. The executable contains only the extraction logic: instructions for reading the cover file, locating the hidden data, decoding it, and passing it to memory for execution. The extraction logic itself is often generic enough to appear legitimate.

This separation creates a compounding detection problem. Analysing the loader in isolation reveals extraction code but no payload. Analysing the image in isolation reveals a valid image file. Neither artefact, examined alone, appears malicious. The threat only materialises when the two are combined at runtime, in memory, with no intermediate file written to disk. For defenders relying on static analysis, file reputation, or signature matching, the attack surface is effectively invisible.

Three types of stegomalware

Academic research, notably the systematic survey by Chaganti et al. (2021), introduced a classification system that distinguishes stegomalware by how tightly the cover medium and extraction algorithm are coupled to the malware itself. This taxonomy matters because each type presents different detection challenges and different opportunities for defenders.

Type 0: Self-containedIn Type 0 stegomalware, both the cover image and the extraction algorithm are bundled with the malware. The stego-object is either embedded in the binary or distributed alongside it. The malware does not need to contact external infrastructure to retrieve the payload after initial delivery. GHOSTPULSE exemplifies this pattern: once the loader is on disk, it reads its steganographic PNG locally without further network communication. The image, the extraction routine, and the decryption key all travel together as a package. The detection opportunity here is the presence of the stego-object itself. If defenders capture the complete distribution package, they can extract and analyse the hidden payload.
Type I: Remote retrievalType I stegomalware separates the stego-object from the malware. The loader contains the extraction algorithm but downloads the cover image from a remote server at runtime. The image might be hosted on a legitimate platform such as GitHub, Imgur, or a CDN. This is the most common pattern in the wild today. XWorm downloads JPEG images containing Base64-encoded DLLs from web repositories. Worok fetches PNG files from remote servers and extracts payloads using LSB encoding. The cover image can be rotated, replaced, or taken offline independently of the loader. Defenders who capture only the loader find extraction code but no payload to analyse.
Type II: Externally orchestratedType II stegomalware distributes neither the cover image nor the extraction algorithm with the malware. Both components are retrieved externally or provided through separate channels. This is the hardest variant to detect and attribute, because no single artefact contains enough information to reconstruct the attack. The extraction logic might arrive as a separate script, be injected via a living-off-the-land binary, or exist only in memory after being fetched from a command-and-control server. Type II is rarer in commodity malware but appears in state-sponsored operations where operational security demands strict compartmentalisation.

The Type 0/I/II classification reflects an academic taxonomy for stegomalware, notably discussed in surveys such as Chaganti, Ravi, Alazab, and Pham's 2021 paper "Stegomalware: A Systematic Survey of Malware Hiding and Detection in Images, Machine Learning Models and Research Challenges." Most online resources cover steganographic techniques (LSB, EOF, chunk hiding) without distinguishing how the components are distributed. Understanding the distribution model matters because it determines which artefacts a defender can realistically obtain for analysis.

Four roles in the kill chain

Most discussions of stegomalware focus on payload delivery: an image carries hidden code that gets extracted and executed. But steganography serves at least four distinct roles across the attack lifecycle. Recognising all four is essential for building detection that covers the full threat surface.

1. Payload deliveryThis is the most common role and the one most frequently documented. The stego-object carries the primary payload: a backdoor, an information stealer, a RAT, or ransomware components. XWorm hides DLL payloads in JPEG and PNG images downloaded at runtime. OceanLotus embeds AES-encrypted backdoors in images distributed via phishing. Formbook disguises its executable payload as a PNG file and decrypts it in memory. Worok uses LSB encoding in PNG files to deliver its DropBoxControl stealer. The payload never touches disk in executable form, bypassing file-based scanning entirely.
2. Command and controlSteganography can carry commands from operators to implants without generating suspicious network traffic. Turla's LightNeuron backdoor, documented by ESET in 2019, received commands embedded in PDF and JPG email attachments. Because LightNeuron sat at the mail transport layer of Microsoft Exchange servers, it intercepted these emails before they reached any mailbox, executed the steganographically hidden instructions, and silently discarded the messages. Defenders monitoring network traffic saw ordinary email attachments. TeslaCrypt used a different approach, hiding C2 commands inside HTML comment tags within HTTP 404 error pages.
3. Data exfiltrationThe same steganographic techniques that deliver payloads inward can move stolen data outward. Encoded into images, exfiltrated data blends with normal web traffic. Duqu, one of the earliest documented examples, encrypted data harvested from compromised systems and embedded it within image files before transmitting them to C2 infrastructure. Outbound image transfers to cloud hosting or social media platforms generate no alerts in environments where users routinely upload photographs. This channel is particularly difficult to monitor because blocking image uploads would disrupt legitimate business operations.
4. Persistence and updatesSteganographic images can serve as an update mechanism. An implant periodically checks a hosted image for new instructions or replacement payloads. If the image on a legitimate hosting platform is updated, the implant receives new capabilities without any change to its own code or network behaviour. Witchetty hosted its XOR-encrypted backdoor on GitHub, a platform with high reputation scores across security tools. Replacing the image on the repository would deliver an updated payload to every compromised system on its next check-in. This pattern makes takedown difficult because the hosting infrastructure is legitimate and shared with millions of benign users.

A decade of stegomalware campaigns

Stegomalware is not a recent phenomenon. The technique has been used in documented campaigns since at least 2015, and its adoption has accelerated as endpoint detection has improved. The table below traces a decade of significant campaigns, illustrating how stegomalware evolved from niche APT tooling to commodity malware infrastructure.

Key Examples
2015
CampaignGatak/Stegoloader
AttributionCybercrime
Cover MediumPNG (LSB pixel encoding)
Kill Chain RolePayload delivery
2015
CampaignTeslaCrypt
AttributionCybercrime
Cover MediumHTML 404 pages
Kill Chain RoleCommand and control
2016
CampaignDNSChanger EK
AttributionCybercrime
Cover MediumPNG (LSB, AES key)
Kill Chain RolePayload delivery
2016
CampaignSundown EK
AttributionCybercrime
Cover MediumPNG (exploit code)
Kill Chain RolePayload delivery
2017
CampaignZeroT/PlugX
AttributionTA459 (China)
Cover MediumBMP (LSB encoding)
Kill Chain RolePayload delivery
2018
CampaignOceanLotus
AttributionAPT32 (Vietnam)
Cover MediumPNG/JPEG (AES+XOR)
Kill Chain RolePayload delivery
2019
CampaignTurla LightNeuron
AttributionTurla (Russia)
Cover MediumPDF/JPG email attachments
Kill Chain RoleCommand and control
2019
CampaignEdgeSpot PDF exploit
AttributionUnknown
Cover MediumPDF (embedded image)
Kill Chain RolePayload delivery
2022
CampaignWorok
AttributionEspionage (unattributed)
Cover MediumPNG (LSB encoding)
Kill Chain RolePayload delivery
2022
CampaignWitchetty
AttributionEspionage (China-linked)
Cover MediumBMP (XOR, GitHub-hosted)
Kill Chain RolePersistence/updates
2022
CampaignSerpent
AttributionUnknown
Cover MediumPNG (Base64 in image)
Kill Chain RolePayload delivery
2024
CampaignLumma Stealer
AttributionCybercrime (MaaS)
Cover MediumPNG/image files
Kill Chain RolePayload delivery
2025
CampaignXWorm
AttributionCybercrime
Cover MediumJPEG/PNG (Base64+AES)
Kill Chain RolePayload delivery
2025
CampaignFormbook
AttributionCybercrime
Cover MediumPNG (encrypted payload)
Kill Chain RolePayload delivery

Several patterns emerge from this timeline. First, stegomalware has shifted from state-sponsored exclusivity to commodity adoption. Gatak and ZeroT/PlugX were relatively sophisticated; XWorm and Lumma Stealer are mass-market tools available as malware-as-a-service. Second, PNG has become the dominant cover medium, favoured for its lossless compression (which preserves embedded data exactly) and flexible chunk structure. Third, the overwhelming majority of campaigns use steganography for payload delivery. C2 and exfiltration use cases remain concentrated among state-sponsored actors who prioritise long-term stealth over operational simplicity.

For detailed analysis of specific embedding techniques (EOF appending, LSB encoding, PNG chunk hiding, alpha channel manipulation) and how campaigns like GHOSTPULSE and GhostPoster implement them, see Steganography in Malware Delivery. For the attacker's perspective on extraction code and what it reveals to defenders, see How Malware Extracts Hidden Payloads from Images. When the carrier is a PDF rather than a standalone image, the detection challenge compounds further, as explored in Analysing Steganographic Document Attacks.

Why detection is fundamentally hard

Stegomalware creates a detection problem that is structurally different from other forms of obfuscation. With script obfuscation or packed executables, the malicious content is present in the artefact. Analysis tools can apply decoders, emulators, or sandboxes to recover the original payload. The content is hidden but not absent. With stegomalware, the artefact under inspection is genuinely benign. The PNG is a valid PNG. The JPEG is a valid JPEG. There is no malformed header, no suspicious import table, no anomalous entropy in the executable. The payload exists only in the statistical properties of pixel values or in bytes that standard parsers ignore.

Statistical steganalysis, which measures deviations from expected pixel distributions, works against naive LSB encoding. But it fails against encrypted payloads, which produce ciphertext indistinguishable from random noise. Modern stegomalware almost always encrypts before embedding. GHOSTPULSE uses CRC32-validated blocks. OceanLotus layers AES-128 with XOR. XWorm applies AES encryption to Base64-encoded DLLs. The encrypted payload produces no statistical anomaly because random data has the same distribution as the cover medium's noise floor.

For a practitioner's guide to detection approaches that work despite these challenges, including structural analysis, entropy profiling, and behavioural monitoring of extraction routines, see Steganography Detection Techniques.

In January 2019, EdgeSpot reported that a steganographic PDF exploit had been present on VirusTotal since October 2017, yet only a single antivirus engine out of fifty-seven detected it. After EdgeSpot published their analysis, detection rose to five out of fifty-seven. Over fifteen months of exposure to the entire AV industry had produced essentially zero detection. This is not a failure of any individual product. It is the natural outcome of scanning technology that was never designed to look inside pixel values or parse beyond file terminators.

Implications for defenders

The growing adoption of stegomalware by commodity threat actors means this is no longer a technique defenders can treat as exotic. When mass-market tools like XWorm and Lumma Stealer embed steganographic delivery as a standard feature, the volume of stegomalware in the wild increases by orders of magnitude compared to the APT-only era.

Defence requires acknowledging that image files, PDFs, and other media are potential payload carriers. Network security monitoring should flag unusual patterns in image retrieval: executables downloading images they never display, repeated fetches of the same image from ephemeral infrastructure, or image files whose size significantly exceeds what their dimensions require. Endpoint detection should monitor for processes that read image files and route the contents to memory allocation or execution functions rather than rendering APIs.

Most critically, analysis cannot stop at extraction. The hidden payload is almost never the final form. It is typically wrapped in multiple layers of obfuscation: XOR encryption revealing Base64, which decodes to compressed data, which decompresses to obfuscated script code. Each layer must be resolved in sequence before the actual malicious intent becomes visible. Manual analysis of these chains is where most investigations stall.

Stegomalware hides where scanners do not look. KlaroSkope extracts hidden payloads from images and deobfuscates them automatically, resolving multi-layer chains from steganographic extraction through to IOC report. Try it with a suspicious image

Frequently Asked Questions

Q

What is the difference between steganography and encryption?

Encryption transforms data into an unreadable form that is obviously present. Anyone examining an encrypted file can see that it contains something, even if they cannot read it. Steganography hides data within legitimate-looking content so that its very existence is concealed. An image containing a steganographic payload displays normally in any viewer. Attackers frequently combine both techniques: encrypting the payload for confidentiality, then embedding the ciphertext steganographically for concealment.
Q

Is stegomalware common?

Yes, and its prevalence has grown steadily since 2015. What began as a technique confined to state-sponsored groups like Turla and OceanLotus has become standard in commodity malware. By 2024 and 2025, mass-market tools including XWorm, Lumma Stealer, and Formbook all ship with steganographic delivery as a built-in capability. Forcepoint's X-Labs Q3 2025 threat brief highlighted steganography as a recurring technique in the growing wave of obfuscated JavaScript-based malware campaigns.
Q

Can images carry full malware payloads?

Yes. A standard 1920x1080 PNG image in 24-bit colour contains approximately 6.2 million bytes of pixel data. Using single-bit LSB encoding across three colour channels, that single image can carry roughly 760 kilobytes of hidden data. At two bits per channel the capacity rises to approximately 1.5 megabytes, more than enough for a complete backdoor, RAT, or information stealer. In practice, most stegomalware payloads are tens to hundreds of kilobytes, well within what a typical photograph can conceal.
Q

Which file types can carry stegomalware?

Any digital media format with sufficient capacity can serve as a cover medium. In documented campaigns, attackers have used PNG, JPEG, BMP, GIF, WEBP, ICO, WAV audio, PDF documents, and video files. PNG is the most common choice due to its lossless compression and flexible chunk structure. The format choice often depends on what will appear natural in the delivery context: icon files for browser extensions, photographs for social media delivery, PDFs for email attachments.
Q

How can organisations detect stegomalware?

No single technique catches all stegomalware variants. Effective detection combines multiple approaches: structural analysis of image files for anomalous chunks or appended data, entropy measurement to identify encrypted hidden content, file size analysis relative to image dimensions, and behavioural monitoring for processes that read images and route content to execution rather than display. For a comprehensive practitioner's guide, see our article on steganography detection techniques.
Q

What is the MITRE ATT&CK ID for steganography?

Steganography is classified under MITRE ATT&CK as T1027.003, a sub-technique of Obfuscated Files or Information (T1027). When used for command-and-control communication, it also maps to T1001.002 (Data Obfuscation: Steganography). Both sub-techniques are documented in the MITRE ATT&CK Enterprise matrix with references to campaigns that have employed them in the wild.

Found this useful? Sharing is caring!

Ready to decode?

See KlaroSkope transform obfuscated scripts into actionable intelligence.

Try It Free