Stegomalware is malware that uses steganography to conceal malicious code, configuration data, or command-and-control instructions within ordinary digital media such as images, audio files, or documents. Unlike traditional malware where the payload resides inside an executable, stegomalware separates the payload from the carrier, making it invisible to security tools that examine only executable content.
In January 2019, the exploit analysis firm EdgeSpot published a finding that quietly demonstrated how far stegomalware had come. A PDF containing a steganographic exploit had been sitting in VirusTotal since October 2017. After more than a year of exposure to every major antivirus engine on the market, exactly one out of fifty-seven engines flagged it. The other fifty-six saw a normal PDF. That detection gap is not an anomaly. It is a structural consequence of how stegomalware works. The malicious payload does not exist in a form that security tools are built to recognise. It is woven into pixel values, appended after file terminators, or encoded in metadata fields. The file passes every format check, renders normally in every viewer, and carries nothing that matches a signature database. Defenders cannot signature-match what is not there.
Why stegomalware is fundamentally different
Conventional malware, however heavily obfuscated, still places its payload inside the file that gets executed. A packed executable contains compressed code. An obfuscated script contains encoded strings. The payload is present in the artefact a defender analyses. Obfuscation raises the cost of analysis but does not change where the malicious content lives.
Stegomalware breaks this assumption. The payload is not in the executable. It is in a separate, benign-looking file that security tools have no reason to flag. A PNG image. A JPEG photograph. A WAV audio clip. A PDF document. The executable contains only the extraction logic: instructions for reading the cover file, locating the hidden data, decoding it, and passing it to memory for execution. The extraction logic itself is often generic enough to appear legitimate.
This separation creates a compounding detection problem. Analysing the loader in isolation reveals extraction code but no payload. Analysing the image in isolation reveals a valid image file. Neither artefact, examined alone, appears malicious. The threat only materialises when the two are combined at runtime, in memory, with no intermediate file written to disk. For defenders relying on static analysis, file reputation, or signature matching, the attack surface is effectively invisible.
Three types of stegomalware
Academic research, notably the systematic survey by Chaganti et al. (2021), introduced a classification system that distinguishes stegomalware by how tightly the cover medium and extraction algorithm are coupled to the malware itself. This taxonomy matters because each type presents different detection challenges and different opportunities for defenders.
The Type 0/I/II classification reflects an academic taxonomy for stegomalware, notably discussed in surveys such as Chaganti, Ravi, Alazab, and Pham's 2021 paper "Stegomalware: A Systematic Survey of Malware Hiding and Detection in Images, Machine Learning Models and Research Challenges." Most online resources cover steganographic techniques (LSB, EOF, chunk hiding) without distinguishing how the components are distributed. Understanding the distribution model matters because it determines which artefacts a defender can realistically obtain for analysis.
Four roles in the kill chain
Most discussions of stegomalware focus on payload delivery: an image carries hidden code that gets extracted and executed. But steganography serves at least four distinct roles across the attack lifecycle. Recognising all four is essential for building detection that covers the full threat surface.
A decade of stegomalware campaigns
Stegomalware is not a recent phenomenon. The technique has been used in documented campaigns since at least 2015, and its adoption has accelerated as endpoint detection has improved. The table below traces a decade of significant campaigns, illustrating how stegomalware evolved from niche APT tooling to commodity malware infrastructure.
| Year | Campaign | Attribution | Cover Medium | Kill Chain Role |
|---|---|---|---|---|
| 2015 | Gatak/Stegoloader | Cybercrime | PNG (LSB pixel encoding) | Payload delivery |
| 2015 | TeslaCrypt | Cybercrime | HTML 404 pages | Command and control |
| 2016 | DNSChanger EK | Cybercrime | PNG (LSB, AES key) | Payload delivery |
| 2016 | Sundown EK | Cybercrime | PNG (exploit code) | Payload delivery |
| 2017 | ZeroT/PlugX | TA459 (China) | BMP (LSB encoding) | Payload delivery |
| 2018 | OceanLotus | APT32 (Vietnam) | PNG/JPEG (AES+XOR) | Payload delivery |
| 2019 | Turla LightNeuron | Turla (Russia) | PDF/JPG email attachments | Command and control |
| 2019 | EdgeSpot PDF exploit | Unknown | PDF (embedded image) | Payload delivery |
| 2022 | Worok | Espionage (unattributed) | PNG (LSB encoding) | Payload delivery |
| 2022 | Witchetty | Espionage (China-linked) | BMP (XOR, GitHub-hosted) | Persistence/updates |
| 2022 | Serpent | Unknown | PNG (Base64 in image) | Payload delivery |
| 2024 | Lumma Stealer | Cybercrime (MaaS) | PNG/image files | Payload delivery |
| 2025 | XWorm | Cybercrime | JPEG/PNG (Base64+AES) | Payload delivery |
| 2025 | Formbook | Cybercrime | PNG (encrypted payload) | Payload delivery |
Several patterns emerge from this timeline. First, stegomalware has shifted from state-sponsored exclusivity to commodity adoption. Gatak and ZeroT/PlugX were relatively sophisticated; XWorm and Lumma Stealer are mass-market tools available as malware-as-a-service. Second, PNG has become the dominant cover medium, favoured for its lossless compression (which preserves embedded data exactly) and flexible chunk structure. Third, the overwhelming majority of campaigns use steganography for payload delivery. C2 and exfiltration use cases remain concentrated among state-sponsored actors who prioritise long-term stealth over operational simplicity.
For detailed analysis of specific embedding techniques (EOF appending, LSB encoding, PNG chunk hiding, alpha channel manipulation) and how campaigns like GHOSTPULSE and GhostPoster implement them, see Steganography in Malware Delivery. For the attacker's perspective on extraction code and what it reveals to defenders, see How Malware Extracts Hidden Payloads from Images. When the carrier is a PDF rather than a standalone image, the detection challenge compounds further, as explored in Analysing Steganographic Document Attacks.
Why detection is fundamentally hard
Stegomalware creates a detection problem that is structurally different from other forms of obfuscation. With script obfuscation or packed executables, the malicious content is present in the artefact. Analysis tools can apply decoders, emulators, or sandboxes to recover the original payload. The content is hidden but not absent. With stegomalware, the artefact under inspection is genuinely benign. The PNG is a valid PNG. The JPEG is a valid JPEG. There is no malformed header, no suspicious import table, no anomalous entropy in the executable. The payload exists only in the statistical properties of pixel values or in bytes that standard parsers ignore.
Statistical steganalysis, which measures deviations from expected pixel distributions, works against naive LSB encoding. But it fails against encrypted payloads, which produce ciphertext indistinguishable from random noise. Modern stegomalware almost always encrypts before embedding. GHOSTPULSE uses CRC32-validated blocks. OceanLotus layers AES-128 with XOR. XWorm applies AES encryption to Base64-encoded DLLs. The encrypted payload produces no statistical anomaly because random data has the same distribution as the cover medium's noise floor.
For a practitioner's guide to detection approaches that work despite these challenges, including structural analysis, entropy profiling, and behavioural monitoring of extraction routines, see Steganography Detection Techniques.
In January 2019, EdgeSpot reported that a steganographic PDF exploit had been present on VirusTotal since October 2017, yet only a single antivirus engine out of fifty-seven detected it. After EdgeSpot published their analysis, detection rose to five out of fifty-seven. Over fifteen months of exposure to the entire AV industry had produced essentially zero detection. This is not a failure of any individual product. It is the natural outcome of scanning technology that was never designed to look inside pixel values or parse beyond file terminators.
Implications for defenders
The growing adoption of stegomalware by commodity threat actors means this is no longer a technique defenders can treat as exotic. When mass-market tools like XWorm and Lumma Stealer embed steganographic delivery as a standard feature, the volume of stegomalware in the wild increases by orders of magnitude compared to the APT-only era.
Defence requires acknowledging that image files, PDFs, and other media are potential payload carriers. Network security monitoring should flag unusual patterns in image retrieval: executables downloading images they never display, repeated fetches of the same image from ephemeral infrastructure, or image files whose size significantly exceeds what their dimensions require. Endpoint detection should monitor for processes that read image files and route the contents to memory allocation or execution functions rather than rendering APIs.
Most critically, analysis cannot stop at extraction. The hidden payload is almost never the final form. It is typically wrapped in multiple layers of obfuscation: XOR encryption revealing Base64, which decodes to compressed data, which decompresses to obfuscated script code. Each layer must be resolved in sequence before the actual malicious intent becomes visible. Manual analysis of these chains is where most investigations stall.
Stegomalware hides where scanners do not look. KlaroSkope extracts hidden payloads from images and deobfuscates them automatically, resolving multi-layer chains from steganographic extraction through to IOC report. Try it with a suspicious image
Frequently Asked Questions
What is the difference between steganography and encryption?
Is stegomalware common?
Can images carry full malware payloads?
Which file types can carry stegomalware?
How can organisations detect stegomalware?
What is the MITRE ATT&CK ID for steganography?
Continue Learning
Ready to decode?
See KlaroSkope transform obfuscated scripts into actionable intelligence.
Try It Free