HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Threat Actors Deploy Steganographic Images on Public Hosting Sites to Deliver Malware, Evading EDR

Threat actors embed malicious payloads in benign‑looking PNG/JPEG images hosted on public file‑sharing platforms, bypassing traditional security controls and delivering RATs that often evade EDR. This technique expands the attack surface of any third‑party image‑hosting service used by enterprises.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 cofense.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
cofense.com

Threat Actors Deploy Steganographic Images on Public Hosting Sites to Deliver Malware, Evading EDR

What Happened — Threat actors are embedding malicious payloads inside benign‑looking PNG/JPEG images hosted on public file‑sharing and archive sites. The steganographic files bypass traditional email and web filters, and when retrieved the hidden code is decoded and executed, delivering Remote Access Trojans (e.g., Remcos) and other malware that often evades Endpoint Detection and Response (EDR) tools.

Why It Matters for TPRM

  • Vendors that provide image‑hosting, file‑sharing, or content‑delivery services can become inadvertent infection vectors for your organization.
  • Sophisticated delivery methods reduce the effectiveness of standard anti‑malware controls, increasing the risk of undetected compromise across multiple third‑party relationships.
  • The use of personalized phishing subjects and legitimate‑looking assets raises the likelihood of successful social‑engineering attacks against your supply chain.

Who Is Affected — All industries that rely on third‑party image‑hosting or file‑sharing services, especially technology/SaaS providers, cloud‑hosting platforms, and enterprises with extensive remote workforces.

Recommended Actions

  • Review contracts and security questionnaires for any vendors that operate public image or file‑hosting services.
  • Verify that vendors employ content‑scanning, steganography detection, and strict file‑type validation.
  • Augment internal EDR with behavioral analytics capable of detecting in‑memory execution and DLL loading patterns associated with steganographic payloads.

Technical Notes

  • Delivery vector: steganography embedded in PNG/JPEG files hosted on sites such as archive.org (23% of observed samples).
  • Payloads: Remcos RAT (27% of campaigns), custom .NET loader DLLs for privilege escalation, and other information‑stealing malware.
  • Evasion: Malware is obfuscated, encoded, and executed in memory, thwarting signature‑based detection.

Source: Cofense Intelligence – Steganography Secrets: Malware Hidden in Plain Sight

📰 Original Source
https://cofense.com/blog/steganography-secrets-malware-hidden-in-plain-sight

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →