Threat Actors Deploy Steganographic Images on Public Hosting Sites to Deliver Malware, Evading EDR
What Happened — Threat actors are embedding malicious payloads inside benign‑looking PNG/JPEG images hosted on public file‑sharing and archive sites. The steganographic files bypass traditional email and web filters, and when retrieved the hidden code is decoded and executed, delivering Remote Access Trojans (e.g., Remcos) and other malware that often evades Endpoint Detection and Response (EDR) tools.
Why It Matters for TPRM —
- Vendors that provide image‑hosting, file‑sharing, or content‑delivery services can become inadvertent infection vectors for your organization.
- Sophisticated delivery methods reduce the effectiveness of standard anti‑malware controls, increasing the risk of undetected compromise across multiple third‑party relationships.
- The use of personalized phishing subjects and legitimate‑looking assets raises the likelihood of successful social‑engineering attacks against your supply chain.
Who Is Affected — All industries that rely on third‑party image‑hosting or file‑sharing services, especially technology/SaaS providers, cloud‑hosting platforms, and enterprises with extensive remote workforces.
Recommended Actions —
- Review contracts and security questionnaires for any vendors that operate public image or file‑hosting services.
- Verify that vendors employ content‑scanning, steganography detection, and strict file‑type validation.
- Augment internal EDR with behavioral analytics capable of detecting in‑memory execution and DLL loading patterns associated with steganographic payloads.
Technical Notes —
- Delivery vector: steganography embedded in PNG/JPEG files hosted on sites such as archive.org (23% of observed samples).
- Payloads: Remcos RAT (27% of campaigns), custom .NET loader DLLs for privilege escalation, and other information‑stealing malware.
- Evasion: Malware is obfuscated, encoded, and executed in memory, thwarting signature‑based detection.
Source: Cofense Intelligence – Steganography Secrets: Malware Hidden in Plain Sight