Cybersecurity Glossary

What is Steganography?

Written by IRONSCALES | May 28, 2026 12:00:00 PM

Steganography Explained

Steganography is the practice of concealing data within other data so the hidden content is invisible to anyone not specifically looking for it. NIST defines it as "the art, science, and practice of communicating in a way that hides the existence of the communication." The critical distinction from encryption: encryption protects the content of a message but leaves its existence obvious (ciphertext is recognizably ciphertext), while steganography hides the fact that a message exists at all. The two are complementary, and attackers routinely combine them by encrypting a payload first and then hiding the ciphertext in a carrier file.

In cybersecurity, attackers use steganography to hide malicious payloads inside ordinary-looking files (images, documents, audio) to bypass security tools that scan for known threat signatures. MITRE ATT&CK documents two sub-techniques: T1027.003 (Obfuscated Files or Information: Steganography, hiding payloads or other data inside files, typically during delivery) and T1001.002 (Data Obfuscation: Steganography, hiding command-and-control traffic after compromise).

How Steganography Works in Email Attacks

Three embedding techniques dominate modern campaigns:

  • Least Significant Bit (LSB) manipulation. Attackers overwrite the lowest bit of each color channel value (R, G, B) in an image with one bit of payload. Changing a channel value by at most one is invisible to the human eye, but the bits reassemble into executable data that a decoder script extracts at runtime. Used by ZeroT, Vawtrak, and DNSChanger to conceal encryption keys and download URLs.
  • End-of-File (EOF) trailing data. Malicious data is appended after the image's end marker (the EOI marker 0xFFD9 in JPEG, the IEND chunk in PNG). Image viewers stop at that boundary and ignore everything past it, but a dropper script reads and executes the trailing payload. This is the simplest technique, but it increases file size and the payload is plainly visible to anyone who parses the file structure or opens it in a hex editor.
  • Base64-encoded payloads in image data. A JavaScript dropper or macro-enabled document downloads an image from a hosting service, then performs steganographic extraction of a Base64-encoded .NET loader DLL. The decoded payload begins with "MZ" (the Windows executable signature); in its Base64 form the same header starts with "TVqQAA", a string worth hunting for inside image files. The loader then injects into legitimate processes so the decoded executable never has to be written to disk.

A typical email attack chain: phishing email delivers a document or script dropper. The dropper downloads an innocuous-looking image from a legitimate hosting service (archive.org, image boards). The image contains a hidden payload that the dropper extracts and executes, establishing a remote access trojan, keylogger, or infostealer.

Steganography in the Wild

TA558 / SteganoAmor (2024). This campaign targeted 320+ organizations, most of them in Latin America, using phishing emails with Office documents exploiting CVE-2017-11882 (the Equation Editor memory corruption bug). The documents triggered downloads of images containing Base64-encoded payloads that delivered Agent Tesla, Remcos RAT, FormBook, and XWorm.

Emotet and IcedID. Both malware families have used steganographic techniques to conceal payloads within image files delivered as secondary stages after initial email compromise, often in combination with conversation hijacking techniques for delivery.

APT29 (Operation Ghost). The Russian state-sponsored group employed steganography across multiple Duke-family malware variants for both payload delivery and command-and-control communications, embedding commands in images posted to public websites.

Security researchers have found that approximately 73% of steganography campaigns use finance-themed phishing emails, with Remcos RAT, Agent Tesla, and XWorm as the most common payloads.

Detecting Steganographic Attacks

Steganography is designed to evade detection, which makes identification challenging:

  • Statistical analysis. Examine pixel value distributions for anomalies inconsistent with natural images. LSB replacement with random-looking data drives the counts of adjacent values (2k and 2k+1) toward equality, so a chi-square test over those value pairs can flag the flattening that LSB manipulation leaves behind.
  • File structure inspection. Parse the file to its end marker (0xFFD9 for JPEG, IEND for PNG) and flag any bytes after it, check that the magic bytes match the extension and declared MIME type, and flag image files whose size is far larger than their dimensions and compression would explain.
  • Behavioral monitoring. Watch for image file downloads followed by script execution, process injection, or registry modification. The payload extraction step creates a detectable behavioral signature even when the carrier file looks clean.
  • Content Disarm and Reconstruction (CDR). Strip and rebuild file content, removing any embedded data that falls outside the expected file format structure.
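The following is an added example, not IRONSCALES code, that builds a small PNG carrier, hides data in it with the two embedding methods described earlier (LSB replacement and trailing data after the end marker), and then runs the structural and statistical checks from the list above against the clean and the tampered files. Everything is constructed inline: the carrier image, the hidden payload, and the fake "MZ" executable are stand-ins, and the carrier's pixel values are deliberately generated with unequal 2k/2k+1 counts so that the chi-square test has something to detect. Only the simple unfiltered RGB layout the writer produces is decoded; real PNGs use row filters that this parser does not handle.

```python
"""Carrier construction, two embedding methods and the matching detection checks.
Added example, not IRONSCALES code; every image and payload below is constructed inline."""
import base64
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    # length + type + data + CRC32(type + data), as the PNG format requires
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(width: int, height: int, samples: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer: samples holds width*height*3 channel bytes, row-major."""
    stride = width * 3
    raw = b"".join(b"\x00" + samples[r * stride:(r + 1) * stride] for r in range(height))  # filter 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def lsb_embed(samples: bytes, payload: bytes) -> bytes:
    """LSB replacement: overwrite the low bit of successive channel values with payload bits."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(samples)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_extract(samples: bytes, nbytes: int) -> bytes:
    """What the dropper does: rebuild nbytes from the low bits of the first nbytes*8 samples."""
    bits = [v & 1 for v in samples[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def parse_png(png: bytes):
    """Walk the chunk list; return (width, height, channel bytes, bytes after IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, idat = len(PNG_SIG), 0, 0, b""
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        pos += 12 + length                               # length + type + data + crc
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            raw, stride = zlib.decompress(idat), width * 3 + 1   # one filter byte leads each row
            rows = [raw[r * stride:(r + 1) * stride] for r in range(height)]
            if any(row[0] != 0 for row in rows):
                raise ValueError("only filter type 0 rows are handled here")
            return width, height, b"".join(row[1:] for row in rows), png[pos:]
    raise ValueError("IEND missing or truncated")


def lsb_chi_square(samples: bytes) -> float:
    """Pairs-of-values test: LSB replacement with random data drives the counts of values
    2k and 2k+1 toward equality, so a LOW statistic is the suspicious result."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat


def looks_like_pe(blob: bytes) -> bool:
    """Raw PE ('MZ') or Base64 text that decodes to one ('TVqQAA' is the usual prefix)."""
    if blob.startswith(b"MZ"):
        return True
    try:
        return base64.b64decode(blob.strip(), validate=True).startswith(b"MZ")
    except ValueError:                                   # binascii.Error is a ValueError
        return False


def analyse(png: bytes) -> dict:
    """The file-structure and statistical checks applied to one file."""
    width, height, samples, trailing = parse_png(png)
    return {"trailing_bytes": len(trailing), "trailing_is_pe": looks_like_pe(trailing),
            "chi_square": lsb_chi_square(samples), "bytes_per_pixel": len(png) / (width * height)}


def demo() -> dict:
    """Score a clean carrier, an LSB-stego copy and a copy with a payload appended after IEND."""
    rng = random.Random(7)                               # constructed, deterministic sample data
    w = h = 32
    # Constructed carrier: mostly even channel values, so adjacent 2k/2k+1 histogram bins are
    # unequal as they are in a photograph (a uniformly random carrier would defeat the test).
    samples = bytes(rng.randrange(128) * 2 + (rng.random() < 0.2) for _ in range(w * h * 3))
    clean = make_png(w, h, samples)
    secret = bytes(rng.randrange(256) for _ in range(w * h * 3 // 8))   # fills every LSB
    stego = make_png(w, h, lsb_embed(samples, secret))
    assert lsb_extract(parse_png(stego)[2], len(secret)) == secret       # dropper-side recovery
    fake_pe = b"MZ\x90\x00" + bytes(60)                  # constructed stand-in for a loader DLL
    polyglot = clean + base64.b64encode(fake_pe)         # trailing data: viewers stop at IEND
    return {"clean": analyse(clean), "lsb": analyse(stego), "eof": analyse(polyglot)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Running `demo()` shows the two detections pulling in different directions: the EOF polyglot is caught by the structural checks (non-zero trailing bytes that decode to an "MZ" header, and more bytes per pixel than the clean file) while its pixel statistics are identical to the clean image, whereas the LSB-stego file is structurally perfect and only the chi-square statistic, which drops sharply once every low bit carries a payload bit, gives it away. On real images the statistic must be compared against a baseline for the camera or source rather than an absolute threshold, and an adversary who embeds only a small payload or uses matching instead of replacement will weaken the test, which is why the behavioral monitoring below remains the more reliable signal.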

MITRE notes that steganography "cannot be easily mitigated with preventive controls since it is based on the abuse of system features." Defense must focus on behavioral detection of what happens after extraction rather than blocking the carrier files themselves.
