Hidden in Plain Sight: Executables Buried Inside a JPEG and a 1KB ZIP

A 1,047-byte ZIP file. That is all it took. Inside: a JavaScript dropper disguised as a TurboTax installer. The script called PowerShell to fetch a remote binary from a known malware distribution domain, wrote it to disk under a fake .mp3 extension, and registered a daily scheduled task to keep it running. Alongside the ZIP, a seemingly ordinary JPEG image contained multiple Windows executables hidden at specific byte offsets, each with a distinct hash. Three evasion layers, one email, and a payload architecture designed to survive both scanning and reboots.

This malware delivery campaign targeted an employee at a North American automotive components manufacturer. The email used a TurboTax tax-preparation theme as the social engineering hook, complete with a professional-looking signature block claiming the sender held an "IT Security Analyst" title. The message arrived through Microsoft Exchange Online infrastructure and was initially quarantined by Microsoft's antispam engine, categorized as AMP (Advanced Malware Protection). It was subsequently released from quarantine into the recipient's inbox.

A 1,669-Byte Script That Does Everything

The ZIP archive (TurboTax-deluxe-setup-app-24-6-32-EXE.zip) contained a single file: TurboTax-deluxe-setup-app-24-6-32-EXE.js. At 1,669 bytes, it fits in a single terminal screen. But those bytes pack a complete attack chain.

The JavaScript constructs a batch file at runtime, then executes it. That batch file invokes PowerShell's Invoke-WebRequest cmdlet to download a file from hxxp://dr5[.]org/in.mp3 and save it to disk. The .mp3 extension is a deliberate misdirection. Network-level file type filters that inspect extensions rather than content let it through. The actual payload is a binary executable.

After the download, the script calls SCHTASKS /Create /SC DAILY /TN to register a Windows scheduled task that runs the downloaded payload once per day. This is T1053.005 (Scheduled Task/Job) in the MITRE ATT&CK framework. It survives reboots. It runs silently. And unless someone specifically audits scheduled tasks, it persists indefinitely.

The script also references hxxp://l77[.]org/downloading.php?dl=turbotax as an additional payload source. The domain l77[.]org is documented in third-party threat intelligence (Dr.Web) as active malware distribution infrastructure. Both payload URLs use HTTP, not HTTPS, which simplifies interception but also avoids certificate validation failures on restrictive networks.

Executables Inside a JPEG: Steganography in Practice

The second attachment, image001.jpg (105,014 bytes), looked like a standard image. It was not. Sandbox analysis identified multiple MZ signatures at different byte offsets within the file. MZ is the magic number that marks the start of a Windows Portable Executable. Three distinct binary blobs were extracted from the image, each with a unique SHA256 hash.

This is T1027.003 (Obfuscated Files or Information: Steganography). The technique works because JPEG parsers read the image data and stop. They do not examine bytes appended beyond the JPEG end-of-image marker. Antivirus scanners that validate the file as a "clean JPEG" based on its header and visible structure miss the embedded executables entirely.

The Verizon 2024 DBIR found that 24% of breaches involved malware, and the median time to click a phishing email was 21 seconds. When the payload is an image that renders normally in a preview pane, the window for user-side detection effectively closes.

See Your Risk: Calculate how many threats your SEG is missing

Why the Gateway Caught It and Then Let It Through

Microsoft Exchange Online Protection flagged this message. The X-Forefront-Antispam-Report header shows CAT:AMP, meaning Microsoft classified it as containing advanced malware. The message was quarantined. Then it was released.

The X-MS-Exchange-Generated-Message-Source: Antispam Quarantine Agent header confirms the release came from the quarantine system. No DKIM signature was present. DMARC returned none. The email passed through the gateway on internal routing trust alone.

This is the gap that Adaptive AI exists to close. A quarantine-and-release workflow depends on someone (or some policy) making the correct call every time. According to the Microsoft Digital Defense Report 2024, Microsoft processes over 78 trillion security signals daily. But a single incorrect quarantine release negates all upstream detection. Behavioral analysis that evaluates the attachment context, sender anomaly, and delivery chain catches what static quarantine decisions miss.

MITRE ATT&CK Mapping

What to Hunt for Tomorrow Morning

If this payload executed in your environment, the forensic artifacts are distinctive. Search for:

1. Scheduled tasks created by non-administrative users that reference downloaded files or unfamiliar paths. The SCHTASKS /Create /SC DAILY pattern with a /TN task name is the fingerprint.
2. PowerShell execution logs containing Invoke-WebRequest paired with -OutFile targeting unexpected directories. Enable PowerShell ScriptBlock Logging (CISA guidance) if you have not already.
3. DNS/proxy logs for l77[.]org and dr5[.]org. Any historical resolution to these domains warrants immediate host containment.
4. Image attachments over 50KB in quarantine queues. Run binary analysis (not just MIME-type validation) to detect embedded MZ signatures. The FBI IC3 2024 report documented $12.5 billion in cybercrime losses, with phishing remaining the top initial access vector.
5. Outbound HTTP requests (not HTTPS) to unfamiliar domains downloading files with misleading extensions (.mp3, .jpg, .png masking executables).

The combination of a sub-2KB dropper, living-off-the-land PowerShell execution, scheduled task persistence, and steganographic payload storage represents a mature attack toolkit. Each technique individually is well-documented. Stacked together in a single email with a tax-software social engineering wrapper, they create a delivery chain that most signature-based defenses evaluate as five separate, individually benign components rather than one coordinated intrusion attempt.

Indicators of Compromise