New Steganographic Malware Attack via JPG File Delivers Multiple Password Stealing Malwares

A newly identified steganographic malware operation has emerged, using JPEG image files as a covert delivery mechanism for multiple password-stealing malware strains. Security researchers have discovered that this sophisticated attack leverages the practice of hiding malicious payloads within seemingly harmless image files, exploiting steganography—a technique historically used for concealing messages or content within digital artifacts. […] The post New Steganographic Malware Attack via JPG File Delivers Multiple Password Stealing Malwares appeared first on Cyber Security News.

Mar 17, 2025 - 14:45

New Steganographic Malware Attack via JPG File Delivers Multiple Password Stealing Malwares

A newly identified steganographic malware operation has emerged, using JPEG image files as a covert delivery mechanism for multiple password-stealing malware strains.

Security researchers have discovered that this sophisticated attack leverages the practice of hiding malicious payloads within seemingly harmless image files, exploiting steganography—a technique historically used for concealing messages or content within digital artifacts.

This method has enabled threat actors to evade traditional detection mechanisms and distribute malware efficiently across targeted systems.

SEQRITE security researchers have revealed that the attack begins when unsuspecting users download or view a compromised JPEG file on their system.

Typically disguised as legitimate content, the infected image file contains embedded malicious scripts and executables.

These payloads are extracted through automated processes when the image is processed by the victim’s device.

SEQRITE analysts noted that the malware embedded within the JPEG files primarily focuses on credential harvesting, targeting browsers, email clients, and FTP applications to extract sensitive user data.

What sets this attack apart is the complexity of its delivery mechanism.

The embedded malicious scripts are not directly visible within the header or metadata of the image file.

Instead, the core of the malware is hidden in pixel data fields that appear innocuous to standard image-processing libraries.

Once executed, these scripts initiate a chain of attack that downloads additional payloads, including customized password-stealing tools like Vidar, Raccoon, and Redline.

These tools specialize in collecting login information stored within application databases, exploiting vulnerabilities, and transmitting stolen data to command-and-control (C2) servers.

Technical Details: JPEG-Based Malware Unpacking

At the technical level, steganography enables the modification of pixel values in the JPEG image file to encode malicious data.

The extraction is achieved via custom decoders embedded in the malware’s loader script.

For instance, the attackers employ Python and C++ executables to read specific pixel clusters and reconstruct executable scripts from encoded byte streams.

Below is an example of a Python snippet used in decoding the payload:-

from PIL import Image

def extract_payload(image_file):
    img = Image.open(image_file)
    payload_data = []
    for pixel in img.getdata():
        if pixel[0] % 2 == 0:  # Sample encoding logic
            payload_data.append(pixel[0])
    return bytearray(payload_data)

image = "infected_image.jpg"
payload = extract_payload(image)

JPEG Encapsulation and Decoding Process (Source – SEQRITE)

In such an attack, the encoded JPEG file before and after the malicious payload is extracted, highlighting subtle pixel-level alterations.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

The post New Steganographic Malware Attack via JPG File Delivers Multiple Password Stealing Malwares appeared first on Cyber Security News.