OilRig APT Hides C2 Config in Google Drive Images with Steganography
Key Takeaways
- The Iranian state-sponsored APT group OilRig (also known as APT34 or Helix Kitten) has been observed employing a sophisticated new attack chain.
- This campaign leverages steganography to conceal command-and-control (C2) configurations within benign Google Drive images.
- The attack begins with phishing documents themed around Iranian social protests, leading to a multi-stage infection involving GitHub, Google Drive, and Telegram for covert communication and payload delivery.
- Targets include government agencies, financial institutions, energy companies, telecom providers, and chemical firms across the Middle East, the United States, Europe, and parts of Asia.
The notorious Iranian state-sponsored advanced persistent threat (APT) group OilRig (also identified as APT34 and Helix Kitten) has been observed using a new, highly evasive attack methodology. Researchers have uncovered evidence of the group embedding encrypted command-and-control (C2) configurations within seemingly innocuous images hosted on Google Drive, using a technique known as Least Significant Bit (LSB) steganography.
This sophisticated approach allows the threat actors to hide critical malicious data within standard PNG image files, rendering detection by conventional security tools significantly more challenging.
OilRig’s Strategic Objectives and Evolving Tactics
Active since at least 2016, OilRig is widely recognized for its ties to Iranian intelligence services. The group’s operational history includes extensive cyberespionage campaigns targeting high-value entities across the Middle East, the United States, Europe, and parts of Asia. Primary targets consistently include government bodies, financial organizations, energy sector firms, telecommunications providers, and chemical industries. OilRig’s overarching mission remains the exfiltration of sensitive political, military, and geostrategic intelligence.
Analysts at the 360 Advanced Threat Research Institute recently discovered several attack samples attributed to OilRig during their routine APT threat hunting activities. These findings shed light on a significantly more advanced attack chain. This new methodology intricately combines social engineering via phishing emails, abuse of legitimate cloud services, image steganography, and in-memory execution to orchestrate a covert, multi-stage campaign.
The threat group crafted compelling phishing documents that exploited the sensitive topic of Iran’s nationwide social protests. This tactic was designed to entice victims into initiating the infection process without suspicion.
The Infection Chain: From Phishing to Covert C2
The campaign commenced with a malicious Excel spreadsheet titled “Final List_Tehran.xlsm.” This document was meticulously designed to appear as a legitimate file related to the social unrest in Iran. Notably, the file referenced “January 1404” of the Iranian calendar, corresponding to late December 2025 through January 2026, indicating a deliberate effort to align the bait with contemporary real-world events and enhance its credibility.
Upon a victim opening the Excel document and enabling its embedded macros, the sophisticated infection sequence silently began to execute in the background. The entire attack pipeline seamlessly integrated GitHub, Google Drive, and Telegram, creating a robust and stealthy infrastructure for payload delivery, configuration retrieval, and ongoing command-and-control communications. By routing malicious traffic through these widely trusted and utilized platforms, OilRig effectively minimized the likelihood of detection by standard security monitoring systems.

Inside the LSB Steganography Attack Chain
The infection mechanism deployed in this campaign was engineered to circumvent security alerts at every stage. Once the victim activated macros within the Excel file, the embedded VBA code surreptitiously decoded C# source code stored within the document’s CustomXMLParts section. It then invoked the legitimate Windows compiler, csc.exe, to compile that source into a malicious loader DLL on the compromised machine, saved as AppVStreamingUX_Multi_User.dll.
This loader then initiated a connection to a GitHub repository associated with the account “johnpeterson1304.” From this repository, it retrieved a text file named “tamiManager.txt.” After decoding the Base64-encoded content of this file, the loader obtained a Google Drive link that pointed to an image file named “MIO9.png.”

While the “MIO9.png” image appeared entirely normal to the unsuspecting eye, it covertly contained encrypted C2 configuration data embedded in the least significant bits of its pixel values. Using a custom LSB extraction algorithm, followed by Base64 decoding and XOR decryption, the loader recovered the complete C2 setup. This configuration included a Telegram Bot token, a chat ID, and five distinct module download addresses, designated m1 through m5.
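The following is an added analyst-side example, not code from the original report or from the malware itself, showing how the extraction and decoding stages described above fit together and how an analyst can triage whether an image's LSB plane carries a payload at all. It assumes a simple layout that the report does not specify (a 4-byte big-endian length prefix followed by the payload, one bit per RGB channel byte, most significant bit first); OilRig's actual extraction routine is described only as "custom" and is not reproduced. The carrier pixels, key and configuration text are all constructed here so the script runs offline; on a real sample the pixel bytes would come from the decoded PNG (for instance `Image.open(path).convert("RGB").tobytes()` with Pillow).

```python
"""Added example: recovery of an LSB-hidden, Base64+XOR-wrapped C2 config.

Layout assumption (not from the report): 32-bit big-endian length prefix,
then the payload, one bit per channel byte, MSB first.
"""
import base64
import random

SAMPLE_KEY = b"constructed-key"  # constructed for this example, not a real key
SAMPLE_CONFIG = (                # constructed placeholder config, not real C2 data
    '{"bot_token": "<placeholder-token>", "chat_id": "<placeholder-id>", '
    '"m1": "https://example.invalid/m1", "m2": "https://example.invalid/m2"}'
)


def lsb_bits(pixels: bytes):
    """Yield the least significant bit of every channel byte, in order."""
    for b in pixels:
        yield b & 1


def bits_to_bytes(bits) -> bytes:
    """Pack a bit sequence (MSB first) into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    acc, n = 0, 0
    for bit in bits:
        acc = (acc << 1) | bit
        n += 1
        if n == 8:
            out.append(acc)
            acc, n = 0, 0
    return bytes(out)


def lsb_extract(pixels: bytes) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many payload bytes."""
    length = int.from_bytes(bits_to_bytes(lsb_bits(pixels[:32])), "big")
    capacity = (len(pixels) - 32) // 8
    if length == 0 or length > capacity:
        # A clean image yields an essentially random 32-bit value here,
        # which almost always exceeds the carrier's capacity.
        raise ValueError(f"length prefix {length} is implausible for capacity {capacity}")
    return bits_to_bytes(lsb_bits(pixels[32:32 + length * 8]))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(pixels: bytes, key: bytes) -> str:
    """LSB extract -> Base64 decode -> XOR decrypt, in the order the report describes."""
    raw = lsb_extract(pixels)
    return xor_bytes(base64.b64decode(raw, validate=True), key).decode("utf-8")


def has_plausible_payload(pixels: bytes) -> bool:
    """Triage check: sane length prefix and a payload that is valid Base64."""
    try:
        base64.b64decode(lsb_extract(pixels), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write length prefix + payload into the LSB plane (used only to build the fixture)."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def clean_carrier(width: int = 64, height: int = 64, seed: int = 1) -> bytes:
    """Constructed RGB carrier with pseudo-random channel values (stands in for a photo)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


def build_sample() -> bytes:
    """Constructed stego image: XOR-encrypt, Base64-encode, then hide in the carrier."""
    hidden = base64.b64encode(xor_bytes(SAMPLE_CONFIG.encode("utf-8"), SAMPLE_KEY))
    return lsb_embed(clean_carrier(), hidden)


if __name__ == "__main__":
    stego = build_sample()
    print("clean carrier flagged:", has_plausible_payload(clean_carrier()))
    print("stego carrier flagged:", has_plausible_payload(stego))
    print("recovered config:", decode_config(stego, SAMPLE_KEY))
```

The `has_plausible_payload` check is the useful part for triage: with a length-prefixed layout, a clean image produces a nonsensical length, and a wrong bit order or offset produces bytes that fail strict Base64 validation, so an analyst can quickly tell whether an assumed layout is right before spending time on the XOR key.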
These modules facilitated various malicious functionalities, including persistence (pr), file upload (up), file download (do), command execution (cm), and application launch (runApp). Crucially, each of these modules was loaded directly into memory, a technique designed to avoid leaving forensic artifacts on disk that could be detected by endpoint security solutions.
To ensure persistent access across system reboots, OilRig employed Windows scheduled tasks to maintain the malware’s presence on the compromised machine. Furthermore, the malware transmitted an “is online” heartbeat message via the Telegram Bot API each time it activated, providing the attackers with real-time confirmation of continued control over the infected system.
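Two of the behaviours described in this section leave telemetry a defender can key on: an Office process launching csc.exe to compile the loader, and a non-browser process talking to the Telegram Bot API (or the other cloud services in the chain) for the heartbeat. The following is an added example, not code or telemetry from the original report, that runs those two checks over constructed Sysmon-style events. The field names (Image, ParentImage, CommandLine, DestinationHostname) follow Sysmon's process-creation (Event ID 1) and network-connection (Event ID 3) schema; the event contents, the rundll32.exe launcher in the sample and the allow-lists are constructed assumptions to be tuned per environment.

```python
"""Added example: two detection checks over constructed Sysmon-style events."""
from pathlib import PureWindowsPath

# Assumed allow-lists; tune to the environment. Not from the original report.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "cvtres.exe"}
WATCHED_HOSTS = {"api.telegram.org", "raw.githubusercontent.com", "drive.google.com"}
ALLOWED_NET_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def office_spawned_compiler(event: dict) -> bool:
    """Rule 1: an Office application launching a .NET compiler (macro-driven csc.exe)."""
    return (_basename(event.get("ParentImage", "")) in OFFICE_APPS
            and _basename(event.get("Image", "")) in COMPILERS)


def unusual_cloud_beacon(event: dict) -> bool:
    """Rule 2: a watched cloud/messaging host contacted by a process that is not
    a browser or the platform's own client (candidate heartbeat / config fetch)."""
    host = event.get("DestinationHostname", "").lower()
    return host in WATCHED_HOSTS and _basename(event.get("Image", "")) not in ALLOWED_NET_PROCESSES


def triage(process_events, network_events):
    """Return (rule, image, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in process_events:
        if office_spawned_compiler(ev):
            findings.append(("office_spawned_compiler", ev["Image"], ev.get("CommandLine", "")))
    for ev in network_events:
        if unusual_cloud_beacon(ev):
            findings.append(("unusual_cloud_beacon", ev["Image"], ev["DestinationHostname"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\user\Downloads\Final List_Tehran.xlsm"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": (r"csc.exe /noconfig /target:library "
                     r"/out:C:\Users\user\AppData\Local\Temp\AppVStreamingUX_Multi_User.dll "
                     r"C:\Users\user\AppData\Local\Temp\loader.cs")},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /noconfig /target:exe /out:C:\src\app.exe C:\src\Program.cs"},
]

SAMPLE_NETWORK_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "drive.google.com"},
    {"Image": r"C:\Users\user\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Windows\System32\rundll32.exe",   # constructed launcher, an assumption
     "DestinationHostname": "api.telegram.org"},
]


if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Rule 1 is low-noise in most environments because end users rarely compile C# from inside Excel; the developer-workstation event in the sample (csc.exe under devenv.exe) is deliberately left unflagged. Rule 2 is a review trigger rather than a verdict, since legitimate tooling may use the Telegram or GitHub APIs, which is why it is driven by a per-environment allow-list.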
What You Should Do
- Disable Macros by Default: Configure Microsoft Office applications to disable macro execution from untrusted sources. Educate users on the risks of enabling macros in documents from unknown or suspicious senders.
- Enhance Network Monitoring: Implement robust network monitoring rules to detect and flag unusual outbound traffic directed towards legitimate cloud services like GitHub, Google Drive, and Telegram, especially when originating from internal systems.
- Deploy Advanced Endpoint Detection: Utilize Endpoint Detection and Response (EDR) solutions capable of identifying sophisticated in-memory attack techniques such as DLL loading, DLL side-loading, and process injection activity, which were central to this campaign’s stealth.
- User Awareness Training: Conduct regular cybersecurity awareness training for employees, emphasizing the dangers of phishing emails and the importance of scrutinizing attachments and links, particularly those related to sensitive or trending topics.
- Regular Security Audits: Perform routine security audits and vulnerability assessments to identify and remediate potential weaknesses in your infrastructure that could be exploited by APT groups.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.