OilRig APT Hides C2 Config in Google Drive Images with Steganography

By David Kimber, April 28, 2026

Key Takeaways

  • The Iranian state-sponsored APT group OilRig (also known as APT34 or Helix Kitten) has been observed employing a sophisticated new attack chain.
  • This campaign leverages steganography to conceal command-and-control (C2) configurations within benign Google Drive images.
  • The attack begins with phishing documents themed around Iranian social protests, leading to a multi-stage infection involving GitHub, Google Drive, and Telegram for covert communication and payload delivery.
  • Targets include government agencies, financial institutions, energy companies, telecom providers, and chemical firms across the Middle East, the United States, Europe, and parts of Asia.

The notorious Iranian state-sponsored advanced persistent threat (APT) group, OilRig (also identified as APT34 and Helix Kitten), has adopted a new, highly evasive attack methodology. Researchers have uncovered evidence of the group embedding encrypted command-and-control (C2) configurations within seemingly innocuous images hosted on Google Drive, using a technique known as Least Significant Bit (LSB) steganography.

This sophisticated approach allows the threat actors to hide critical malicious data within standard PNG image files, rendering detection by conventional security tools significantly more challenging.

OilRig’s Strategic Objectives and Evolving Tactics

Active since at least 2016, OilRig is widely recognized for its ties to Iranian intelligence services. The group’s operational history includes extensive cyberespionage campaigns targeting high-value entities across the Middle East, the United States, Europe, and parts of Asia. Primary targets consistently include government bodies, financial organizations, energy sector firms, telecommunications providers, and chemical industries. OilRig’s overarching mission remains the exfiltration of sensitive political, military, and geostrategic intelligence.

Analysts at the 360 Advanced Threat Research Institute recently discovered several attack samples attributed to OilRig during their routine APT threat hunting activities. These findings shed light on a significantly more advanced attack chain. This new methodology intricately combines social engineering via phishing emails, abuse of legitimate cloud services, image steganography, and in-memory execution to orchestrate a covert, multi-stage campaign.

The threat group crafted compelling phishing documents that exploited the sensitive topic of Iran’s nationwide social protests. This tactic was designed to entice victims into initiating the infection process without suspicion.

The Infection Chain: From Phishing to Covert C2

The campaign commenced with a malicious Excel spreadsheet titled “Final List_Tehran.xlsm.” This document was meticulously designed to appear as a legitimate file related to the social unrest in Iran. Notably, the file referenced “January 1404” of the Iranian calendar, correlating to late December 2025 through January 2026, indicating a deliberate effort to align the bait with contemporary real-world events and enhance its credibility.

Upon a victim opening the Excel document and enabling its embedded macros, the sophisticated infection sequence silently began to execute in the background. The entire attack pipeline seamlessly integrated GitHub, Google Drive, and Telegram, creating a robust and stealthy infrastructure for payload delivery, configuration retrieval, and ongoing command-and-control communications. By routing malicious traffic through these widely trusted and utilized platforms, OilRig effectively minimized the likelihood of detection by standard security monitoring systems.

Attack Flow (Source – 360)

Inside the LSB Steganography Attack Chain

The infection mechanism deployed in this campaign was engineered with extreme precision to circumvent security alerts at every stage. Once the victim activated macros within the Excel file, the embedded VBA code surreptitiously decoded C# source code stored within the document’s CustomXMLParts section. Subsequently, it leveraged the legitimate Windows compiler, csc.exe, to compile and construct a functional malicious loader on the compromised machine, saving it as AppVStreamingUX_Multi_User.dll.
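The Office-to-csc.exe step above is a concrete process-creation pattern a defender can hunt for. The following is an added example, not code from 360 or from any EDR product: it scans constructed JSON process events (the field names are assumed) for an Office application spawning csc.exe, and separately notes when the compiler's output is written under the user's AppData directory.

```python
import json
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
COMPILERS = {"csc.exe"}

def flag_office_compile(event: dict) -> list:
    """Return the reasons a process-creation event matches the pattern in the
    article: an Office process launching csc.exe, optionally emitting a DLL
    into a user-profile path."""
    parent = ntpath.basename(event.get("parent", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    cmdline = event.get("cmdline", "").lower()
    reasons = []
    if parent in OFFICE_APPS and child in COMPILERS:
        reasons.append(f"{parent} spawned {child}")
        # csc.exe's /out: switch names the compiled artifact; flag user-writable targets
        if "/out:" in cmdline and "\\appdata\\" in cmdline:
            reasons.append("compiler output written under AppData")
    return reasons

def scan(lines) -> list:
    """Parse one JSON event per line and return (line number, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = flag_office_compile(json.loads(line))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample events (field names assumed, not from any real product):
# 1) Excel spawning csc.exe with a DLL target under AppData (matches the article),
# 2) a developer IDE build (benign), 3) Excel spawning a print helper (benign).
SAMPLE_EVENTS = [
    r'{"parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", '
    r'"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", '
    r'"cmdline": "csc.exe /target:library /out:C:\\Users\\u\\AppData\\Roaming\\AppVStreamingUX_Multi_User.dll C:\\Users\\u\\AppData\\Local\\Temp\\src.cs"}',
    r'{"parent": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", '
    r'"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", '
    r'"cmdline": "csc.exe /out:C:\\src\\build\\app.dll C:\\src\\app.cs"}',
    r'{"parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", '
    r'"image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 12288"}',
]
```

Only the first constructed event should fire, with both reasons; the IDE build and the print helper are left alone.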

This loader then initiated a connection to a GitHub repository associated with the account “johnpeterson1304.” From this repository, it retrieved a text file named “tamiManager.txt.” After decoding the Base64-encoded content of this file, the loader obtained a Google Drive link that pointed to an image file named “MIO9.png.”

OilRig Steganographic PNG (Source – 360)

While the “MIO9.png” image appeared entirely normal to the unsuspecting eye, it covertly contained encrypted C2 configuration data embedded within its least significant pixel bits. Employing a custom LSB extraction algorithm, followed by a combination of Base64 and XOR decryption, the loader successfully retrieved the complete C2 setup. This configuration included a Telegram Bot token, a chat ID, and five distinct module download addresses, designated m1 through m5.
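To show what the extraction step above involves from an analyst's side, here is an added example that is not 360's or the loader's own code. It assumes a simple layout (one bit per pixel byte, MSB first, 32-bit big-endian length prefix), that Base64 decoding precedes a one-byte XOR, and a JSON config; the real loader's layout and key are not public. The sample "image" is constructed pixel bytes carrying placeholder values for the fields the article names (bot token, chat ID, m1 to m5).

```python
import base64
import json
import random

XOR_KEY = b"k"  # assumed one-byte key for this illustration; the real key is not public

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - len(bits) % 8, 8))

def extract_lsb(pixels: bytes) -> bytes:
    """Read the LSB of each pixel byte. Assumed layout: sequential bits, MSB first,
    32-bit big-endian length prefix (the real loader's layout is not public)."""
    bits = [p & 1 for p in pixels]
    length = int.from_bytes(bits_to_bytes(bits[:32]), "big")
    if 32 + length * 8 > len(bits):
        raise ValueError("declared payload exceeds image capacity")
    return bits_to_bytes(bits[32:32 + length * 8])

def decode_config(blob: bytes, key: bytes) -> dict:
    """Undo the Base64 + XOR wrapping (order assumed) and parse the JSON config."""
    return json.loads(xor_bytes(base64.b64decode(blob), key))

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Inverse of extract_lsb; used here only to build the constructed sample."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """LSB embedding moves each byte by at most 1, which is why the picture looks untouched."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed sample: 4096 grayscale pixel bytes carrying a placeholder config with the
# fields the article describes (bot token, chat id, module addresses m1..m5).
_rng = random.Random(1)
COVER = bytes(_rng.randrange(256) for _ in range(4096))
SAMPLE_CONFIG = {"bot_token": "000000:PLACEHOLDER", "chat_id": "0",
                 **{f"m{i}": f"https://example.invalid/m{i}" for i in range(1, 6)}}
STEGO = embed_lsb(COVER, base64.b64encode(xor_bytes(json.dumps(SAMPLE_CONFIG).encode(), XOR_KEY)))
RECOVERED = decode_config(extract_lsb(STEGO), XOR_KEY)
```

The recovered dictionary is where an analyst pulls blocking indicators from (the token, chat ID and module URLs); the length check stops the extractor from reading garbage off an image that carries nothing.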

These modules facilitated various malicious functionalities, including persistence (pr), file upload (up), file download (do), command execution (cm), and application launch (runApp). Crucially, each of these modules was loaded directly into memory, a technique designed to avoid leaving forensic artifacts on disk that could be detected by endpoint security solutions.

To ensure persistent access across system reboots, OilRig employed Windows scheduled tasks to maintain the malware’s presence on the compromised machine. Furthermore, the malware transmitted an “is online” heartbeat message via the Telegram Bot API each time it activated, providing the attackers with real-time confirmation of continued control over the infected system.

What You Should Do

  • Disable Macros by Default: Configure Microsoft Office applications to disable macro execution from untrusted sources. Educate users on the risks of enabling macros in documents from unknown or suspicious senders.
  • Enhance Network Monitoring: Implement robust network monitoring rules to detect and flag unusual outbound traffic directed towards legitimate cloud services like GitHub, Google Drive, and Telegram, especially when originating from internal systems.
  • Deploy Advanced Endpoint Detection: Utilize Endpoint Detection and Response (EDR) solutions capable of identifying sophisticated in-memory attack techniques such as DLL loading, DLL side-loading, and process injection activity, which were central to this campaign’s stealth.
  • User Awareness Training: Conduct regular cybersecurity awareness training for employees, emphasizing the dangers of phishing emails and the importance of scrutinizing attachments and links, particularly those related to sensitive or trending topics.
  • Regular Security Audits: Perform routine security audits and vulnerability assessments to identify and remediate potential weaknesses in your infrastructure that could be exploited by APT groups.
