A sophisticated attack campaign has been uncovered that uses steganographic techniques to hide malicious code within ordinary JPEG image files, delivering a fully undetectable (FUD) ransomware payload that bypasses traditional security solutions.
The attack exploits the metadata structure of JPEG files to conceal PowerShell code that, when triggered, downloads and executes ransomware without raising security alerts.
This technique, known as stegomalware, represents an evolution in threat actors’ ability to circumvent detection mechanisms.
Stegomalware operates by building a steganographic system to hide malicious data within its resources and then extracts and executes them dynamically.
It’s considered one of the most sophisticated and stealthy ways of obfuscation currently being deployed by threat actors.
Multi-Stage Ransomware Attack With JPG Files
According to Aux Grep, the attack begins when victims receive seemingly innocent JPG images through email, social media, or compromised websites.
Hidden within the EXIF data of these images is obfuscated PowerShell code designed to initiate the attack sequence.
When the image is opened, a secondary component, typically an Office document containing a macro, extracts and executes the hidden code using commands similar to:
Once executed, the PowerShell script downloads a JPG file containing a Base64-encoded .NET assembly hidden between specific markers.
This assembly then loads and executes the final ransomware payload, which encrypts the victim’s files while remaining undetected by security solutions.
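The detection side of the chain described above, as an added example that is not from the article or the researchers it cites: a small scanner that walks the JPEG marker segments and flags APPn (EXIF) or COM metadata carrying PowerShell indicators or a long Base64 run such as a hidden assembly framed between markers. The indicator list and the sample JPEG bytes are constructed for this example, not taken from the campaign.

```python
"""Scan JPEG metadata segments (APPn/COM) for embedded script indicators."""
import base64
import re
import struct

# Indicators worth flagging in image metadata (constructed list, not exhaustive).
SCRIPT_PATTERNS = [
    ("powershell", re.compile(rb"powershell", re.I)),
    ("invoke-expression", re.compile(rb"Invoke-Expression|\bIEX\b", re.I)),
    ("frombase64string", re.compile(rb"FromBase64String", re.I)),
    ("download-cmdlet", re.compile(rb"DownloadString|DownloadFile", re.I)),
]
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long Base64 run


def iter_segments(data: bytes):
    """Yield (marker, payload) for each segment before scan data (SOS) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: entropy-coded data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_jpeg(data: bytes) -> list[dict]:
    """One finding per APPn/COM segment with script indicators or a long Base64 run."""
    findings = []
    for marker, payload in iter_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue
        hits = [name for name, rx in SCRIPT_PATTERNS if rx.search(payload)]
        b64 = BASE64_RUN.search(payload)
        if hits or b64:
            findings.append({"marker": f"0x{marker:02X}", "indicators": hits,
                             "base64_run_len": len(b64.group()) if b64 else 0})
    return findings


def build_segment(marker: int, payload: bytes) -> bytes:
    """Assemble a JPEG segment: 0xFF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: an APP1/EXIF segment with PowerShell keywords and a COM
# segment holding a marker-framed Base64 blob, then an empty SOS and EOI.
HIDDEN_BLOB = base64.b64encode(b"A" * 300)
SAMPLE_JPEG = (b"\xff\xd8"
    + build_segment(0xE1, b"Exif\x00\x00MM\x00*Invoke-Expression ... FromBase64String")
    + build_segment(0xFE, b"<<BEGIN>>" + HIDDEN_BLOB + b"<<END>>")
    + b"\xff\xda\x00\x02\xff\xd9")
```

Running `scan_jpeg(SAMPLE_JPEG)` reports two findings: the APP1 segment with two script indicators and the COM segment with a 400-character Base64 run, while a plain JFIF header produces none.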
This attack is particularly dangerous because of its use of FUD techniques. Malware authors understand how security products work and specifically design their code to evade detection.
The frequency of virus definition updates has increased significantly, but FUD malware stays ahead by using cryptors to encrypt its code, making each sample unique and ensuring it matches nothing in virus databases.
The steganographic approach provides an additional layer of protection for attackers. Since the malicious code is hidden within pixel data rather than metadata, it becomes nearly invisible to traditional detection tools.
In a recent campaign documented in March 2025, researchers identified attackers using this technique to distribute various RAT (Remote Access Trojan) malware, including LimeRAT, AgentTesla, and Remcos, followed by the deployment of ransomware.
The initial infection vector typically involves spam emails with attached images. Once downloaded, the concealed PowerShell script activates, extracting the hidden code and establishing a connection to command-and-control servers before deploying the ransomware payload.
Protection Measures
Security experts recommend several measures to protect against these attacks:
- Implement advanced email filtering solutions that analyze embedded image components.
- Disable automatic execution of macros in Office documents.
- Maintain regular, offline backups of critical data.
- Deploy security solutions with behavioral analysis capabilities rather than signature-based detection alone.
- Exercise caution when downloading images from untrusted sources.
As attackers continue to refine their techniques, organizations must remain vigilant against these increasingly sophisticated threats that turn ordinary images into vectors for devastating ransomware attacks.