<h1>OilRig Hides C2 Configuration in Google Drive Image Using LSB Steganography</h1>
<p>Tushar Subhra Dutta, Cyber Security News. Published 2026-04-28; this copy is mirrored at serisec.com. Original post: <a href="https://cybersecuritynews.com/oilrig-hides-c2-configuration/">cybersecuritynews.com/oilrig-hides-c2-configuration/</a>.</p>
<p>The Iranian state-sponsored group OilRig, also tracked as APT34 and Helix Kitten, has been observed hiding its command-and-control (C2) configuration inside an ordinary-looking PNG image hosted on Google Drive.</p>
<p>The group used least-significant-bit (LSB) steganography to embed encrypted configuration data in the image's pixel values. Only the lowest bit of each affected colour channel changes, so the picture is visually identical to the original, the file is a valid PNG, and it is served from a trusted domain; file-type inspection, reputation checks and signature scanning have nothing to flag.</p>
<p>OilRig is a cyberespionage group active since at least 2016 and widely assessed to be linked to Iranian intelligence. It has a long history of targeting government agencies, financial institutions, energy companies, telecom providers and chemical firms across the Middle East, the United States, Europe and parts of Asia, with the goal of stealing sensitive political, military and geostrategic information.</p>
<p><a href="https://www.360.cn/n/13004.html">Analysts at the 360 Advanced Threat Research Institute identified multiple attack samples</a> tied to the group during routine APT threat hunting. The samples expose a multi-stage chain that combines phishing, abuse of legitimate cloud services, image steganography and in-memory execution.</p>
<p>The lure theme was Iran's nationwide social protests. The campaign opened with a macro-enabled Excel workbook titled "Final List_Tehran.xlsm", presented as a legitimate document tied to the unrest.</p>
<figure><img src="https://i0.wp.com/blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhba7cngJJFc1lnLXOXs2MFYpNqgT2PIDPxXSF4YiKzxU6MkneHY2eirzQA-vVOCjBhH2xEeAi_rOWrJUZKCPhLzLwkRCjZaheofyiWOjl7XsnXHal2t62nBB4SKNACyNLgmY2POFQP8_DqPM30DwZt2F0fHheWmDtjrI-6eWg9fBjEVAHfP8jKjU9aZBA/s16000/Attack%2520Flow%2520%28Source%2520-%2520360%29.webp?ssl=1" alt="Attack Flow (Source - 360)"><figcaption>Attack Flow (Source: 360)</figcaption></figure>
<p>The file referenced a date in the Iranian calendar year 1404 corresponding to late December 2025 through January 2026, so the bait was built around events current at the time to improve its credibility.</p>
<p>Once a victim opened the workbook and enabled macros, the infection chain ran silently in the background. GitHub, Google Drive and Telegram were chained into a single pipeline: GitHub holds the first-stage pointer, Google Drive hosts the steganographic configuration image, and the Telegram Bot API carries tasking and heartbeats.</p>
<p>Routing everything through widely used platforms means each hop is an HTTPS request to a domain that ordinary users also contact, so domain reputation and URL filtering do not flag it. Detection has to come from behaviour, principally which process is making the request and what spawned that process.</p>
<h2 class="wp-block-heading" id="inside-the-lsb-steganography-attack-chain"><strong>Inside the LSB Steganography Attack Chain</strong></h2>
<p>Each step of the chain was built to avoid raising an alert. When macros were enabled, the VBA code decoded C# source stored in the workbook's CustomXMLParts and invoked the legitimate .NET compiler csc.exe to build the loader on the victim's machine, saving it as AppVStreamingUX_Multi_User.dll. Compiling on the host means no prebuilt malicious binary travels in the email, but it leaves a rare parent-child relationship, an Office process spawning csc.exe, that endpoint telemetry can key on.</p>
<p>The loader then retrieved a text file named "tamiManager.txt" from the GitHub account "johnpeterson1304". Base64-decoding its content yielded a Google Drive link to an image named "MIO9.png".</p>
<figure><img src="https://i0.wp.com/blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGmR_yYOgK1_5Wr5M4t5hT9vzXrpOjRVoCINQt-RF3OowqxCbvw7DXP4jpXfsBkY0zwEDVUrnWuVuToNLJLIKh6jAcoKadQCy7H5heJ7IWXhUnxLmtHqXVE0TUSzUSRS7vXW35aa_ZY5iN1Sw_AasXShLmoKCQzhJTjnE8v1Jo3A8VXI3ny8pBqg4JmDQ/s16000/OilRig%2520Steganographic%2520PNG%2520%28Source%2520-%2520360%29.webp?ssl=1" alt="OilRig Steganographic PNG (Source - 360)"><figcaption>OilRig Steganographic PNG (Source: 360)</figcaption></figure>
<p>The image looks normal but carries the encrypted C2 configuration in the least significant bits of its pixel data.</p>
<p>Using a custom LSB extraction routine followed by Base64 decoding and XOR decryption, the loader recovered the full configuration: a Telegram Bot token, a chat ID, and five module download URLs labelled m1 through m5. Keeping the configuration in a separately fetched image means the loader itself contains no C2 indicator and the operators can rotate tokens and module URLs without redeploying the implant. The flip side for the attacker is that the extraction routine and the XOR key must ship inside the loader, so an analyst holding the DLL can decode the image offline.</p>
<p>The modules handle persistence (pr), file upload (up), file download (do), command execution (cm) and application launch (runApp). Each is loaded directly into memory, so module code never lands on disk where a file scanner would see it; CLR assembly-load telemetry and memory scanning are the places it does show up.</p>
<p>For persistence across reboots, OilRig used Windows scheduled tasks. On every activation the implant sends an "is online" heartbeat through the Telegram Bot API, giving the operator real-time confirmation that the host is still under control. Bot API traffic goes to api.telegram.org; on a managed workstation where Telegram is not a sanctioned application, any process talking to that host is worth an alert in its own right.</p>
<h2 class="wp-block-heading" id="detection-and-mitigation"><strong>Detection and Mitigation</strong></h2>
<p>Security teams should keep macro execution disabled for Office files from untrusted sources. Current Microsoft 365 builds already block VBA macros in files that carry the Mark of the Web, so the residual exposure is files that arrive without it (inside archives, on removable media or from internal shares) and users who unblock a file by hand.</p>
<p>Network monitoring for outbound traffic to GitHub or Google Drive is only useful with process context, since both domains are ubiquitous: the signal is an Office process or any other non-browser process fetching from them. Telegram Bot API egress is a stronger indicator on its own.</p>
<p>Endpoint detection should cover in-memory DLL and .NET assembly loading, Office processes spawning csc.exe or other living-off-the-land binaries, and scheduled-task creation from unusual parents, all of which appear in this chain. The original recommendation also names DLL side-loading and process injection; the chain as described above does not say where they occur, so treat those as general hygiene rather than campaign-specific indicators.</p>
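<p>The recovery step described in the attack-chain section (LSB bits out of the image, then Base64, then XOR) is easy to misjudge from prose alone, so here is an added worked example, written for this page and not taken from the 360 samples or from OilRig's loader. It embeds a made-up configuration into a constructed gradient cover, writes a real PNG (including the per-row filters a decoder must undo before the pixel LSBs mean anything), then recovers the configuration the way the loader would. The 32-bit length prefix, raster bit order, XOR key and field names are assumptions; the report does not give OilRig's actual framing.</p>

```python
"""Added example, not OilRig's code: hide a configuration in the least significant
bits of PNG pixel data and recover it as the loader above does (LSB extraction, then
Base64, then XOR). Length prefix, bit order, XOR key and field names are assumptions."""
import base64
import json
import struct
import zlib
MAGIC = b"\x89PNG\r\n\x1a\n"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def pack_config(config: dict, key: bytes) -> bytes:
    """JSON -> XOR -> Base64; the loader reverses it: Base64 decode, then XOR."""
    return base64.b64encode(xor_bytes(json.dumps(config).encode(), key))

def unpack_config(blob: bytes, key: bytes) -> dict:
    return json.loads(xor_bytes(base64.b64decode(blob), key))

def _pred(ftype: int, a: int, b: int, c: int) -> int:
    """PNG scanline predictor (a = left, b = up, c = upper-left) for filter types 0-4."""
    if ftype < 4:
        return (0, a, b, (a + b) // 2)[ftype]
    p = a + b - c  # Paeth
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)

def rgb_to_png(width: int, height: int, rgb: bytes, ftype: int = 4) -> bytes:
    """Encode 8-bit RGB as a non-interlaced PNG, applying one filter type to every row."""
    stride, raw, prev = width * 3, bytearray(), bytes(width * 3)
    for y in range(height):
        line = rgb[y * stride:(y + 1) * stride]
        raw.append(ftype)
        for x in range(stride):
            a, c = (line[x - 3], prev[x - 3]) if x >= 3 else (0, 0)
            raw.append((line[x] - _pred(ftype, a, prev[x], c)) & 0xFF)
        prev = line
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")

def png_to_rgb(data: bytes) -> bytes:
    """Decode a non-interlaced 8-bit RGB PNG (any row filter) to raw pixel bytes; the
    filters must be undone first, LSBs of the filtered or compressed bytes mean nothing."""
    if data[:8] != MAGIC:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        pos += 12 + length
        if tag == b"IHDR":
            width, height, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, color, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit non-interlaced RGB is handled here")
        elif tag == b"IDAT":
            idat += body
    raw, stride = zlib.decompress(idat), width * 3
    out, prev = bytearray(), bytes(stride)
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        ftype, line = row[0], bytearray(row[1:])
        for x in range(stride):
            a, c = (line[x - 3], prev[x - 3]) if x >= 3 else (0, 0)
            line[x] = (line[x] + _pred(ftype, a, prev[x], c)) & 0xFF
        out += line
        prev = bytes(line)
    return bytes(out)

def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write len(payload) as a 32-bit prefix, then the payload, one bit per channel byte."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover too small")
    out = bytearray(pixels)
    for i in range(len(framed) * 8):
        out[i] = (out[i] & 0xFE) | ((framed[i // 8] >> (7 - i % 8)) & 1)
    return bytes(out)

def lsb_extract(pixels: bytes) -> bytes:
    """Inverse of lsb_embed; rejects covers whose LSB prefix is not a plausible length."""
    bits = "".join(str(b & 1) for b in pixels)
    length = int(bits[:32], 2)
    if 32 + length * 8 > len(bits):
        raise ValueError("no valid LSB payload")
    return int("0" + bits[32:32 + length * 8], 2).to_bytes(length, "big")

def recover_config(png: bytes, key: bytes) -> dict:
    """What the loader does with the downloaded image: pixels -> LSB -> Base64 -> XOR."""
    return unpack_config(lsb_extract(png_to_rgb(png)), key)

# Constructed demo data: a 64x64 gradient cover, an assumed key and a made-up config.
COVER = bytes((x + y) % 256 for y in range(64) for x in range(192))
KEY = b"example-key"
CONFIG = {"token": "0000:EXAMPLE", "chat_id": "0", "m1": "https://example.invalid/pr"}
STEGO_PNG = rgb_to_png(64, 64, lsb_embed(COVER, pack_config(CONFIG, KEY)))
```

<p>Two practical points the example makes concrete. First, PNG row filters have to be reversed before any LSB reading, so a tool that inspects the compressed IDAT stream or the raw filtered bytes will find nothing; <code>png_to_rgb</code> handles all five filter types for that reason. Second, the XOR key has to live in the loader, so with AppVStreamingUX_Multi_User.dll in hand an analyst can run the same <code>recover_config</code> logic offline against MIO9.png once the real framing is known. <code>lsb_extract</code> also shows why an unmodified image is unlikely to decode by accident: the gradient cover's first 32 LSBs parse as an absurd length and are rejected.</p>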
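<p>Blocking GitHub, Google Drive or Telegram at the domain level is rarely an option, so the detection guidance above comes down to asking which process made a connection and which process spawned which. The following is an added example of those checks over EDR-style events, written for this page and not drawn from the 360 report. The event schema, the allowlists and the sample events are constructed; in particular, rundll32.exe as the process hosting the loader is an assumption, since the report summary does not say what loads the DLL.</p>

```python
"""Added example, not from the 360 report: telemetry checks for the behaviours in
the chain above (Office compiling with csc.exe, a non-browser process fetching from
GitHub or Google Drive, Telegram Bot API egress, scheduled-task creation from an odd
parent). Event shape, allowlists and sample events are assumptions made for this page."""
from typing import Iterable

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "msbuild.exe"}                    # in-host compile step
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
TASK_PARENTS_OK = {"mmc.exe", "services.exe"}                        # assumption: tune per estate
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CLOUD_CLIENTS_OK = {"git.exe", "googledrivefs.exe"}                  # assumption: sanctioned clients
CLOUD_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
               "drive.google.com", "drive.usercontent.google.com"}
TELEGRAM_HOSTS = {"api.telegram.org"}                                # Bot API endpoint
TELEGRAM_CLIENTS_OK: set = set()                                     # add telegram.exe only if sanctioned

def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev: dict) -> list:
    """Rules over a process-creation event with parent image, child image and command line."""
    parent, child = _base(ev["parent"]), _base(ev["image"])
    cmd = ev.get("cmdline", "").lower()
    hits = []
    if parent in OFFICE and child in COMPILERS:
        hits.append("office_spawns_compiler")          # VBA building the loader with csc.exe
    if parent in OFFICE and child in LOLBINS:
        hits.append("office_spawns_lolbin")
    if child == "schtasks.exe" and "/create" in cmd and parent not in TASK_PARENTS_OK:
        hits.append("schtasks_create_unusual_parent")  # persistence via scheduled task
    return hits

def check_network(ev: dict) -> list:
    """Rules over a network-connection event with the originating image and destination host."""
    proc, host = _base(ev["image"]), ev["dest_host"].lower()
    hits = []
    if host in TELEGRAM_HOSTS and proc not in TELEGRAM_CLIENTS_OK:
        hits.append("telegram_bot_api_egress")         # heartbeat / tasking channel
    if host in CLOUD_HOSTS and proc not in BROWSERS | CLOUD_CLIENTS_OK:
        hits.append("cloud_fetch_by_nonbrowser")        # GitHub pointer or Drive image fetch
    return hits

def scan(events: Iterable[dict]) -> dict:
    """Map rule name -> ids of the events that triggered it."""
    findings: dict = {}
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_network(ev)
        for rule in hits:
            findings.setdefault(rule, []).append(ev["id"])
    return findings

# Constructed sample telemetry; paths, hosts and command lines are illustrative, not observed IOCs.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": OFFICE_DIR + r"\EXCEL.EXE",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /nologo /target:library /out:loader.dll src.cs"},
    {"id": 2, "type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "raw.githubusercontent.com"},
    {"id": 3, "type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "drive.google.com"},
    {"id": 4, "type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "api.telegram.org"},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "github.com"},
    {"id": 6, "type": "process", "parent": OFFICE_DIR + r"\EXCEL.EXE",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /Create /SC ONLOGON /TN Updater /TR rundll32.exe"},
    {"id": 7, "type": "process", "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /Create /TN Backup"},
]
```

<p>api.telegram.org is the one host here that is almost never legitimate workstation traffic in a managed environment, so that rule carries an empty process allowlist by default; the cloud-host rule needs tuning to whatever Git and Drive clients the estate sanctions, which is why those sets are explicit rather than buried in the logic. The browser event (id 5) and the Task Scheduler console event (id 7) are there to show the rules staying quiet on ordinary activity.</p>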