APT-C-49 (OilRig), an Iranian state-sponsored advanced persistent threat group also known as APT34 and Helix Kitten, has deployed a sophisticated new attack campaign that conceals command-and-control configurations inside Google Drive images using LSB steganography.
The group, which has been active since at least 2014, primarily targets government, energy, telecommunications, and financial sectors across the Middle East, the United States, Europe, and Asia.
The recent campaign leverages a highly covert attack chain combining cloud service abuse, steganography, and memory execution techniques.
The attack begins with a malicious Excel file themed around Iranian nationwide protests, using social engineering lures like “Tehran final list” to trick victims into enabling macros.
Security researchers at the 360 Advanced Threat Research Institute discovered the attack samples during routine APT threat hunting operations in early 2026.
Once macros are enabled, the VBA code decodes C# source code from CustomXMLParts. It uses the legitimate Windows compiler csc.exe to compile it into a malicious loader.
This fileless technique helps the malware evade traditional antivirus detection, since no pre-compiled executable is ever dropped onto the disk.
LSB Steganography Conceals Data
The compiled loader accesses a hardcoded GitHub repository to retrieve encoded configuration data pointing to a Google Drive shared link.
The Google Drive link downloads what appears to be an ordinary image file, but it contains encrypted configuration information embedded using LSB (least significant bit) steganography.
LSB steganography works by replacing the least significant bits of pixel values in digital images with hidden data, making alterations nearly imperceptible to the human eye.
After downloading the image, the loader extracts the hidden configuration using a specific LSB algorithm, then decrypts it using Base64 and XOR operations.
The decrypted configuration reveals download addresses for multiple subsequent modules including persistence, upload, download, command execution, and program execution components.
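As an added example (not code from the 360 report or from the malware itself), the recovery chain described above in Python: read the hidden bytes out of the least significant bit of each pixel byte, Base64-decode them, then XOR-decrypt. The decode order, the 4-byte length prefix, the repeating-key XOR, the key and the sample configuration are all assumptions; the cover "image" is constructed pseudo-random pixel bytes rather than a real image file, and the module names in the sample follow the report while the URLs are placeholders.

```python
import base64
import random
from typing import Iterator


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write payload (prefixed with a 4-byte big-endian length) into the LSB of
    successive pixel bytes. Used only to build the constructed sample below."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels: bytes) -> bytes:
    """Analyst-side extractor: read the length prefix from the first 32 LSBs,
    then reassemble that many bytes from the LSBs that follow."""
    def read_bytes(bit_offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[bit_offset + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared payload length exceeds image capacity")
    return read_bytes(32, length)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(pixels: bytes, key: bytes) -> str:
    """Full recovery chain: LSB extract -> Base64 decode -> XOR decrypt."""
    hidden = lsb_extract(pixels)
    return xor_bytes(base64.b64decode(hidden, validate=True), key).decode("utf-8")


SAMPLE_KEY = b"k3y!"  # constructed key, not from the campaign
SAMPLE_CONFIG = (  # constructed config; module names follow the report, URLs are placeholders
    '{"pr":"https://example.invalid/pr","up":"https://example.invalid/up",'
    '"do":"https://example.invalid/do","cm":"https://example.invalid/cm",'
    '"runApp":"https://example.invalid/runApp"}'
)


def build_sample_image(config: str = SAMPLE_CONFIG, key: bytes = SAMPLE_KEY,
                       cover_len: int = 4096, seed: int = 7) -> bytes:
    """Constructed cover 'image': pseudo-random pixel bytes, so no image library is needed."""
    rng = random.Random(seed)
    cover = bytes(rng.randrange(256) for _ in range(cover_len))
    payload = base64.b64encode(xor_bytes(config.encode("utf-8"), key))
    return lsb_embed(cover, payload)


if __name__ == "__main__":
    print(decode_config(build_sample_image(), SAMPLE_KEY))
```

For a real sample the pixel bytes would come from the decoded image (for example the flattened RGB array from an image library), and the key and framing would have to be lifted from the loader; the length prefix here is what makes the extractor refuse a cover image that carries no payload.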
The macro Base64-decodes these CustomXMLParts objects to obtain the C# source code together with two configuration files, AppVStreamingUX.exe.config and fsvc.exe.config, and writes the C# source out for compilation.

Following successful configuration extraction, the malware establishes an encrypted command-and-control channel via the Telegram Bot API.
This technique allows OilRig to blend malicious traffic with legitimate cloud communications, making detection significantly more challenging for security teams.
The malware loads each functional module dynamically into memory, supporting operations like DLL execution, file uploads and downloads, command execution, and arbitrary program launching.
OilRig has increasingly relied on legitimate cloud platforms like Google Drive, GitHub, and Telegram to distribute malware and facilitate C2 communications.
This cloud abuse strategy effectively reduces the attack’s detection surface by hiding malicious activities within trusted services that organizations typically allow through their firewalls.
Attribution and Evolution
Security researchers attributed this campaign to APT-C-49 (OilRig) based on several key indicators.
When the CLR creates an AppDomain, it automatically triggers the InitializeNewDomain() method, which in turn starts the ExecuteCoreLogic() thread.

The attack chain structure shows strong consistency with historical APT34 tactics, including the use of Excel workbook events, VBA macros with Base64 decoding, and scheduled tasks for persistence.
Additionally, both initial test code and production samples contained Persian language comments, indicating the developers’ native language aligns with Iranian origins.
The campaign represents a significant evolution from OilRig’s earlier operations. The group has shifted from basic Excel macro-based loaders to sophisticated multi-stage attack chains featuring cloud service abuse, steganographic concealment, and fileless in-memory execution.
The decoded configuration yields Google Drive links that point to the pr (persistence module), up (upload module), do (download module), cm (command execution module), and runApp (program execution module) components.

Organizations can protect against these sophisticated attacks by implementing several defensive measures. Network monitoring should flag unusual access patterns to cloud storage services and API-based communications with platforms like Telegram.
Security teams should monitor for suspicious macro-enabled Office documents, particularly those themed around regional social or political events.
Advanced behavioral analytics can help identify anomalous file compilation activities using legitimate Windows tools like csc.exe.
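As an added example (not code from the report or from any vendor product), the three measures above expressed as simple detection rules in Python and run over constructed telemetry in the shape of process-creation and network-connection events. The rule names, the allow-list of expected cloud clients, the user-writable path heuristic and every sample path are assumptions; csc.exe is named in the report, vbc.exe is added as its Visual Basic counterpart.

```python
import os
from typing import Dict, List, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
CLOUD_SERVICES = {"api.telegram.org", "drive.google.com", "github.com", "raw.githubusercontent.com"}
# processes an organisation would normally expect to talk to those services (assumed allow-list)
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe", "git.exe", "googledrivefs.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

Event = Dict[str, str]
Alert = Tuple[str, str, str]  # (rule, severity, offending image)


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def check_office_compile(ev: Event) -> List[Alert]:
    """An Office application spawning a .NET compiler: the macro-to-csc.exe step."""
    if ev.get("type") != "process":
        return []
    if _basename(ev["parent_image"]) in OFFICE_APPS and _basename(ev["image"]) in DOTNET_COMPILERS:
        return [("office-spawned-dotnet-compiler", "high", ev["image"])]
    return []


def check_cloud_contact(ev: Event) -> List[Alert]:
    """A process outside the allow-list contacting a cloud service used for staging or C2.
    Binaries running from user-writable paths are rated higher."""
    if ev.get("type") != "network" or ev["dest_host"].lower() not in CLOUD_SERVICES:
        return []
    image = ev["image"]
    if _basename(image) in EXPECTED_CLIENTS:
        return []
    severity = "high" if any(p in image.lower() for p in USER_WRITABLE) else "medium"
    return [("cloud-service-contact-from-unexpected-process", severity, image)]


def evaluate(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        alerts += check_office_compile(ev)
        alerts += check_cloud_contact(ev)
    return alerts


# constructed sample telemetry; none of these paths or hosts are indicators from the report
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},   # benign build
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},                       # expected client
    {"type": "network", "image": r"C:\Program Files\Git\cmd\git.exe",
     "dest_host": "github.com", "dest_port": "443"},                             # expected client
]

if __name__ == "__main__":
    for rule, severity, image in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {image}")
```

The compile rule is the one with the best signal-to-noise ratio: developers build from IDEs and build servers, not from Excel. The cloud-contact rule needs the allow-list tuned per environment, and in practice the events would carry signer and hash fields that let the rule exempt signed, known-good binaries rather than relying on file names alone.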