A well-known Iranian state-sponsored hacking group called OilRig, also tracked as APT34 and Helix Kitten, has been found hiding its command-and-control (C2) server configuration inside a regular-looking image file stored on Google Drive.
The threat group used a technique called LSB (Least Significant Bit) steganography to quietly embed encrypted data into a PNG image, making the attack very hard to detect through standard security tools.
OilRig is a cyberespionage group that has been active since at least 2016 and is widely believed to be linked to Iranian intelligence agencies.
The group has a long history of targeting organizations across the Middle East, the United States, Europe, and parts of Asia, with a focus on government agencies, financial institutions, energy companies, telecom providers, and chemical firms.
Its primary goal is to steal sensitive political, military, and geostrategic information from high-value targets.
Analysts at the 360 Advanced Threat Research Institute identified multiple attack samples tied to this group during routine APT threat hunting operations.
These findings exposed a new and more advanced attack chain that combined phishing emails, cloud service abuse, image steganography, and in-memory execution to build a covert multi-stage campaign.
The group used the theme of Iran’s nationwide social protests to design convincing phishing documents that pushed victims into triggering the infection without knowing.
The campaign started with a malicious Excel file titled “Final List_Tehran.xlsm,” crafted to appear as a legitimate document tied to social unrest in Iran.
The file referenced January 1404 of the Iranian calendar, corresponding to late December 2025 through January 2026, suggesting the attackers designed the bait around real-world events to increase its credibility.
Once a victim opened the document and enabled macros, the full infection chain silently began executing in the background.
The overall attack linked GitHub, Google Drive, and Telegram together into a seamless pipeline for payload delivery, configuration retrieval, and ongoing command communication.
By routing malicious activity through trusted and widely used platforms, OilRig made it much harder for security tools to flag the traffic as suspicious.
Inside the LSB Steganography Attack Chain
The infection mechanism in this campaign was carefully built to avoid triggering security alerts at every step.
When the victim enabled macros in the Excel file, the embedded VBA code silently decoded C# source code stored in the document’s CustomXMLParts section, then used the legitimate Windows compiler csc.exe to build a working malicious loader on the victim’s machine, which was saved as AppVStreamingUX_Multi_User.dll.
The loader then connected to a GitHub repository under the account “johnpeterson1304” and pulled a text file named “tamiManager.txt.” After decoding its Base64 content, the loader received a Google Drive link pointing to an image named “MIO9.png”.
This image appeared completely normal but secretly carried encrypted C2 configuration data embedded within its least significant pixel bits.
Using a custom LSB extraction algorithm, followed by Base64 decoding and XOR decryption, the loader retrieved the full C2 setup, which contained a Telegram Bot token, a chat ID, and five module download addresses labeled m1 through m5.
These modules handled persistence (pr), file upload (up), file download (do), command execution (cm), and application launch (runApp), and each one was loaded directly into memory to avoid leaving files on disk that security tools could scan.
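The recovery chain described above (LSB plane, then Base64 decoding, then XOR) written out as an added analyst-side example; this is not code from the 360 report or from the malware. It assumes a sequential one-bit-per-byte LSB layout and a single-byte XOR key, and the pixel values are a constructed stand-in, since the report's custom algorithm and the contents of MIO9.png are not reproduced on this page.

```python
import base64
import re

# Constructed sample: 9 "rows" of 8 grayscale pixel bytes from a hypothetical
# carrier image. The real MIO9.png is not public, so these values are made up;
# rows 1-8 carry one ASCII byte each in their LSBs, row 9 is untouched carrier.
SAMPLE_PIXELS = bytes([
    100, 101, 100, 100, 101, 101, 101, 101,   # 'O'
    104, 105, 104, 104, 104, 105, 104, 104,   # 'D'
    108, 109, 108, 109, 108, 109, 108, 109,   # 'U'
    112, 113, 113, 113, 112, 113, 112, 113,   # 'u'
    116, 117, 116, 117, 117, 116, 117, 116,   # 'Z'
    120, 121, 121, 121, 121, 120, 120, 121,   # 'y'
    124, 125, 124, 124, 125, 124, 125, 124,   # 'J'
    128, 129, 129, 129, 128, 128, 129, 128,   # 'r'
    132, 132, 132, 132, 132, 132, 132, 132,   # clean carrier, LSBs all 0
])

XOR_KEY = 0x5A  # assumed single-byte key; the real key is not on the page

# A run of Base64 alphabet characters long enough to be worth decoding.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def extract_lsb_bytes(pixels: bytes) -> bytes:
    """Gather the least significant bit of each pixel byte, MSB-first, into bytes."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        value = 0
        for b in pixels[i:i + 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR, which is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_config(pixels: bytes, key: int = XOR_KEY):
    """LSB plane -> first Base64 run -> XOR; None if no decodable run exists."""
    plane = extract_lsb_bytes(pixels)
    match = BASE64_RUN.search(plane)
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(0), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return xor_decrypt(decoded, key)


if __name__ == "__main__":
    print(recover_config(SAMPLE_PIXELS))  # b'bot=x1'
```

On a real sample the pixel bytes would come from the decoded PNG (for example via Pillow's `Image.tobytes()`), and the channel order and bit layout would have to be confirmed against the loader's own extraction routine.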
To maintain access after a reboot, OilRig used Windows scheduled tasks to keep the malware running persistently on the compromised machine. Each time it activated, the malware sent an “is online” heartbeat message through the Telegram Bot API, giving the attacker real-time confirmation that the system remained under their control.
Security teams should disable macro execution in Office files received from untrusted sources and set up network monitoring rules to catch unusual outbound traffic directed at GitHub or Google Drive.
Organizations are also strongly advised to deploy endpoint detection solutions capable of identifying in-memory DLL loading, DLL side-loading, and process injection activity, all of which were key components of the attack technique used throughout this campaign.