OilRig’s New Stealth Arsenal: Hiding C2 in Google Drive Pixels to Bypass All Defenses + Video

Introduction

Advanced Persistent Threat group APT34 (OilRig/Helix Kitten) has elevated its tradecraft by embedding encrypted command-and-control configurations directly into benign-looking PNG images hosted on Google Drive using LSB steganography. This cloud‑abuse technique, combined with memory‑only payload execution and Telegram‑based C2, creates a nearly invisible attack chain that evades traditional file‑based and network signature detections.

Learning Objectives

  • Understand how LSB steganography works and how attackers embed data into image pixels without visual changes.
  • Analyse the complete OilRig attack chain: macro‑based delivery, in‑memory compilation, cloud image steganography, and Telegram C2.
  • Learn practical detection and hunting techniques using open‑source steganalysis tools, EDR behaviour analytics, and network monitoring.

You Should Know

1. LSB Steganography in the Cloud: The Core Technique

The attack’s technical foundation is Least Significant Bit (LSB) steganography applied to PNG images stored on Google Drive. In digital images, each pixel’s colour is represented by 8‑bit values (0–255) for red, green, and blue channels. LSB embedding replaces the least significant bit of each byte with one bit of the secret message. Because the least significant bit contributes at most 1/256th of the colour value, the human eye perceives no difference. A 1024×768 PNG image can hide approximately 786,432 bits (98 KB) of data—enough for multiple C2 configurations and module addresses.

OilRig used a custom LSB extraction algorithm followed by Base64 and XOR decryption to recover hidden data. Attackers can rotate images, update hidden payloads, or change C2 endpoints without altering the visible file, making persistent takedowns difficult.

Hands‑On Steganography Analysis

Linux / macOS – zsteg (best for PNG LSB analysis)

# Install zsteg (Ruby gem)
gem install zsteg

# Analyse a PNG for LSB hidden data (tries all channels, orders and bit depths)
zsteg -a suspicious.png

# Extract one detected LSB payload (1 bit per sample, RGB channel order, row-major pixel order)
zsteg -E 'b1,rgb,lsb,xy' suspicious.png > extracted.bin

# Check a specific bit plane (bit 1 = least significant bit)
zsteg -b 1 suspicious.png

Linux – Steghide (supports JPEG, BMP, WAV)

# Install
sudo apt install steghide

# Extract hidden data (prompts for the passphrase)
steghide extract -sf carrier.jpg

# Embed a file into a cover image
steghide embed -cf cover.jpg -ef secret.txt

General Forensics Toolkit

# Binwalk – scan for embedded file signatures (appended archives, executables)
binwalk suspicious.png

# Exiftool – inspect metadata anomalies (all tags, including unknown ones)
exiftool -a -u suspicious.png

# Strings – search for readable text in the binary (minimum length 8)
strings -n 8 suspicious.png

An automated steganography toolkit is available at GitHub – 0xleopards/Steganography-Toolkit, which bundles zsteg, steghide, binwalk, and `stegsolve` in a single installer.

Windows – PowerShell LSB Extraction (Conceptual)

# Load bitmap and extract LSBs (simplified: one bit per R, G and B sample, row-major order;
# the real loader's bit and channel order are unknown and must be recovered by analysis)
Add-Type -AssemblyName System.Drawing
$bmp = [System.Drawing.Bitmap]::FromFile("C:\path\to\image.png")
$bits = New-Object System.Text.StringBuilder
for ($y = 0; $y -lt $bmp.Height; $y++) {
    for ($x = 0; $x -lt $bmp.Width; $x++) {
        $pixel = $bmp.GetPixel($x, $y)
        [void]$bits.Append($pixel.R -band 1)
        [void]$bits.Append($pixel.G -band 1)
        [void]$bits.Append($pixel.B -band 1)
    }
}
$bmp.Dispose()
# Pack the bit string into bytes (8 bits per byte, MSB first) for the Base64/XOR analysis step
$bitString = $bits.ToString()
$bytes = for ($i = 0; $i + 8 -le $bitString.Length; $i += 8) {
    [Convert]::ToByte($bitString.Substring($i, 8), 2)
}
[IO.File]::WriteAllBytes("C:\path\to\extracted.bin", [byte[]]$bytes)

2. The Full Attack Chain: From Excel Macro to Memory Execution

OilRig’s 2026 campaign demonstrates a multi‑stage, fileless infection process that leverages trusted services at every step.

Stage 1 – Malicious Excel Lure

A spear‑phishing email delivers an Excel file named “Final List_Tehran.xlsm”, referencing real‑world Iranian social protests (January 1404 of the Iranian calendar, corresponding to late December 2025–January 2026).

Stage 2 – VBA Macro and In‑Memory Compilation

When macros are enabled, the VBA code extracts C# source code hidden in CustomXMLParts. It then calls `csc.exe` (the legitimate Windows C# compiler) to compile a malicious loader (AppVStreamingUX_Multi_User.dll) entirely in memory, leaving no file on disk.

Stage 3 – GitHub Config Retrieval

The loader contacts a GitHub repository (johnpeterson1304) to download tamiManager.txt. After Base64 decoding, it obtains a Google Drive link to an image named MIO9.png.

Stage 4 – LSB Steganography Extraction

The image is downloaded, and the loader extracts the hidden C2 configuration using a custom LSB extraction algorithm followed by Base64 plus XOR decryption. The retrieved data includes a Telegram Bot token, a chat ID, and five module download addresses (persistence, file upload, file download, command execution, application launch).

Stage 5 – Module Loading and C2 Communication

Modules are loaded directly into memory (no disk writes). Communication occurs over the Telegram Bot API, blending with legitimate chat traffic. Windows scheduled tasks provide persistence. Typical executed commands include:

schtasks /create /tn "WindowsMediaSync" /tr "C:\Windows\System32\AppVStreamingUX.exe" /sc onlogon

Windows Hunting Queries (PowerShell)

# Find recent csc.exe executions (Sysmon Event ID 1, process creation); review ParentImage for Office processes
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Message -like "*\csc.exe*"} | Format-List

# Detect scheduled tasks with suspicious names
schtasks /query /fo CSV | ConvertFrom-Csv | Where-Object {$_.TaskName -like "*WindowsMedia*" -or $_.TaskName -like "*Sync*"}

# Monitor DNS lookups for Google Drive content hosts (Sysmon Event ID 22, DNS query);
# Get-NetTCPConnection only reports remote IP addresses, so match on the queried name instead
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=22} | Where-Object {$_.Message -like "*googleusercontent.com*"} | Format-List

3. Detection and Mitigation Strategies

Defending against this blended cloud‑fileless attack requires multiple security layers.

Network Detection

  • Monitor for unexpected image downloads from personal Google Drive or GitHub URLs within corporate environments.
  • Analyse Telegram API traffic to unknown bot IDs (port 443, domain api.telegram.org). Look for repeated small‑sized requests/responses characteristic of C2 polling.
  • Use SSL/TLS inspection to examine encrypted traffic for anomalous patterns.

Endpoint Detection and Response (EDR)

Modern EDR platforms should alert on:

  • `csc.exe` invoked from temporary folders or user‑writable directories.
  • `AppVStreamingUX.exe` or `dfsvc.exe` loading unsigned DLLs.
  • PowerShell and .NET assemblies loading directly into memory without corresponding file creation.
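The correlation the EDR and network bullets call for, written out as an added example (not code from the article or from any EDR product): it maps constructed Sysmon-style events to the chain's stages and alerts only when an Office-spawned csc.exe is followed, on the same host and inside a time window, by a cloud config fetch and a Telegram API lookup. Hostnames, timestamps and event fields are constructed; the domain lists and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry): EID 1 = process creation, EID 22 = DNS query
EVENTS = [
    {"host": "WS01", "t": "2026-01-12T09:01:40", "eid": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"host": "WS01", "t": "2026-01-12T09:02:10", "eid": 22, "QueryName": "raw.githubusercontent.com"},
    {"host": "WS01", "t": "2026-01-12T09:02:31", "eid": 22, "QueryName": "doc-0c-3k-docs.googleusercontent.com"},
    {"host": "WS01", "t": "2026-01-12T09:03:02", "eid": 22, "QueryName": "api.telegram.org"},
    # Benign build host: csc.exe launched by the .NET toolchain, then Telegram with no prior stages
    {"host": "WS02", "t": "2026-01-12T10:15:00", "eid": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"host": "WS02", "t": "2026-01-12T10:16:00", "eid": 22, "QueryName": "api.telegram.org"},
]

OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
CLOUD = ("githubusercontent.com", "googleusercontent.com", "drive.google.com")
STAGES = ["office_spawns_csc", "cloud_config_fetch", "telegram_c2"]

def stage_of(ev: dict):
    """Map one event to a stage of the chain described in the article, or None if it matches none."""
    if ev["eid"] == 1 and ev["Image"].lower().endswith("\\csc.exe") \
            and ev["ParentImage"].lower().endswith(OFFICE):
        return STAGES[0]
    if ev["eid"] == 22:
        q = ev["QueryName"].lower()
        if q.endswith(CLOUD):
            return STAGES[1]
        if q == "api.telegram.org":
            return STAGES[2]
    return None

def correlate(events: list, window_minutes: int = 15) -> list:
    """Per host, raise one alert when all stages occur in order inside the window; isolated stages never fire."""
    alerts, state = [], {}
    for ev in sorted(events, key=lambda e: e["t"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        st = state.setdefault(ev["host"], {"idx": 0, "start": None})
        ts = datetime.fromisoformat(ev["t"])
        if st["start"] and ts - st["start"] > timedelta(minutes=window_minutes):
            st.update(idx=0, start=None)           # window expired: start the chain over
        if stage == STAGES[st["idx"]]:
            st["start"] = st["start"] or ts
            st["idx"] += 1
            if st["idx"] == len(STAGES):
                alerts.append({"host": ev["host"], "first_seen": st["start"].isoformat(), "last_seen": ev["t"]})
                st.update(idx=0, start=None)
    return alerts
```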

Group Policy Hardening (Windows)

# Block macros in Office files downloaded from the internet (Mark-of-the-Web), Excel 2016/365 policy key
New-Item -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security" -Name "blockcontentexecutionfrominternet" -Value 1 -Type DWord
# Or disable all macros without notification (VBAWarnings = 4)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value 4 -Type DWord

# Restrict csc.exe execution to approved paths via AppLocker: generate an allow rule for the trusted
# compiler directory, review the XML, then merge it into the local policy (AppLocker is an allow-list,
# so keep the default rules or anything not covered will be blocked once enforcement is on)
Get-AppLockerFileInformation -Directory "$env:ProgramFiles\dotnet\" -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -Xml |
    Out-File -FilePath .\csc-allow.xml
Set-AppLockerPolicy -XmlPolicy .\csc-allow.xml -Merge

# Block the Telegram API address range on the Windows host firewall (mirror the rule at the perimeter firewall)
New-NetFirewallRule -DisplayName "Block Telegram" -Direction Outbound -RemoteAddress "149.154.167.0/24" -Action Block

Cloud Security Posture Management

  • Configure Google Workspace or Microsoft 365 to alert on sharing of image files from non‑corporate accounts.
  • Use cloud access security brokers (CASBs) to scan files in transit for steganographic anomalies (though LSB is difficult to detect automatically).

4. Advanced Steganalysis with AI and Machine Learning

Recent research demonstrates that supervised and unsupervised ML models can detect LSB modifications with high accuracy when trained on statistical differences between clean and stego‑images. For defenders, tools like StegX (AES‑256‑GCM encryption + non‑linear LSB) and differential privacy enhancements are being developed to both hide and detect hidden data.

Practical ML detection approach:

# Conceptual feature extraction for LSB steganalysis
import numpy as np
from PIL import Image

def extract_lsb_features(image_path):
    img = Image.open(image_path).convert('L')  # grayscale
    pixels = np.array(img).flatten()
    # Count how many pixels have LSB 0 and LSB 1 (parentheses matter: == binds tighter than &)
    lsb_hist = np.array([np.sum((pixels & 1) == i) for i in range(2)])
    # Chi-square statistic against a uniform 50/50 LSB split
    expected = len(pixels) / 2
    chi_square = np.sum((lsb_hist - expected) ** 2 / expected)
    return chi_square  # low values indicate possible LSB embedding
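As an added example that is not the article's code, the block below covers both the core technique from section 1 (LSB extraction followed by Base64 decoding and XOR decryption) and the chi-square feature just shown, on a constructed 8-bit carrier with no image library needed. The bit layout, XOR key and placeholder config are assumptions, not OilRig's custom scheme; the demo recovers the hidden config and shows that embedding lowers the chi-square statistic, as the comment in the snippet above states.

```python
import base64

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def lsb_embed(pixels: list, payload: bytes) -> list:
    """Copy of pixels with payload in the LSBs, one bit per 8-bit sample, MSB of each byte first
    (a constructed layout for this sample, not OilRig's real ordering)."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the carrier")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def lsb_extract(pixels: list, n_bytes: int) -> bytes:
    """Read the first n_bytes*8 LSBs back into bytes (same layout as lsb_embed)."""
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[i * 8 + k] & 1)
        out.append(byte)
    return bytes(out)

def recover_config(pixels: list, n_bytes: int, key: bytes) -> str:
    """LSB extract -> Base64 decode -> XOR decrypt, the layering the article describes."""
    return xor_bytes(base64.b64decode(lsb_extract(pixels, n_bytes)), key).decode()

def lsb_chi_square(pixels: list) -> float:
    """Chi-square of the LSB 0/1 counts against a 50/50 split; lower means more random-looking LSBs."""
    ones = sum(p & 1 for p in pixels)
    zeros = len(pixels) - ones
    expected = len(pixels) / 2
    return ((zeros - expected) ** 2 + (ones - expected) ** 2) / expected

# Constructed carrier: a smooth 8-bit ramp whose samples are all even, so every LSB is 0
CLEAN = [((i // 4) % 128) * 2 for i in range(1024)]
KEY = b"k3y!"                                                     # constructed XOR key
CONFIG = '{"bot":"<BOT-TOKEN-PLACEHOLDER>","chat":"<CHAT-ID>"}'   # placeholder C2 config

def demo() -> dict:
    """Hide CONFIG in CLEAN, recover it, and compare the chi-square of the clean and stego carriers."""
    payload = base64.b64encode(xor_bytes(CONFIG.encode(), KEY))
    stego = lsb_embed(CLEAN, payload)
    return {"recovered": recover_config(stego, len(payload), KEY),
            "chi_clean": lsb_chi_square(CLEAN), "chi_stego": lsb_chi_square(stego)}
```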

What Undercode Say:

  • Cloud trust is now an attack surface. Attackers abuse Google Drive and GitHub precisely because security tools rarely flag traffic to these legitimate domains. Organisations must apply the same scrutiny to cloud storage as they do to unknown websites.
  • Fileless execution requires behavioural detections, not signature updates. The OilRig campaign uses memory‑only payloads and legitimate Windows binaries (csc.exe, AppVStreamingUX.exe). Effective defence requires EDR rules that detect anomalous process relationships and parent‑child behaviours.
  • Steganography is no longer an exotic tradecraft. OilRig’s use of LSB in Google Drive images signals that hiding data in plain sight is now a mainstream APT technique. Security teams must integrate steganalysis tools into incident response workflows and consider network‑level anomalies (e.g., image downloads followed by Telegram traffic) as suspicious.

Prediction

This campaign marks the first documented use of LSB steganography inside cloud‑hosted images for C2 configuration delivery. Expect rapid adoption by other APT groups and cybercriminal gangs. Future variants will likely embed full malware payloads inside video files, audio streams, or even document metadata stored on OneDrive, Dropbox, and Box. Defenders will need to move beyond simple hash‑based blocking toward behaviour‑driven detection that correlates seemingly innocuous events—an Excel macro, a `csc.exe` compilation, an image download, and a Telegram API call—into a coherent attack chain.

Reported By: Mayura Kathiresh – Hackers Feeds