An Iranian state-sponsored hacking group known as OilRig, also identified as APT34 and Helix Kitten, has recently been discovered utilizing images stored on Google Drive to conceal its command-and-control (C2) server configurations. This sophisticated method employs LSB (Least Significant Bit) steganography to embed encrypted data within a PNG file, making detection by standard security tools exceptionally challenging.
Background on OilRig’s Cyber Activities
OilRig, active since 2016, is widely believed to be linked to Iranian intelligence. This cyberespionage group has a history of targeting various organizations across the Middle East, the United States, Europe, and parts of Asia. Their primary focus includes government bodies, financial institutions, energy companies, telecom firms, and chemical enterprises. The main objective of these attacks is to exfiltrate sensitive political, military, and geostrategic information from high-value entities.
Unveiling the Steganographic Technique
Researchers at the 360 Advanced Threat Research Institute uncovered multiple attack samples attributed to OilRig during routine threat hunting. Their analysis revealed an attack chain that combines phishing, abuse of legitimate cloud services, and image steganography to run a multi-stage espionage campaign. OilRig crafted phishing documents themed around Iran’s social protests to lure victims into inadvertently starting the infection.
The attack commenced with a malicious Excel file, titled “Final List_Tehran.xlsm,” designed to appear legitimate and linked to real-world events. It referenced January 1404 in the Iranian calendar, aligning with December 2025 to January 2026, enhancing its credibility. Once victims enabled macros within this document, the infection chain activated stealthily.
Advanced Attack Chain Analysis
OilRig’s attack strategy seamlessly integrated platforms such as GitHub, Google Drive, and Telegram for payload delivery and ongoing command execution. By leveraging widely trusted platforms, they significantly reduced the likelihood of their activities being flagged as suspicious by security systems.
The infection mechanism was built to avoid triggering security alerts at each phase. Upon macro activation, the embedded VBA code decoded C# source code stored in the document’s CustomXMLParts section. Using csc.exe, the C# compiler that ships with the .NET Framework on Windows, it compiled a malicious loader, AppVStreamingUX_Multi_User.dll, directly on the victim’s system, so no pre-built binary had to pass through email or web filters.
This loader connected to a GitHub repository, downloading a text file “tamiManager.txt,” which, after Base64 decoding, revealed a Google Drive link to an image named “MIO9.png.” Despite appearing normal, this image concealed encrypted C2 configuration data within its least significant bits.
Employing a custom LSB extraction algorithm together with Base64 and XOR decoding, the loader recovered the C2 configuration, including a Telegram Bot token, a chat ID, and five module download addresses. These modules provided persistence, file manipulation, command execution, and application launch, and ran entirely in memory to avoid leaving detectable footprints on disk.
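For analysts who need to pull such a configuration out of a captured image, the following is an added, illustrative config extractor; it is not the loader’s code, and the exact bit layout, header and key used by OilRig are not published in the report, so the layout below (4-byte length header, one bit per channel byte, Base64 then single-byte XOR) and the key value are assumptions, with the key taken from wherever the analyst recovered it in the loader. The sample image is constructed random noise, not MIO9.png.

```python
import base64
import random

# Assumed layout, not taken from the report (which only says "custom LSB
# extraction with Base64 and XOR"): the hidden stream is a 4-byte big-endian
# length followed by base64(config) XORed with a single-byte key, written one
# bit into the LSB of each colour-channel byte in row-major pixel order.

def lsb_extract(pixels: bytes) -> bytes:
    """Rebuild the hidden byte stream from the LSB plane of a raw RGB buffer."""
    bits = (value & 1 for value in pixels)

    def take(n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | next(bits)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(take(4), "big")
    if length > (len(pixels) - 32) // 8:
        raise ValueError("length header exceeds LSB capacity; wrong layout or no payload")
    return take(length)

def decode_config(hidden: bytes, key: int) -> str:
    """Undo the single-byte XOR, then Base64; validate=True rejects a wrong key."""
    return base64.b64decode(bytes(b ^ key for b in hidden), validate=True).decode()

def recover_c2_config(pixels: bytes, key: int) -> str:
    return decode_config(lsb_extract(pixels), key)

# Constructed sample image (random RGB noise, not the real MIO9.png) with a
# placeholder config hidden the same way, so the extractor can be exercised offline.
def make_sample(config: str, key: int, width: int = 64, height: int = 64) -> bytes:
    rng = random.Random(1)
    pixels = bytearray(rng.randrange(256) for _ in range(width * height * 3))
    payload = bytes(b ^ key for b in base64.b64encode(config.encode()))
    stream = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> s) & 1 for byte in stream for s in range(7, -1, -1)]
    for i, bit in enumerate(bits):
        pixels[i] = (pixels[i] & 0xFE) | bit
    return bytes(pixels)

SAMPLE_CONFIG = '{"bot_token": "<placeholder>", "chat_id": "<placeholder>", "modules": 5}'
SAMPLE_KEY = 0x5A  # assumed; a real key comes from reversing the loader

if __name__ == "__main__":
    print(recover_c2_config(make_sample(SAMPLE_CONFIG, SAMPLE_KEY), SAMPLE_KEY))
```

The pixel buffer is whatever a PNG decoder returns as raw 8-bit RGB bytes; a wrong key or an image without a payload fails the Base64 validation or the capacity check instead of returning garbage.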
Recommendations for Enhancing Security
To mitigate such threats, security teams should disable macro execution in Office files from untrusted sources and establish network monitoring rules to detect unusual outbound traffic to GitHub or Google Drive. Organizations are also advised to deploy endpoint detection solutions capable of identifying in-memory DLL loading, DLL side-loading, and process injection activities. These measures are crucial to counteract the sophisticated techniques employed in this campaign.