Data Obfuscation: Steganography

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

ID: T1001.002
Sub-technique of:  T1001
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 15 March 2020
Last Modified: 15 March 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used steganography to hide C2 communications in images.[1]

G0001 Axiom

Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.[2]

S0187 Daserf

Daserf can use steganography to hide malicious code downloaded to the victim.[3]

S0038 Duqu

When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.[4]


HAMMERTOSS is controlled via commands that are appended to image files.[5]

S0395 LightNeuron

LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[6]

S0495 RDAT

RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.[7]

S0633 Sliver

Sliver can encode binary data into a .PNG file for C2 communication.[8]


SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[9][10][11]

S0230 ZeroT

ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.[12][13]


ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.


ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[14]