This Is How Black Hat Hackers Hide Malicious Code in Images

The technique of hiding malicious code in images is not new. Cybercriminals can modify files to hide scripts and code in email attachments, PDFs, Excel files, PNGs, JPGs, and even in the body of an email.

However, black hat hackers are always making advancements, customizing their attacks, and embedding even more dangerous tools inside images.

Keylogger, 0bj3ctivityStealer, and Lumma Stealer are three of the most widespread malware families in the wild, and malicious code inside images is fast becoming a distribution path for each of them.

With assistance from the HP Wolf Security Threat Insights Report, Techopedia dives into the technical steps used by black hat hackers to develop malicious images and the risks they pose.

A picture may be worth a thousand words, but there may be problems hiding in the pixels.

Key Takeaways

  • Cybercriminals increasingly use images with hidden malicious code to evade detection and deliver malware, using tools like steganography and custom scripts.
  • Techniques such as embedding malicious code in an image’s metadata or altering bits of its pixels with Least Significant Bits (LSB) tools are widely accessible and simple to use, driving this trend.
  • HP Wolf Security’s report highlights the use of malicious images in phishing campaigns, GitHub repositories, and legitimate websites like the Internet Archive.
  • Hidden code can cause severe breaches by deploying spyware, stealers, and malware, impacting personal, corporate, and governmental security.

How Hackers Hide Malicious Code in Images

But how exactly do black hat hackers hide code in images? The exact steps vary with the threat campaign being developed, but most attackers go through the following process to hide their threat code in an image:

1. Selecting The Right Image

A key step for black hat hackers is choosing the right image for the job. The image must not only look innocuous (e.g., a JPEG or PNG file) but also be selected and tailored specifically for the type of cyberattack that threat actors have in mind.

For example, if a threat campaign plans to send phishing emails, the images selected match those usually sent via email. On the other hand, if attackers are building a phishing website, the image might be a header or a downloadable asset.

But there is no general rule, and black hats get creative. For example, as shown in the image below, HP Wolf Security found PowerShell code hidden in an image that triggered the download of another malicious image hosted on the Internet Archive (see the first line of the code below).

This example demonstrates hackers’ many possibilities and combinations when using this technique.

[Image: a snippet of PowerShell code showing web client usage and Base64 string processing for potentially malicious commands.] Malicious code smuggled inside an image can trigger downloads of more scripts. Source: HP Wolf

There is a rise in malicious images hosted on legitimate websites like The Internet Archive and GitHub.

Techopedia has previously explored how cybercriminals have targeted The Internet Archive and how hackers use fake GitHub repositories to host their wares.

2. The Right Steganography Tool

Steganography tools are simple and lightweight software applications that allow users to embed hidden data within files like images, audio, or text. They are designed to conceal data effectively without raising suspicion.

Using specialized steganography tools, hackers embed malicious code into the image. These tools allow data to be hidden within the image’s pixel structure without visibly altering its appearance.

Hackers can find open-source steganography tools on GitHub or other development platforms. A skilled hacker can also write a tool from scratch in C++, Java, or another programming language, or use generative AI to produce one.

3. Encoding Techniques: Metadata vs. Least Significant Bits

Hackers can use different techniques to hide data in images. Malicious code can be hidden in the image file’s metadata or through another method known as Least Significant Bits (LSB). These are the two most popular methods, with LSB being the more sophisticated.

LSB tools overwrite the lowest-order bit of each pixel's colour values with the bits of the payload. Because the least significant bit contributes almost nothing to the displayed colour, the embedded code stays hidden and the image does not look modified to the victim.

In both techniques, black hats strive for the image to be maliciously functional while visually identical to its original form.
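A defender-side check for the metadata variant described above, written as an added example that is not from the Techopedia article or the HP Wolf report: it walks the PNG chunk structure, inflates compressed zTXt entries, and flags text chunks (and, going slightly beyond the article, any bytes appended after the IEND chunk) that contain script-like markers. The marker list and the sample images are constructed for illustration only.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Illustrative markers that have no business in an image's metadata (constructed list).
SUSPICIOUS = re.compile(
    rb"(powershell|Invoke-Expression|IEX|FromBase64String|DownloadString|"
    rb"<script|cmd\.exe|[A-Za-z0-9+/]{80,}={0,2})", re.IGNORECASE)

def png_chunks(data):
    """Yield (chunk type, payload) for every chunk, plus any bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            break
    if pos < len(data):
        yield b"TRAILER", data[pos:]  # data appended after the image ends

def scan_png_metadata(data):
    """Return [(chunk type, matched marker)] for text chunks or trailers that look like code."""
    findings = []
    for ctype, payload in png_chunks(data):
        if ctype == b"zTXt":  # layout: keyword\0 method-byte zlib(text)
            key, _, rest = payload.partition(b"\x00")
            payload = key + b"\x00" + zlib.decompress(rest[1:])
        if ctype in TEXT_CHUNKS or ctype == b"TRAILER":
            match = SUSPICIOUS.search(payload)
            if match:
                findings.append((ctype.decode(), match.group(0)[:40].decode("ascii", "replace")))
    return findings

def make_png(text_chunks=()):
    """Build a 1x1 grey PNG (constructed sample) carrying the given tEXt key/value pairs."""
    def chunk(ctype, payload):
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    png = PNG_SIG + chunk(b"IHDR", ihdr)
    for key, value in text_chunks:
        png += chunk(b"tEXt", key + b"\x00" + value)
    png += chunk(b"IDAT", zlib.compress(b"\x00\x80"))  # filter byte + one pixel
    return png + chunk(b"IEND", b"")
```

Pixel-level (LSB) embedding is not visible to this check; that variant needs statistical analysis of the decoded pixel data rather than the container.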

4. Connecting the Image to the Attackers’ Infrastructure

The end goal for cybercriminals is, of course, installing stealers and spyware on PC environments.

The malware identified in these campaigns includes VPN Keylogger, 0bj3ctivityStealer, and Lumma Stealer. But the malware is not fully integrated into the images: instead, the images usually act as the initial stage of an attack, unpacking and executing the malware. Images might also be coded to force the download of more malware resources or to run malicious scripts.

These modified images can redirect users to phishing websites and trigger fake notifications.

In one notable campaign identified in the HP Wolf Security report, an image is coded to exploit a known vulnerability, CVE-2017-11882 in Microsoft Office's Equation Editor, where Microsoft Office can fail to properly handle objects in memory, allowing attackers to run arbitrary code.

Black hat hackers will test the coded images to ensure they act as expected, look legitimate, and connect efficiently to the attackers’ infrastructure.

Techopedia ran a scan on VirusTotal for one of many fake sites identified in the HP Wolf Security report and found that only 20 of 92 security vendors flagged the site as hosting the dangerous Lumma Stealer.

[Image: screenshot showing a domain flagged as malicious by security vendors, with a low community score and threat analysis details.] Techopedia's investigation into whether security vendors flagged fake sites as threats. Source: Screenshot/Techopedia

5. Distribution of Malicious Images

HP Wolf Security’s findings coincide with the trends Techopedia has been following for the past months. These include hosting malware on legitimate sites like GitHub repositories, phishing emails or social media campaigns, and fake download websites, which are the leading techniques used to distribute malware.

As shown in the image below, one black hat hacker built a malicious GitHub repository that impersonates spoofer software to distribute the Lumma Stealer.

Spoofer software is popular among gamers and is used to conceal serial numbers and physical addresses to bypass security controls. Similarly, fake software downloads and software cracks are typical lures.

[Image: screenshot of a GitHub README for "Temp-Spoofer-LifeTime" explaining the software's function and a usage disclaimer.] Spoofer software is popular for bypassing security controls, but it can come with malicious code. Source: Screenshot / Techopedia

What Types of Tools Do Black Hat Hackers Use to Hide Code in Images?

Based on the HP Wolf Security Threat Insights Report, it is unlikely that libraries like Pillow (a Python library for processing images) or pyexiv2 were explicitly used by the attackers in their campaign. These libraries are common in the ethical hacking community but are general-purpose image and metadata libraries, not tools built for malicious activity.

Based on the techniques mentioned in the report, the following tools were more likely used in the campaign:

  • Steghide: A well-known tool for embedding hidden data in image files.
  • OpenStego: Another popular open-source steganography tool that conceals data in images or other file types.
  • Custom scripts: Attackers often write their own steganography scripts in Python, C++, or other languages.
  • Generative AI: Hackers can also use generative AI to develop malicious code for HTML Smuggling.

As shown in the image below, OPSWAT identified concealed code in an image used in an HTML Smuggling attack in April 2024.

While HTML Smuggling and hidden code in images are not considered the same technique, the two share common ground in their tooling, delivery methods, and objectives.

[Image: a computer screen displaying HTML code with a base64-encoded image source, commonly used for embedding images in web pages.] Smuggling code within HTML is another way to get malicious code onto an unsuspecting client. Source: OPSWAT

How Dangerous Can Malicious Images Be?

When a victim downloads, opens, or runs an infected image (or the file that carries it), the hidden code triggers a chain of events that, if successful, culminates in the breach of the victim's digital environment.

Once a stealer is installed on a device, it targets system information, browser cookies, tokens, credentials, and passwords. It will also often try to access your e-wallets and finance and banking accounts.

Alternatively, if the image is coded to load spyware, the breached device connects to an attacker-controlled C2 server and sends whatever information the hacker wants to access.

This can include but is not limited to screen grabs and screen recordings, live or recorded audio, phone calls, live video, meetings, sensitive data, folders and files, keystroke recordings, and more.

Stealers and spyware malware have also become very good at avoiding detection. This means victims might not realize anything is wrong with their computer until it’s too late and the damage is done.

The Bottom Line

Malicious code hidden in images should be considered extremely dangerous because it can breach systems and damage individuals, companies, governments, and organizations.

Using images to conceal malicious code has become a trend that deserves attention. This technique is stealthy and effective and increases attack success rates.

The images are usually used as triggers to connect a device to the attackers' infrastructure or to load malware. The technique is on the rise because the tools are widespread and accessible and can be customized to exploit very specific vulnerabilities.

From phishing emails to fake sites to malicious repositories, we expect black hat hackers to continue developing and using threat images to launch their cyberattacks.

Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.
