{"id":381043,"date":"2025-02-04T15:47:56","date_gmt":"2025-02-04T15:47:56","guid":{"rendered":"https:\/\/www.techopedia.com\/?p=381043"},"modified":"2025-02-04T15:47:56","modified_gmt":"2025-02-04T15:47:56","slug":"how-black-hat-hackers-hide-malicious-code-in-images","status":"publish","type":"post","link":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images","title":{"rendered":"This Is How Black Hat Hackers Hide Malicious Code in Images"},"content":{"rendered":"<p>The technique of hiding <a href=\"https:\/\/www.techopedia.com\/definition\/4015\/malicious-software-malware\">malicious code<\/a> in images is not new. <a href=\"https:\/\/www.techopedia.com\/definition\/27435\/cybercriminal\">Cybercriminals<\/a> can modify files to hide scripts and code in email attachments, PDFs, Excel files, PNGs, JPGs, and even in the body of an email.<\/p>\n<p>However, black hat hackers are always making advancements, customizing their attacks, and embedding even more dangerous tools inside images.<\/p>\n<p><strong>Keylogger<\/strong>, <strong>0bj3ctivityStealer<\/strong>, and <strong>Lumma Stealer<\/strong> are three of the most common scamming tools in the wild, and malicious code inside images is fast becoming a distribution path for each.<\/p>\n<p>With assistance from the <a href=\"https:\/\/threatresearch.ext.hp.com\/wp-content\/uploads\/2025\/01\/HP_Wolf_Security_Threat_Insights_Report_January_2025.pdf\" target=\"_blank\">HP Wolf Security Threat Insights Report<\/a>, Techopedia dives into the technical steps used by black hat hackers to develop malicious images and the risks they pose.<\/p>\n<p>A picture may be worth a thousand words, but there may be problems hiding in the pixels.<\/p>\n<div class=\"su-note\"  style=\"border-color:#e5e54c;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#FFFF66;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\">\n<h2><span id=\"key_takeaways\">Key Takeaways<\/span><\/h2>\n<ul>\n<li>Cybercriminals increasingly use images with hidden malicious code to evade detection and deliver malware, using tools like steganography and custom scripts.<\/li>\n<li>Techniques such as embedding malicious code in an image&#8217;s metadata or altering bits of its pixels with Least Significant Bits (LSB) tools are widely accessible and simple to use, driving this trend.<\/li>\n<li>HP Wolf Security&#8217;s report highlights the use of malicious images in phishing campaigns, GitHub repositories, and legitimate websites like the Internet Archive.<\/li>\n<li>Hidden code can cause severe breaches by deploying spyware, stealers, and malware, impacting personal, corporate, and governmental security.<\/li>\n<\/ul>\n<\/div><\/div>\n<div>\n    <section class=\"toc-sticky w-100 bg-white \">\n        <div class=\"toc-sticky__container container\">\n            <div class=\"toc-sticky__open d-flex align-items-end\" data-bs-toggle=\"collapse\"\n                 aria-controls=\"multiCollapse1\"\n                 data-bs-target=\"#multiCollapse1\">\n                <button\n                        class=\"btn btn-primary collapse-action-btn p-1 rounded-circle\"\n                        type=\"button\"\n                >\n                    <i class=\"icon-chevron-up\"><\/i>\n                <\/button>\n                <span id=\"toc-current-title\" class=\"d-flex align-items-center\">\n                    Table of Contents\n                <\/span>\n                <span class=\"toc-main-title-permanent\">Table of Contents<\/span>\n            <\/div>\n            <div\n                    class=\"collapse my-3\"\n                    id=\"multiCollapse1\"\n            >\n                <ol class=\"StepProgress\">\n                                                                        <li class=\"StepProgress-item current\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"key_takeaways\"\n                               onclick=handleScrollToTitle(\"key_takeaways\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">Key Takeaways<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"how_hackers_hide_malicious_code_in_images\"\n                               onclick=handleScrollToTitle(\"how_hackers_hide_malicious_code_in_images\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">How Hackers Hide Malicious Code in Images<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"what_types_of_tools_do_black_hat_hackers_use_to_hide_code_in_images\"\n                               onclick=handleScrollToTitle(\"what_types_of_tools_do_black_hat_hackers_use_to_hide_code_in_images\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">What Types of Tools Do Black Hat Hackers Use to Hide Code in Images?<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"how_dangerous_can_malicious_images_be\"\n                               onclick=handleScrollToTitle(\"how_dangerous_can_malicious_images_be\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">How Dangerous Can Malicious Images Be?<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"the_bottom_line\"\n                               onclick=handleScrollToTitle(\"the_bottom_line\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">The Bottom Line<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"faqs\"\n                               onclick=handleScrollToTitle(\"faqs\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">FAQs<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"references\"\n                               onclick=handleScrollToTitle(\"references\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">References<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                    <\/ol>\n                <div class=\"toc-sticky__container__disperse\"><\/div>\n                <div class=\"toc-sticky__btn-top justify-content-center\">\n                    <button class=\"btn btn-link d-flex align-items-center\" onclick={btnTop()}><p>Show Full Guide<\/p><img decoding=\"async\"\n                                src=\"\/wp-content\/plugins\/table-of-contents\/assets\/images\/arrow-up-circle.svg\"\n                                alt=\"arrow-up-circle\">\n                    <\/button>\n                <\/div>\n            <\/div>\n        <\/div>\n    <\/section>\n    <div class=\"toc-sticky-list\">\n        <div class=\"toc-sticky__container container\">\n            <div class=\"toc-sticky__open d-flex align-items-end\" data-bs-toggle=\"collapse\" aria-controls=\"multiCollapse2\" data-bs-target=\"#multiCollapse2\">\n                <button class=\"btn btn-primary collapse-action-btn p-1 rounded-circle\"\n                        type=\"button\">\n                    <i class=\"icon-chevron-up up\"><\/i>\n                <\/button>\n                <span id=\"toc-current-title\" class=\"d-flex align-items-center\">\n                    Table of Contents\n                <\/span>\n            <\/div>\n            <div  class=\"collapse my-3\" id=\"multiCollapse2\">\n                <ol class=\"StepProgress\">\n                    \t\t\t\t\t \t\t\t\t\t                                                     <li class=\"StepProgress-item current \">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"key_takeaways\"\n                                   onclick=handleScrollToTitle(\"key_takeaways\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">Key Takeaways<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t                                                     <li class=\"StepProgress-item \">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"how_hackers_hide_malicious_code_in_images\"\n                                   onclick=handleScrollToTitle(\"how_hackers_hide_malicious_code_in_images\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">How Hackers Hide Malicious Code in Images<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t                                                     <li class=\"StepProgress-item \">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"what_types_of_tools_do_black_hat_hackers_use_to_hide_code_in_images\"\n                                   onclick=handleScrollToTitle(\"what_types_of_tools_do_black_hat_hackers_use_to_hide_code_in_images\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">What Types of Tools Do Black Hat Hackers Use to Hide Code in Images?<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t\n\t\t\t\t\t\t <span class=\"show_moretoc\">Show Full Guide<\/span>\n\t\t\t\t\t\t \t\t\t\t\t \t\t\t\t\t\t  \t\t\t\t\t                                                      <li class=\"StepProgress-item ms_hidetoc\">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"how_dangerous_can_malicious_images_be\"\n                                   onclick=handleScrollToTitle(\"how_dangerous_can_malicious_images_be\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">How Dangerous Can Malicious Images Be?<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t \t\t\t\t\t\t  \t\t\t\t\t                                                      <li class=\"StepProgress-item ms_hidetoc\">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"the_bottom_line\"\n                                   onclick=handleScrollToTitle(\"the_bottom_line\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">The Bottom Line<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t \t\t\t\t\t\t  \t\t\t\t\t                                                      <li class=\"StepProgress-item ms_hidetoc\">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"faqs\"\n                                   onclick=handleScrollToTitle(\"faqs\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">FAQs<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t \t\t\t\t\t\t  \t\t\t\t\t                                                      <li class=\"StepProgress-item ms_hidetoc\">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"references\"\n                                   onclick=handleScrollToTitle(\"references\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">References<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                                    <\/ol>\n            <\/div>\n            <div class=\"toc-sticky__container__disperse\"><\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n<script id=\"toc-js\">\n    window.addEventListener(\"DOMContentLoaded\", () => {\n        const header = document.querySelector(\".header_wrapper\");\n\n        const pageLegend = document.querySelector('#multiCollapse1');\n        const pageLegendList = document.querySelector('#multiCollapse2');\n        const pageLegendCollapse = new bootstrap.Collapse(pageLegend, {toggle: document.querySelector(\".toc-sticky\").classList.contains('sticky')});\n\n        \/**\n         * Changing current title\n         *\/\n        (function (pageLegend) {\n            const titleNodes = pageLegend.querySelectorAll('.StepProgress-item__link');\n\n            if (!titleNodes.length) return;\n\n            const titles = [...titleNodes].map((itm, i) => ({\n                id: itm.getAttribute('data-id'),\n                text: itm.textContent,\n                level: itm.getAttribute('data-level'),\n                linkNode: itm,\n                titleNode: document.getElementById(itm.getAttribute('data-id')),\n                index: i,\n            }));\n\n            \/**\n             * Source: https:\/\/www.sitepoint.com\/throttle-scroll-events\/\n             * @param {Function} fn\n             * @param {number} wait\n             * @returns {(function(): void)|*}\n             *\/\n            const throttle = (fn, wait) => {\n                let time = Date.now();\n                return function () {\n                    if ((time + wait - Date.now()) < 0) {\n                        fn();\n                        time = Date.now();\n                    }\n                }\n            }\n\n            const changeCurrentTitle = () => {\n                const documentScrollTop = window.pageYOffset || document.documentElement.scrollTop || document.body.scrollTop || 0;\n                let current = 0;\n\n                \/\/ Title\n                titles.forEach((itm, i) => {\n\t\t\t\t\/\/console.log(itm)\n                    const itmOffsetTop = itm.titleNode ? itm.titleNode.offsetTop - 100 : 0;\n\n                    if (documentScrollTop >= itmOffsetTop) {\n                        document.getElementById('toc-current-title').innerHTML = itm.text;\n                        document.getElementById('toc-current-title').setAttribute('data-current-id', itm.id);\n                        document.getElementById('toc-current-title').setAttribute('data-current-level', itm.level);\n                        current = i;\n                    }\n                })\n\n                \/\/ close all list and open sub list if needed\n                if (document.querySelector(\".toc-sticky\").classList.contains('sticky')) {\n                    document.querySelectorAll('.subList-in-progress').forEach((el) => {\n                        el.children[1].classList.remove('show');\n                        el.getElementsByClassName('icon-chevron-down')[0].classList.remove('up');\n                    });\n                    const currentEl = titles[current];\n                    currentEl.linkNode.classList.add('show');\n                }\n\n                titles.forEach((itm, i) => {\n                    itm.linkNode.parentNode.parentNode.classList.remove('current', 'is-done');\n                    if (current > i) {\n                        itm.linkNode.parentNode.parentNode.classList.add('is-done')\n                    };\n                    if (current === i) {\n                      itm.linkNode.parentNode.parentNode.classList.add('current');\n                    };\n                })\n\n            }\n\n            changeCurrentTitle();\n\n            document.addEventListener('scroll', throttle(changeCurrentTitle, 50));\n        })(pageLegend);\n\n\n        \/**\n         *  Collapse\n         *\/\n        (function (pageLegend, header) {\n            const icon = pageLegend.parentNode.querySelector(\".collapse-action-btn i\");\n\n            const collapseToggle = (status) => (e) => {\n                if (!e.target.isEqualNode(pageLegend)) return;\n\n                icon.classList.toggle(\"up\");\n\n                const containerHeight = pageLegend.getBoundingClientRect().height;\n\n                const showSubtitleContent = () => {\n                    const currentId = document.getElementById('toc-current-title').getAttribute('data-current-id');\n                    const currentLevel = document.getElementById('toc-current-title').getAttribute('data-current-level');\n                    const currentSubTitle = currentLevel == 3 ? document.querySelector(`a[data-id=\"${currentId}\"]`).parentNode.parentNode.parentNode : false;\n\n                    if (!currentSubTitle) return;\n                    new bootstrap.Collapse(currentSubTitle, {toggle: false}).show();\n                }\n\n                showSubtitleContent();\n                if (status === 'shown' && document.querySelector(\".toc-sticky\").classList.contains('sticky') ) {\n                    document.querySelector('html').classList.remove('overflow-hidden');\n                    pageLegend.classList.add('overflow-auto');\n                    pageLegend.style.height = `calc(100vh - ${header.getBoundingClientRect().height + document.querySelector('.toc-sticky__open').getBoundingClientRect().height + 16}px)`;\n                } else if (status === 'hide') {\n                    document.querySelector('html').classList.remove('overflow-hidden');\n                    pageLegend.classList.remove('overflow-auto');\n                    pageLegend.style.height = 'auto';\n                }\n            }\n\n            pageLegend.addEventListener('shown.bs.collapse', collapseToggle('shown'));\n            pageLegend.addEventListener('hide.bs.collapse', collapseToggle('hide'));\n        })(pageLegend, header);\n\n        \/**\n         * Collapse sub-titles\n         *\/\n        (function (pageLegend) {\n            const collapseEls = pageLegend.querySelectorAll('.collapse');\n\n            collapseEls.forEach(function (el) {\n\n                const toggleArrowDirection = function (e) {\n                    if (!e.target.isEqualNode(el)) return;\n\n                    const id = this.getAttribute('id');\n                    document.querySelector(`.collapse-action-btn[data-bs-target=\"#${id}\"] .icon-chevron-down`).classList.toggle('up');\n                }\n                el.addEventListener('shown.bs.collapse', toggleArrowDirection);\n                el.addEventListener('hide.bs.collapse', toggleArrowDirection);\n            })\n        })(pageLegend);\n\n        \/**\n         *  Collapse main title\n         *\/\n        (function (pageLegendList) {\n            const icon = pageLegendList.parentNode.querySelector(\".collapse-action-btn i\");\n\n            const collapseToggle = () => (e) => {\n                if (!e.target.isEqualNode(pageLegendList)) return;\n\n                icon.classList.toggle(\"up\");\n\n            }\n            pageLegendList.addEventListener('shown.bs.collapse', collapseToggle());\n            pageLegendList.addEventListener('hide.bs.collapse', collapseToggle());\n        })(pageLegendList);\n\n        (function (pageLegendList) {\n            const collapseEls = pageLegendList.querySelectorAll('.collapse');\n\n            collapseEls.forEach(function (el) {\n\n                const toggleArrowDirection = function (e) {\n                    if (!e.target.isEqualNode(el)) return;\n\n                    const id = this.getAttribute('id');\n                    document.querySelector(`.toc-sticky-list .collapse-action-btn[data-bs-target=\"#${id}\"] .icon-chevron-down`).classList.toggle('up');\n                }\n                el.addEventListener('shown.bs.collapse', toggleArrowDirection);\n                el.addEventListener('hide.bs.collapse', toggleArrowDirection);\n            })\n        })(pageLegendList);\n\n        \/**\n         * Sticky functionality\n         * Source: https:\/\/stackoverflow.com\/questions\/17893771\/javascript-sticky-div-after-scroll\n         *\/\n        (function (header, pageLegendCollapse) {\n            \/\/ set everything outside the onscroll event (less work per scroll)\n            const target = document.querySelector(\".toc-sticky\");\n            const targetListStatic = document.querySelector(\".toc-sticky-list\");\n\n            if (!target || !header) return;\n\n            const headerHeight = header.getBoundingClientRect().height;\n            const targetHeight = targetListStatic.getBoundingClientRect().height;\n\n            \/\/ -headerHeight so it won't be jumpy\n            const stop = targetListStatic.offsetTop + headerHeight + targetHeight;\n            const docBody =\n                document.documentElement || document.body.parentNode || document.body;\n            const hasOffset = window.pageYOffset !== undefined;\n\n            const applySticky = function () {\n                \/\/ cross-browser compatible scrollTop.\n                const scrollTop = hasOffset ? window.pageYOffset : docBody.scrollTop;\n\n                \/\/ if user scrolls to headerHeight from the top of the target div\n                if (scrollTop >= stop) {\n                    pageLegendCollapse.hide();\n                    \/\/ stick the div\n                    target.classList.add(\"sticky\");\n                    \/\/target.style.marginTop = `${headerHeight}px`;\n                } else {\n                    pageLegendCollapse.show();\n                    \/\/ release the div\n                    target.classList.remove(\"sticky\");\n                    target.style.marginTop = \"\";\n                }\n            }\n\n            applySticky();\n\n            window.addEventListener('scroll', applySticky);\n        })(header, pageLegendCollapse);\n\tjQuery('span.show_moretoc').click(function(){\n\t\tjQuery('span.show_moretoc').hide();\n\t   jQuery('.ms_hidetoc').show();\n\t});\n    });\n\n    \/\/ When the user clicks on the button, scroll to the top of the document\n    function btnTop() {\n        const pageLegend = document.querySelector('#multiCollapse1');\n        document.querySelector('html').classList.remove('overflow-hidden');\n        pageLegend.classList.remove('overflow-auto');\n        pageLegend.style.height = 'auto';\n        window.scrollTo({\n            top: 0,\n            behavior: 'smooth'\n        });\n    }\n\n    const handleScrollToTitle = (id) => {\n        const el = document.getElementById(id);\n        const headerHeightDifference = window.innerWidth < 992 ? -30 : -15;\n        window.scrollTo({\n            top: el.offsetTop - 60 - headerHeightDifference - 10,\n        });\n    }\n<\/script>\n\n<h2><span id=\"how_hackers_hide_malicious_code_in_images\">How Hackers Hide Malicious Code in Images<\/span><\/h2>\n<p>But how exactly do black hat hackers hide code in images? The steps and details of each step will vary slightly depending on the threat campaign being developed.<\/p>\n<p>However, most attackers go through the following process to hide their threat code in an image:<\/p>\n<h3>1. Selecting The Right Image<\/h3>\n<p>A key step for black hat hackers is choosing the right image for the job. The image must not only look innocuous (e.g., a JPEG or PNG file) but also be selected and tailored specifically for the type of <a href=\"https:\/\/www.techopedia.com\/definition\/cyberattack\">cyberattack<\/a> that <a href=\"https:\/\/www.techopedia.com\/definition\/threat-actor\">threat actors<\/a> have in mind.<\/p>\n<p>For example, if a threat campaign plans to send <a href=\"https:\/\/www.techopedia.com\/definition\/4049\/phishing\">phishing<\/a> emails, the images selected match those usually sent via email. On the other hand, if attackers are building a phishing website, the image might be a header or a downloadable asset.<\/p>\n<p>But there is no general rule, and black hats get creative. For example, as shown in the image below, HP Wolf Security found a <a href=\"https:\/\/www.techopedia.com\/definition\/25975\/powershell\">PowerShell<\/a> code hidden in an image that triggered the download of another malicious image hosted in the Internet Archive (see the first line of the code below).<\/p>\n<p>This example demonstrates hackers&#8217; many possibilities and combinations when using this technique.<\/p>\n<figure id=\"attachment_381045\" aria-describedby=\"caption-attachment-381045\" style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts.jpg\" alt=\"A snippet of PowerShell code displaying web client usage and Base64 string processing for potentially malicious commands\" width=\"1200\" height=\"570\" class=\"wp-image-381045\" srcset=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts.jpg 1400w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-300x143.jpg 300w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-1024x486.jpg 1024w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-768x365.jpg 768w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-130x63.jpg 130w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-104x50.jpg 104w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-83x40.jpg 83w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Malicious-code-smuggled-inside-an-image-can-trigger-downloads-of-more-scripts-1200x570.jpg 1200w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption id=\"caption-attachment-381045\" class=\"wp-caption-text\">Malicious code smuggled inside an image can trigger downloads of more scripts. Source: HP Wolf<\/figcaption><\/figure>\n<p>There is a rise in malicious images hosted on legitimate websites like The Internet Archive and GitHub.<\/p>\n<p>Techopedia has previously explored how <a href=\"https:\/\/www.techopedia.com\/the-internet-archive-hack-why-is-digital-library-under-constant-attacks\">cybercriminals have targeted The Internet Archive<\/a> and how hackers use <a href=\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\">fake GitHub repositories<\/a> to host their wares.<\/p>\n<h3>2. The Right Steganography Tool<\/h3>\n<p>Steganography tools are simple and lightweight software applications that allow users to embed hidden data within files like images, audio, or text. They are designed to conceal data effectively without raising suspicion.<\/p>\n<p>Using specialized steganography tools, hackers embed malicious code into the image. These tools allow data to be hidden within the image&#8217;s pixel structure without visibly altering its appearance.<\/p>\n<p>Hackers can find open-source steganography tools on <a href=\"https:\/\/www.techopedia.com\/definition\/github\">GitHub<\/a> or other development platforms. A talented hacker can also code their tool from scratch using <a href=\"https:\/\/www.techopedia.com\/definition\/26184\/c-plus-plus-programming-language\">C++<\/a>, Java, other programming languages, or even <a href=\"https:\/\/www.techopedia.com\/definition\/190\/artificial-intelligence-ai\">artificial intelligence<\/a>.<\/p>\n<h3>3. Encoding Techniques: Metadata vs. Least Significant Bits<\/h3>\n<p>Hackers can use different techniques to hide data in images. Malicious code can be hidden in the image file&#8217;s <a href=\"https:\/\/www.techopedia.com\/definition\/1938\/metadata\">metadata<\/a> or through another method known as <strong>Least Significant Bits<\/strong> (LSB). These are the two most popular methods, with LSB being the more sophisticated.<\/p>\n<p>LSB tools modify the bits of the least essential pixels of an image. By only changing the least significant bits, the integrated code remains completely hidden, and the image does not appear modified to the victim.<\/p>\n<p>In both techniques, black hats strive for the image to be maliciously functional while visually identical to its original form.<\/p>\n<h3>4. Connecting the Image to the Attackers&#8217; Infrastructure<\/h3>\n<p>The end goal for cybercriminals is, of course, installing stealers and <a href=\"https:\/\/www.techopedia.com\/definition\/spyware\">spyware<\/a> on PC environments.<\/p>\n<p>The malware identified in these campaigns include <strong>VPN Keylogger<\/strong>, <strong>0bj3ctivityStealer<\/strong>, and <strong>Lumma Stealer<\/strong>. But malware is not fully integrated into the images: instead the images usually act as an initial stage of an attack, unpacking and executing the malware. Images might also be coded to force the download of more malware resources or run malicious scripts.<\/p>\n<p>These modified images can redirect users to phishing websites and trigger fake notifications.<\/p>\n<p>In one notable campaign, identified in the HP Wolf Security report, an image is coded to exploit a known vulnerability \u2014 the Microsoft Office&#8217;s Equation Editor <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2017-11882\" target=\"_blank\">CVE2017-11882<\/a>, where Microsoft Office can fail to properly handle objects in memory, allowing attackers to run arbitrary scripts.<\/p>\n<p>Black hat hackers will test the coded images to ensure they act as expected, look legitimate, and connect efficiently to the attackers&#8217; infrastructure.<\/p>\n<p>Techopedia ran a scan on VirusTotal for one of many fake sites identified in the HP Wolf Security report and found that only 20 of 92 security vendors flagged the site as hosting the dangerous Lumma Stealer.<\/p>\n<figure id=\"attachment_381046\" aria-describedby=\"caption-attachment-381046\" style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Techopedias-investigation-on-whether-security-vendors-flagged-fake-sites-as-threats.jpg\" alt=\"Screenshot showing a domain flagged as malicious by security vendors, with a low community score and specific threat analysis details.\" width=\"1200\" height=\"624\" class=\"wp-image-381046 size-full\" srcset=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Techopedias-investigation-on-whether-security-vendors-flagged-fake-sites-as-threats.jpg 1200w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Techopedias-investigation-on-whether-security-vendors-flagged-fake-sites-as-threats-300x156.jpg 300w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Techopedias-investigation-on-whether-security-vendors-flagged-fake-sites-as-threats-1024x532.jpg 1024w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Techopedias-investigation-on-whether-security-vendors-flagged-fake-sites-as-threats-768x399.jpg 768w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption id=\"caption-attachment-381046\" class=\"wp-caption-text\">Techopedia&#8217;s investigation on whether security vendors flagged fake sites as threats. Source: Screenshot\/Techopedia<\/figcaption><\/figure>\n<h3>5. Distribution of Malicious Images<\/h3>\n<p>HP Wolf Security&#8217;s findings coincide with the trends Techopedia has been following for the past months. These include hosting malware on legitimate sites like GitHub repositories, phishing emails or social media campaigns, and fake download websites, which are the leading techniques used to distribute malware.<\/p>\n<p>As shown in the image below, one black hat hacker developed a malicious GitHub repository that impersonates a spoofer software to distribute the Lumma Stealer.<\/p>\n<p>Spoofer software is popular among gamers and is used to conceal serial numbers and physical addresses to bypass security controls. Similarly, fake software downloads and software cracks are typical lures.<\/p>\n<figure id=\"attachment_381047\" aria-describedby=\"caption-attachment-381047\" style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Spoofer-software-is-popular-to-bypass-security-controls-\u2014-but-can-come-with-malicious-code.jpg\" alt=\"Screenshot of a GitHub README for &quot;Temp-Spoofer-LifeTime&quot; explaining the software's function and usage disclaimer.\" width=\"1200\" height=\"721\" class=\"wp-image-381047\" srcset=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Spoofer-software-is-popular-to-bypass-security-controls-\u2014-but-can-come-with-malicious-code.jpg 1400w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Spoofer-software-is-popular-to-bypass-security-controls-\u2014-but-can-come-with-malicious-code-300x180.jpg 300w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Spoofer-software-is-popular-to-bypass-security-controls-\u2014-but-can-come-with-malicious-code-1024x615.jpg 1024w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Spoofer-software-is-popular-to-bypass-security-controls-\u2014-but-can-come-with-malicious-code-768x461.jpg 768w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Spoofer-software-is-popular-to-bypass-security-controls-\u2014-but-can-come-with-malicious-code-1200x721.jpg 1200w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption id=\"caption-attachment-381047\" class=\"wp-caption-text\">Spoofer software is popular to bypass security controls \u2014 but can come with malicious code. Source: Screenshot \/ Techopedia<\/figcaption><\/figure>\n<h2><span id=\"what_types_of_tools_do_black_hat_hackers_use_to_hide_code_in_images\">What Types of Tools Do Black Hat Hackers Use to Hide Code in Images?<\/span><\/h2>\n<p>Based on the HP Wolf Security Threat Insights Report, it is unlikely that tools like <a href=\"https:\/\/github.com\/python-pillow\/Pillow\" target=\"_blank\">Pillow<\/a> (a Python library that allows users to process images) or <a href=\"https:\/\/github.com\/LeoHsiao1\/pyexiv2\" target=\"_blank\">pyexiv2<\/a> were explicitly used by the attackers in their campaign. These libraries are common in the <a href=\"https:\/\/www.techopedia.com\/definition\/10349\/white-hat-hacker\">ethical hacking<\/a> community but are not optimized for malicious activities.<\/p>\n<p>Based on the techniques mentioned in the report, the following tools were more likely used in the campaign:<\/p>\n<div class=\"su-note\"  style=\"border-color:#e5e54c;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#FFFF66;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\">\n<ul>\n<li><strong>Steghide<\/strong>: A well-known tool for embedding hidden data into image files.<\/li>\n<li><strong>OpenStego<\/strong>: Another popular open-source steganography tool that allows data to be concealed in images or other file types.<\/li>\n<li><strong>Custom Scripts<\/strong>: Attackers often create their own steganography scripts in Python, C++, or other languages.<\/li>\n<li>Hackers can also use <a href=\"https:\/\/www.techopedia.com\/definition\/34633\/generative-ai\"><strong>generative AI<\/strong><\/a> to develop malicious code in HTML Smuggling.<\/li>\n<\/ul>\n<\/div><\/div>\n<p>As shown in the image below, <a href=\"https:\/\/www.opswat.com\/blog\/how-base64-encoding-opens-the-door-for-malware\" target=\"_blank\">OPSWAT<\/a> identified concealed code in an image used in an HTML Smuggling attack in April 2024.<\/p>\n<p>While HTML Smuggling and hidden code in images are not considered the same technique, both techniques share common ground, techniques, and objectives.<\/p>\n<figure id=\"attachment_381048\" aria-describedby=\"caption-attachment-381048\" style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Smuggling-code-within-HTML-is-another-way-to-get-malicious-code-onto-an-unsuspecting-client.jpg\" alt=\"A computer screen displaying HTML code with a base64-encoded image source, commonly used for embedding images in web pages.\" width=\"1200\" height=\"719\" class=\"wp-image-381048 size-full\" srcset=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Smuggling-code-within-HTML-is-another-way-to-get-malicious-code-onto-an-unsuspecting-client.jpg 1200w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Smuggling-code-within-HTML-is-another-way-to-get-malicious-code-onto-an-unsuspecting-client-300x180.jpg 300w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Smuggling-code-within-HTML-is-another-way-to-get-malicious-code-onto-an-unsuspecting-client-1024x614.jpg 1024w, https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Smuggling-code-within-HTML-is-another-way-to-get-malicious-code-onto-an-unsuspecting-client-768x460.jpg 768w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption id=\"caption-attachment-381048\" class=\"wp-caption-text\">Smuggling code within HTML is another way to get malicious code onto an unsuspecting client. Source: OPSWAT<\/figcaption><\/figure>\n<h2><span id=\"how_dangerous_can_malicious_images_be\">How Dangerous Can Malicious Images Be?<\/span><\/h2>\n<p>When a victim downloads and interacts with an infected image, downloads, opens or runs these files, the hidden code automatically triggers a domino effect that, if successful, culminates with the breach of your digital environment.<\/p>\n<p>Once a stealer is installed on a device, it targets system information, browser cookies, tokens, credentials, and passwords. It will also often try to access your e-wallets and finance and banking accounts.<\/p>\n<p>In contrast, if the image is coded to load spyware, then the breached device connects with an attacker-controlled C2 server, where it sends whatever information the hacker wants to access.<\/p>\n<p>This can include but is not limited to screen grabs and screen recordings, live or recorded audio, phone calls, live video, meetings, sensitive data, folders and files, keystroke recordings, and more.<\/p>\n<p>Stealers and spyware malware have also become very good at avoiding detection. This means victims might not realize anything is wrong with their computer until it&#8217;s too late and the damage is done.<\/p>\n<h2><span id=\"the_bottom_line\">The Bottom Line<\/span><\/h2>\n<p>Malicious code hidden in images should be considered extremely dangerous because it can breach systems and damage individuals, companies, governments, and organizations.<\/p>\n<p>Using images to conceal malicious code has become a trend that deserves attention. This technique is stealthy and effective and increases attack success rates.<\/p>\n<p>Usually used as triggers to connect a device to the attackers&#8217; infrastructure or load malware, this technique is on the rise because the tools are widespread and accessible and can be customized to exploit very specific vulnerabilities.<\/p>\n<p>From phishing emails to fake sites to malicious repositories, we expect black hat hackers to continue developing and using threat images to launch their cyberattacks.<\/p>\n<h2><span id=\"faqs\">FAQs<\/span><\/h2>\n<div class=\"man_faq_sec\" itemscope itemtype=\"https:\/\/schema.org\/FAQPage\"><\/time><section class=\"ms_faq ms_card \" ><div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\"><div class=\"accordionButton\"><h3 itemprop=\"name\">Are maliciously coded images a Zero-Click attack?<\/h3> <\/div>\n<div class=\"accordionContent\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\" style=\"display:none;\"><p itemprop=\"text\">No, malicious images are not a zero-click attack \u2014 at least not yet. The malicious images identified in the wild to date can only cause harm if the user\/victim interacts with the image. This means opening the image with vulnerable software, downloading it, or executing the file.<\/p>\r\n                <\/div><\/div><\/section>\n<section class=\"ms_faq ms_card \" ><div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\"><div class=\"accordionButton\"><h3 itemprop=\"name\">Why do hackers hide malware in images?<\/h3> <\/div>\n<div class=\"accordionContent\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\" style=\"display:none;\"><p itemprop=\"text\">By hiding malicious code in images, HTML, PNG, PDFs, or JPEGs, hackers can bypass security checks, trick victims more easily, and facilitate distribution.<\/p>\r\n                <\/div><\/div><\/section>\n<section class=\"ms_faq ms_card \" ><div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\"><div class=\"accordionButton\"><h3 itemprop=\"name\">How much data can be hidden in an image?<\/h3> <\/div>\n<div class=\"accordionContent\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\" style=\"display:none;\"><p itemprop=\"text\">The amount of data that can be hidden depends on the size of the image and the steganography technique used. A significant amount of data can be concealed if the hacker is skilled.<\/p>\r\n                <\/div><\/div><\/section>\n<div class=\"reference-content\">\n<div class=\"reference-heading reference-content-collapsible-heading\">\n<h2><span id=\"references\">References<\/span><\/h2>\n<\/div>\n<div class=\"reference-content-body\">\n<ol>\n<li><a href=\"https:\/\/threatresearch.ext.hp.com\/wp-content\/uploads\/2025\/01\/HP_Wolf_Security_Threat_Insights_Report_January_2025.pdf\" target=\"_blank\">Threat Insights Report January 2025<\/a> (HP Wolf Security)<\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2017-11882\" target=\"_blank\">Security Update Guide &#8211; Microsoft Security Response Center<\/a> (Microsoft)<\/li>\n<li><a href=\"https:\/\/github.com\/python-pillow\/Pillow\" target=\"_blank\">GitHub &#8211; python-pillow\/Pillow: Python Imaging Library (Fork)<\/a> (GitHub)<\/li>\n<li><a href=\"https:\/\/github.com\/LeoHsiao1\/pyexiv2\" target=\"_blank\">GitHub &#8211; LeoHsiao1\/pyexiv2: Read and write image metadata, including EXIF, IPTC, XMP, ICC Profile.<\/a> (GitHub)<\/li>\n<li><a href=\"https:\/\/www.opswat.com\/blog\/how-base64-encoding-opens-the-door-for-malware\" target=\"_blank\">How Base64 Encoding Opens the Door for Malware<\/a> (OPSWAT)<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The technique of hiding malicious code in images is not new. Cybercriminals can modify files to hide scripts and code in email attachments, PDFs, Excel files, PNGs, JPGs, and even in the body of an email. However, black hat hackers are always making advancements, customizing their attacks, and embedding even more dangerous tools inside images. [&hellip;]<\/p>\n","protected":false},"author":286688,"featured_media":381049,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_lmt_disableupdate":"no","_lmt_disable":"","om_disable_all_campaigns":false,"footnotes":""},"categories":[585],"tags":[],"category_partsoff":[],"class_list":["post-381043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-threats"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>This Is How Black Hat Hackers Hide Malicious Code in Images - Techopedia<\/title>\n<meta name=\"description\" content=\"Black Hats hide malicious code in images to evade detection, spread malware, and launch attacks. Learn how they do it.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"This Is How Black Hat Hackers Hide Malicious Code in Images\" \/>\n<meta property=\"og:description\" content=\"Black Hats hide malicious code in images to evade detection, spread malware, and launch attacks. Learn how they do it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images\" \/>\n<meta property=\"og:site_name\" content=\"Techopedia\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/techopedia\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-04T15:47:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"686\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Ray Fernandez\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techopedia\" \/>\n<meta name=\"twitter:site\" content=\"@techopedia\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ray Fernandez\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images\"},\"author\":{\"name\":\"Ray Fernandez\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c\"},\"headline\":\"This Is How Black Hat Hackers Hide Malicious Code in Images\",\"datePublished\":\"2025-02-04T15:47:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images\"},\"wordCount\":1747,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp\",\"articleSection\":\"\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images\",\"url\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images\",\"name\":\"This Is How Black Hat Hackers Hide Malicious Code in Images - Techopedia\",\"isPartOf\":{\"@id\":\"https:\/\/www.techopedia.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp\",\"datePublished\":\"2025-02-04T15:47:56+00:00\",\"description\":\"Black Hats hide malicious code in images to evade detection, spread malware, and launch attacks. Learn how they do it.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp\",\"width\":1200,\"height\":686,\"caption\":\"A futuristic digital image showing an abstract blend of binary code subtly hidden within colorful pixelated patterns of a serene landscape\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.techopedia.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\/\/www.techopedia.com\/topic\/4\/cybersecurity\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Threats\",\"item\":\"https:\/\/www.techopedia.com\/topic\/220\/cyber-threats\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"This Is How Black Hat Hackers Hide Malicious Code in Images\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.techopedia.com\/#website\",\"url\":\"https:\/\/www.techopedia.com\/\",\"name\":\"Techopedia\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.techopedia.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.techopedia.com\/#organization\",\"name\":\"Techopedia\",\"url\":\"https:\/\/www.techopedia.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg\",\"caption\":\"Techopedia\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/techopedia\/\",\"https:\/\/x.com\/techopedia\",\"https:\/\/www.linkedin.com\/company\/techopedia\/\",\"https:\/\/www.youtube.com\/c\/Techopedia\"],\"publishingPrinciples\":\"https:\/\/www.techopedia.com\/about\/editorial-policy\",\"ownershipFundingInfo\":\"https:\/\/www.techopedia.com\/about\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c\",\"name\":\"Ray Fernandez\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg\",\"caption\":\"Ray Fernandez\"},\"description\":\"Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/ray-fernandez\/\"],\"knowsAbout\":[\"Senior Technology Journalist\"],\"url\":\"https:\/\/www.techopedia.com\/contributors\/rayfernandez\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"This Is How Black Hat Hackers Hide Malicious Code in Images - Techopedia","description":"Black Hats hide malicious code in images to evade detection, spread malware, and launch attacks. Learn how they do it.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"This Is How Black Hat Hackers Hide Malicious Code in Images","og_description":"Black Hats hide malicious code in images to evade detection, spread malware, and launch attacks. Learn how they do it.","og_url":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images","og_site_name":"Techopedia","article_publisher":"https:\/\/www.facebook.com\/techopedia\/","article_published_time":"2025-02-04T15:47:56+00:00","og_image":[{"width":1200,"height":686,"url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp","type":"image\/webp"}],"author":"Ray Fernandez","twitter_card":"summary_large_image","twitter_creator":"@techopedia","twitter_site":"@techopedia","twitter_misc":{"Written by":"Ray Fernandez","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#article","isPartOf":{"@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images"},"author":{"name":"Ray Fernandez","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c"},"headline":"This Is How Black Hat Hackers Hide Malicious Code in Images","datePublished":"2025-02-04T15:47:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images"},"wordCount":1747,"commentCount":0,"publisher":{"@id":"https:\/\/www.techopedia.com\/#organization"},"image":{"@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage"},"thumbnailUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp","articleSection":"","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/www.techopedia.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images","url":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images","name":"This Is How Black Hat Hackers Hide Malicious Code in Images - Techopedia","isPartOf":{"@id":"https:\/\/www.techopedia.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage"},"image":{"@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage"},"thumbnailUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp","datePublished":"2025-02-04T15:47:56+00:00","description":"Black Hats hide malicious code in images to evade detection, spread malware, and launch attacks. Learn how they do it.","breadcrumb":{"@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#primaryimage","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/Black-Hat-Tactics-Hiding-Malicious-Code-in-Images.webp","width":1200,"height":686,"caption":"A futuristic digital image showing an abstract blend of binary code subtly hidden within colorful pixelated patterns of a serene landscape"},{"@type":"BreadcrumbList","@id":"https:\/\/www.techopedia.com\/how-black-hat-hackers-hide-malicious-code-in-images#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.techopedia.com\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.techopedia.com\/topic\/4\/cybersecurity"},{"@type":"ListItem","position":3,"name":"Cyber Threats","item":"https:\/\/www.techopedia.com\/topic\/220\/cyber-threats"},{"@type":"ListItem","position":4,"name":"This Is How Black Hat Hackers Hide Malicious Code in Images"}]},{"@type":"WebSite","@id":"https:\/\/www.techopedia.com\/#website","url":"https:\/\/www.techopedia.com\/","name":"Techopedia","description":"","publisher":{"@id":"https:\/\/www.techopedia.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.techopedia.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.techopedia.com\/#organization","name":"Techopedia","url":"https:\/\/www.techopedia.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg","caption":"Techopedia"},"image":{"@id":"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/techopedia\/","https:\/\/x.com\/techopedia","https:\/\/www.linkedin.com\/company\/techopedia\/","https:\/\/www.youtube.com\/c\/Techopedia"],"publishingPrinciples":"https:\/\/www.techopedia.com\/about\/editorial-policy","ownershipFundingInfo":"https:\/\/www.techopedia.com\/about"},{"@type":"Person","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c","name":"Ray Fernandez","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/image\/","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg","caption":"Ray Fernandez"},"description":"Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.","sameAs":["https:\/\/www.linkedin.com\/in\/ray-fernandez\/"],"knowsAbout":["Senior Technology Journalist"],"url":"https:\/\/www.techopedia.com\/contributors\/rayfernandez"}]}},"modified_by":"kseniachapchikova","_links":{"self":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/381043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/users\/286688"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/comments?post=381043"}],"version-history":[{"count":3,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/381043\/revisions"}],"predecessor-version":[{"id":381051,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/381043\/revisions\/381051"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/media\/381049"}],"wp:attachment":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/media?parent=381043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/categories?post=381043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/tags?post=381043"},{"taxonomy":"category_partsoff","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/category_partsoff?post=381043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}