Rewterz


OilRig Hides C2 in Google Drive Image via LSB – Active IOCs

Severity

High

Analysis Summary

The Iranian state-linked threat group OilRig (also tracked as APT34 and Helix Kitten) has been observed hiding its command-and-control (C2) configuration inside an innocuous-looking image file hosted on Google Drive. Using Least Significant Bit (LSB) steganography, the attackers embedded encrypted data in the pixel values of a PNG image. The file remains a valid image, so it passes the file-type and signature checks of conventional security tools, which rarely inspect pixel-level data. Active since at least 2016, the group is widely assessed to be linked to Iranian intelligence and has consistently targeted high-value sectors including government, telecom, energy, finance, and the chemical industry across multiple regions.

The campaign, uncovered by analysts, demonstrates a multi-stage attack chain combining phishing, cloud service abuse, and fileless malware execution. The initial infection vector was a malicious Excel document titled "Final List_Tehran.xlsm", themed around social protests in Iran to increase its credibility. The document referenced January 1404 in the Iranian calendar (late December 2025 to January 2026), indicating that the attackers aligned their lure with current events. Once the victim enabled macros, the embedded VBA code started the attack silently in the background.

Technically, the infection chain is built for stealth and persistence. The macro decodes C# source code hidden in the document and compiles it with csc.exe, the legitimate .NET compiler that ships with Windows, producing a malicious DLL loader. The loader retrieves further instructions from a GitHub repository, which in turn directs it to download a PNG image from Google Drive. From this image, the malware recovers the encrypted C2 configuration by reading the least significant bits of the pixel data, then Base64-decoding and XOR-decrypting the result. The configuration includes a Telegram bot token, with command and control handled via Telegram, and the chain delivers several modular payloads for persistence, file operations, command execution, and application control, all executed directly in memory to evade detection.

To maintain long-term access, the malware establishes persistence through Windows scheduled tasks and keeps communicating with the operators via Telegram, sending heartbeat messages to confirm that the host is still reachable. Because GitHub, Google Drive, and Telegram are trusted platforms, the malicious traffic blends in with normal user activity and the chance of detection drops significantly. The campaign underlines the growing sophistication of APT operations and the need for layered defences: disabling macros from untrusted sources, monitoring unusual outbound traffic to cloud platforms, and deploying endpoint detection capable of identifying in-memory execution and stealthy persistence techniques.
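As an added illustration (not code from the campaign or from Rewterz), the following Python round-trips a configuration through the three layers the analysis describes, XOR, Base64 and LSB embedding, and includes a triage check a hunter can run over a downloaded PNG. The PNG handling is deliberately minimal (8-bit RGB, filter type 0) so the script runs with the standard library alone. The carrier image, the configuration, the key, the 4-byte length framing and the MSB-first bit order are all constructed assumptions of this example; the campaign's real values and layout are not published here.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(tag, body):
    """Serialize one PNG chunk: length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

def write_png_rgb(width, height, rgb):
    """Write an 8-bit RGB PNG with filter type 0 on every scanline."""
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def read_png_rgb(data):
    """Parse an 8-bit RGB PNG back to (width, height, pixel bytes). Filter type 0 only."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw, stride, pixels = zlib.decompress(idat), width * 3, bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("example handles filter type 0 only")
        pixels += row[1:]
    return width, height, bytes(pixels)

def lsb_embed(pixels, payload):
    """Hide payload in the LSB of successive channel bytes, MSB first, after a 4-byte
    big-endian length header (framing is an assumption of this example)."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(framed):
        for j in range(8):
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(out)

def _lsb_bytes(pixels, bit_offset, count):
    out = bytearray()
    for k in range(count):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[bit_offset + k * 8 + j] & 1)
        out.append(byte)
    return bytes(out)

def lsb_extract(pixels):
    """Reverse of lsb_embed: read the length header, then that many payload bytes."""
    n = struct.unpack(">I", _lsb_bytes(pixels, 0, 4))[0]
    if 32 + n * 8 > len(pixels):
        raise ValueError("length header exceeds carrier; not an LSB payload with this framing")
    return _lsb_bytes(pixels, 32, n)

def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def pack_config(config, key, carrier_png):
    """Attacker side, mirroring the extraction order in the analysis: XOR, Base64, LSB-embed."""
    w, h, pixels = read_png_rgb(carrier_png)
    return write_png_rgb(w, h, lsb_embed(pixels, base64.b64encode(xor_bytes(config, key))))

def unpack_config(stego_png, key):
    """Implant side: LSB-extract, Base64-decode, XOR-decrypt."""
    _, _, pixels = read_png_rgb(stego_png)
    return xor_bytes(base64.b64decode(lsb_extract(pixels), validate=True), key)

def hunt_lsb_base64(png):
    """Triage check for a downloaded image: does the LSB plane hold a length-framed Base64
    blob? Natural images give random-looking LSBs; structured text there is a strong signal."""
    try:
        blob = lsb_extract(read_png_rgb(png)[2])
        return bool(blob) and base64.b64decode(blob, validate=True) is not None
    except (ValueError, IndexError):
        return False

# Constructed 64x16 gradient carrier; the campaign's image is not reproduced here.
CARRIER = write_png_rgb(64, 16, bytes((x * 4) & 0xFF for _ in range(16) for x in range(64) for _ in range(3)))
# Constructed, hypothetical configuration and key; not values from the campaign.
SAMPLE_CONFIG = b'{"bot_token":"000000000:EXAMPLE_TOKEN","chat_id":"0","sleep":300}'
SAMPLE_KEY = b"example-xor-key"

def demo():
    stego = pack_config(SAMPLE_CONFIG, SAMPLE_KEY, CARRIER)
    assert stego[:8] == PNG_SIG  # still a well-formed PNG for any file-type check
    return unpack_config(stego, SAMPLE_KEY)
```

The round trip shows why a file-level scanner sees nothing: the stego PNG has a valid signature, valid chunk CRCs and decodes to a plausible image. `hunt_lsb_base64` is the check worth automating over images fetched from cloud storage by non-browser processes; it only recognises this example's framing, so for real samples vary the bit order, channel selection and header convention before concluding that an image is clean.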

Impact

  • Security Bypass
  • Gain Access

Indicators of Compromise

MD5

  • 717da2804144e9759c4e6409f18b7b4b
  • 07aa715f8a6f56a96476aae0ebca17c7
  • d0d17a50422e3d4a0a50fed0878a47d6
  • 9c0409be11a6c4433896db58e7095464

SHA-256

  • 90aebc9849b659515fd70dde6db717ad457ab2a90522a410d1fd531ca8640624
  • d3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192
  • 59ee007fd17280470724eb8a11ab12a98e85fd2383af3065f5f09a7e1a73f88c
  • c40c94d787f6a35ac1cb4c5f031cf5777b77c79dc3929181badea33aaf177aa7

SHA1

  • 7d44697306143f3bfceba4f347d45ed1f9853087
  • 66dd706145a82dfc9c5908de0feb1c810626c354
  • b4259d3390c5b93a897091990a3379cd26bb3de1
  • 8e61d65ebe8cbea2052862c03d516b7c9b5c5568

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Disable macros in Microsoft Office files, especially those received from external or untrusted sources.
  • Use strong email filtering to detect and block phishing emails and malicious attachments like weaponized Excel files.
  • Monitor outbound traffic to services like Google Drive and GitHub for unusual or suspicious activity.
  • Restrict or closely monitor the use of scripting tools and compilers such as csc.exe and PowerShell to prevent abuse.
  • Deploy advanced endpoint detection solutions to identify in-memory execution, DLL side-loading, and process injection techniques.
  • Implement application whitelisting to block unauthorized or suspicious DLL execution.
  • Regularly audit Windows scheduled tasks to detect persistence mechanisms used by attackers.
  • Monitor network traffic for anomalies, especially communication with external APIs like Telegram.
  • Apply the principle of least privilege so users do not have unnecessary administrative access.
  • Use security tools capable of detecting fileless malware and hidden payloads such as steganography-based threats.
  • Train users to recognize phishing attempts, particularly documents themed around real-world events.
  • Conduct regular threat hunting to identify indicators like Base64 decoding, unusual DLL loading, and hidden data extraction.
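The following Python, added here as an example and not part of Rewterz's advisory or any vendor product, turns four of the recommendations above (csc.exe abuse, scheduled-task persistence, non-browser traffic to Telegram, GitHub and Google Drive) into rules evaluated over constructed Sysmon-style process-creation and network-connection events. The event field names, the sample command lines and the process lineage of the persistence step are assumptions made for the illustration; the allowlist of processes permitted to reach the cloud hosts must be tuned per environment (sanctioned sync or git clients, for instance).

```python
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMPILERS_AND_HOSTS = {"csc.exe", "vbc.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
CLOUD_C2_HOSTS = {"api.telegram.org", "drive.google.com", "raw.githubusercontent.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # extend with sanctioned sync/git clients
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\")

def _base(path):
    """Lower-cased file name of a Windows path (None-safe for events without a parent)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawns_compiler_or_host(ev):
    """An Office application starting a compiler or script host: the macro's first step."""
    return (ev["type"] == "process_create" and _base(ev.get("parent_image")) in OFFICE_APPS
            and _base(ev["image"]) in COMPILERS_AND_HOSTS)

def csc_builds_dll_in_user_path(ev):
    """csc.exe producing a library under a user-writable path, as the loader build does."""
    if ev["type"] != "process_create" or _base(ev["image"]) != "csc.exe":
        return False
    cl = ev.get("command_line", "").lower()
    return ("/target:library" in cl or "/t:library" in cl) and bool(USER_WRITABLE.search(cl))

def schtasks_create_from_script_host(ev):
    """Scheduled-task creation driven by a script host or DLL host rather than an admin shell."""
    return (ev["type"] == "process_create" and _base(ev["image"]) == "schtasks.exe"
            and "/create" in ev.get("command_line", "").lower()
            and _base(ev.get("parent_image")) in COMPILERS_AND_HOSTS)

def non_browser_to_cloud_c2(ev):
    """Outbound connection to a trusted cloud host from something that is not a browser."""
    return (ev["type"] == "network_connect" and ev.get("dest_host", "").lower() in CLOUD_C2_HOSTS
            and _base(ev["image"]) not in BROWSERS)

RULES = [("office_spawns_compiler_or_host", office_spawns_compiler_or_host),
         ("csc_builds_dll_in_user_path", csc_builds_dll_in_user_path),
         ("schtasks_create_from_script_host", schtasks_create_from_script_host),
         ("non_browser_to_cloud_c2", non_browser_to_cloud_c2)]

def evaluate(events):
    """Return (rule name, event id) for every event that matches a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]

# Constructed Sysmon-style events; not real telemetry from the campaign.
TMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"EXCEL.EXE" "C:\Users\user\Downloads\Final List_Tehran.xlsm"'},
    {"id": 2, "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": rf'csc.exe /nologo /target:library /out:"{TMP}\loader.dll" "{TMP}\loader.cs"'},
    {"id": 3, "type": "process_create",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /SC MINUTE /MO 5 /TN Updater /TR "rundll32.exe loader.dll,Run"'},
    {"id": 4, "type": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "drive.google.com"},
    {"id": 5, "type": "network_connect",
     "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "api.telegram.org"},
    {"id": 6, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, the benign Excel launch, the browser's Google Drive session and the notepad start produce no alerts, while the compiler spawned by Excel, the DLL written to the user's temp directory, the task created from PowerShell and rundll32's connection to Telegram each fire. In production the parent-child rules are cheap and high-signal; the cloud-host rule is the one that needs an allowlist, and even then it is better treated as a hunting lead than a blocking control.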