MITRE ATT&CK Technique
Defense Evasion T1027.003
Description

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu)

By the end of 2017, a threat group used `Invoke-PSImage` to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

Supported Platforms
Linux, macOS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-02-05T14:28:16.719Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use steganography techniques in order to '
                'prevent the detection of hidden information. Steganographic '
                'techniques can be used to hide data in digital media such as '
                'images, audio tracks, video clips, or text files.\n'
                '\n'
                '[Duqu](https://attack.mitre.org/software/S0038) was an early '
                'example of malware that used steganography. It encrypted the '
                "gathered information from a victim's system and hid it within "
                'an image before exfiltrating the image to a C2 '
                'server.(Citation: Wikipedia Duqu) \n'
                '\n'
                'By the end of 2017, a threat group used\u202f'
                '<code>Invoke-PSImage</code>\u202fto hide '
                '[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
                'commands in an image file (.png) and execute the code on a '
                "victim's system. In this particular case the "
                '[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
                'code downloaded another obfuscated script to gather '
                "intelligence from the victim's machine and communicate it "
                'back to the adversary.(Citation: McAfee Malicious Doc Targets '
                'Pyeongchang Olympics)  ',
 'external_references': [{'external_id': 'T1027.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1027/003'},
                         {'description': 'Saavedra-Morales, J., Sherstobitoff, '
                                         'R. (2018, January 6). Malicious '
                                         'Document Targets Pyeongchang '
                                         'Olympics. Retrieved April 10, 2018.',
                          'source_name': 'McAfee Malicious Doc Targets '
                                         'Pyeongchang Olympics',
                          'url': 'https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/'},
                         {'description': 'Wikipedia. (2017, December 29). '
                                         'Duqu. Retrieved April 10, 2018.',
                          'source_name': 'Wikipedia Duqu',
                          'url': 'https://en.wikipedia.org/wiki/Duqu'}],
 'id': 'attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:20.395Z',
 'name': 'Steganography',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.2'}
Related Threat Actors (6)
Earth Lusca
High

MuddyWater
High

BRONZE BUTLER
High

Leviathan
High

Tropic Trooper
High