Tuesday, April 22, 2025
HomeBackdoorAPT15 Hackers Using Steganography Technique to Drop Okrum Backdoor Via PNG...

APT15 Hackers Using Steganography Technique to Drop Okrum Backdoor Via PNG File to Evade Detection

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a previously unseen malware called Okrum that distributed from APT15 threat group via a hidden PNG file with steganography technique to evade detection.

APT15 threat group also known as Ke3chang has a long history of its malicious activities since 2010, and it was initially reported in 2013 during their campaign activity attack organization in Europe.

Okrum backdoor initially detected in December 2016 that targets various countries such as Slovakia, Belgium, Chile, Guatemala and Brazil and is believed to be operating out of China.

- Advertisement - Google News

Okrum backdoor initially detected in December 2016 that targets various countries such as Slovakia, Belgium, Chile, Guatemala Brazil and is believed to be operating out of China.

The APT group continues to be active in 2019 to attack the same type of target but were using different malicious toolsets to compromise them.

Okrum has a similar modus operandi as previously documented Ke3chang (APT15)malware family with a basic set of backdoor commands.

Okrum Distribution and infection vector By APT15

Threat actors from APT15 hiding the okrum payload within a PNG file and infect the victim’s machine using steganography technique stay unnoticed and evade detection.

Attackers tried to hide malicious traffic with its C&C server within the normal traffic by registering the legitimate domain names.

Okrum backdoor installed and loaded by 2 different components which is frequently changed by malware authors to avoid detection.

According to ESET research, “Okrum is only equipped with basic backdoor commands, such as downloading and uploading files, executing files and shell commands. Most of the malicious activity has to be performed by typing shell commands manually, or by executing other tools and software”

“Researchers believe that the combination of simple backdoor and external tools fully accommodates their needs while being easier to develop, but it may also be an attempt to evade behavioral detection.”

Along with this, researchers discovered some of the external tools such as keylogger, tools for dumping passwords, or enumerating network sessions.

Based on the telemetry data, Threat actors employed various anti-emulation and anti-sandbox technique to avoid detection and it mainly targeting Slovakia, Belgium, Chile, Guatemala, and Brazil, Slovakia.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Chinese APT’s New Malware MirageFox Launch Cyber Attack on Government & Military Sectors

Hackers using steganography to Drop the Powload Malware & Hide Their Malvertising Traffic

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

TP-Link Router Vulnerabilities Allow Attackers to Execute Malicious SQL Commands

Cybersecurity researchers have uncovered critical SQL injection vulnerabilities in four TP-Link router models, enabling...

Faster Vulnerability Patching Reduces Risk and Lowers Cyber Risk Index

Trend Micro's Cyber Risk Exposure Management (CREM) solution has highlighted the critical role that...

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious...

Samsung One UI Vulnerability Leaks Sensitive Data in Plain Text With No Expiration!

A glaring vulnerability has come to light within Samsung's One UI interface: the clipboard...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation

Researchers have uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, employing...

North Korean IT Workers Use Real-Time Deepfakes to Infiltrate Organizations Through Remote Jobs

A division of Palo Alto Networks, have revealed a sophisticated scheme by North Korean...

Hackers Claim to Sell ‘Baldwin Killer’ Malware That Evades AV and EDR

A notorious threat actor has allegedly begun selling “Baldwin Killer,” a sophisticated malware toolkit...