Darkhotel JPEG Steganography Sample Analysis
Darkhotel is an APT group with an East Asian background. Analysts ran fully static analysis on a suspected sample with AVL Code, reconstructing its multi-stage information-theft attack chain end to end.
Built with AVL Code + the Landi model
Overview
This case puts a 1.3MB JPEG sample attributed to the suspected Darkhotel group through fully static analysis, reconstructing its complete attack chain — JPEG steganography, WinRAR parasitism and multi-stage information theft — and producing IOCs, rules and response playbooks ready for detection, hunting and incident response.
Key results
- Extracted and reconstructed a 990KB WinRAR executable payload from the JPEG tail
- Identified the stego key and the JPEG + CRLF + Base64(PE) + padding stego format
- Dissected the dual persistence mechanism, WOW64 process injection and data-theft pipeline
- Extracted full IOCs: API imports, PE sections, injected DLLs, archive passwords and more
- Delivered YARA, SIGMA and network detection rules plus a standardized response workflow
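As an added hunting check (not code from the original analysis), the following scanner looks for the trailer layout stated above: it walks every EOI marker in a JPEG, expects CRLF followed by a Base64 run, decodes that run and flags it if the result starts with an MZ header. The sample bytes are constructed, and the stego key mentioned in the findings is not modeled, so the Base64 is treated as plain text.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Base64 run, optionally terminated by "=" padding characters.
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

# Constructed sample: a tiny JPEG body, CRLF, Base64 of a fake PE image
# (MZ stub plus a "PE" signature), then 16 bytes of filler. Hypothetical
# reconstruction of the JPEG + CRLF + Base64(PE) + padding layout.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"\x00" * 4 + b"PE\x00\x00" + b"\x00" * 50
SAMPLE = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + JPEG_EOI
          + b"\r\n" + base64.b64encode(FAKE_PE) + b"\x00" * 16)


def extract_trailer_payload(data: bytes):
    """Return a dict describing a hidden PE after the JPEG data, or None.

    Every EOI marker is tried, not just the first, because EXIF thumbnails
    embed their own SOI/EOI pair ahead of the real end of image.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = data.find(JPEG_EOI)
    while pos != -1:
        trailer = data[pos + 2:]
        if trailer.startswith(b"\r\n"):
            m = B64_RE.match(trailer, 2)
            if m:
                blob = m.group(0)
                # Filler bytes from the Base64 alphabet would leave a partial
                # quantum at the end; drop it so decoding cannot fail on length.
                blob = blob[: len(blob) - len(blob) % 4]
                try:
                    decoded = base64.b64decode(blob, validate=True)
                except (ValueError, binascii.Error):
                    decoded = b""
                if decoded.startswith(b"MZ"):
                    return {
                        "jpeg_len": pos + 2,
                        "payload": decoded,
                        "padding_len": len(trailer) - 2 - len(m.group(0)),
                        "trailer_ratio": len(trailer) / len(data),
                    }
        pos = data.find(JPEG_EOI, pos + 1)
    return None
```

A high `trailer_ratio` on its own is the "anomalous JPEG size" indicator; the MZ check turns it into a concrete finding.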
Practical value
Detection teams can deploy the YARA/SIGMA rules and IOCs immediately for real-time alerting and blocking; hunting teams can widen coverage using indicators such as anomalous JPEG size, Base64 decoding behavior and unusual WinRAR invocations; and incident responders can fold the packaged response workflow straight into their playbooks.
Artifacts
Session replays & reports are original records in Simplified Chinese
