#005 · Sample Analysis

Darkhotel JPEG Steganography Sample Analysis

Darkhotel is an APT group with an East Asian background. Analysts ran fully static analysis on a suspected sample with AVL Code, reconstructing its multi-stage information-theft attack chain end to end.

Built with AVL Code + the Landi model

Steganalysis · JPEG · Darkhotel · APT · WOW64

Overview

This case puts a 1.3MB JPEG sample tentatively attributed to Darkhotel through fully static analysis, reconstructing its complete attack chain (JPEG steganography, WinRAR parasitism and multi-stage information theft) and producing IOCs, rules and response playbooks ready for detection, hunting and incident response.

Key results

  • Extracted and reconstructed a 990KB WinRAR executable payload from the JPEG tail
  • Identified the stego key and the JPEG + CRLF + Base64(PE) + padding stego format
  • Dissected the dual persistence mechanism, WOW64 process injection and data-theft pipeline
  • Extracted full IOCs: API imports, PE sections, injected DLLs, archive passwords and more
  • Delivered YARA, SIGMA and network detection rules plus a standardized response workflow

Technical highlights

  • Precise JPEG boundary location and stego payload extraction
  • Chunked Base64 decoding
  • Triple cross-validation of PE identity
  • Fully static analysis with zero execution risk
  • Persistence and WOW64 injection behavior reconstruction
  • Living-off-the-land (LotL) parasitic strategy identification

Practical value

Detection teams can deploy the YARA/SIGMA rules and IOCs immediately for real-time alerting and blocking; hunting teams can widen coverage using indicators such as anomalous JPEG size (image files carrying data past the EOI marker), Base64 decoding behavior and unusual WinRAR invocations; and incident responders can fold the packaged response workflow straight into their playbooks.
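The following is an added example, not code from the page or from AVL Code, showing the two technical points above in working form: the JPEG + CRLF + Base64(PE) + padding extraction from the Key results (boundary location by walking marker segments, chunked Base64 decoding, three independent PE identity checks) and the "anomalous JPEG size" hunting check, which amounts to counting bytes after the image's EOI marker. Base64 inflates data by a third, so a 990KB PE alone encodes to roughly 1.3MB of text, which is why file size is a usable indicator here. The JPEG, the PE stub and the zero-byte padding are constructed for the example; the page does not publish the stego key or the real padding bytes, so no keyed transform is applied and plain Base64 is assumed.

```python
"""Added example, not code from the page or from AVL Code: extract a PE hidden in the
JPEG + CRLF + Base64(PE) + padding layout the case describes and cross-check the result.
All sample bytes (the JPEG, the PE stub, the padding) are constructed here; the real sample's
stego key and padding bytes are not published on the page, so no keyed transform is applied."""
import base64
import re
import struct

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def find_jpeg_end(data: bytes) -> int:
    """Offset just past the EOI that closes the image, found by walking marker segments.
    A naive data.find(b"\\xff\\xd9") can stop early on an EXIF thumbnail's own EOI."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                    # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # TEM, SOI, RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xDA:                                    # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                     # real marker, not FF00/RSTn
                pos += 1
    raise ValueError("EOI marker not found")


def trailing_bytes(data: bytes) -> int:
    """Hunting check behind the 'anomalous JPEG size' indicator: bytes after the image's EOI."""
    return len(data) - find_jpeg_end(data)


def extract_payload(data: bytes, chunk_size: int = 4096) -> bytes:
    """Pull the Base64 run that follows 'EOI + CRLF' and decode it in 4-char-aligned chunks."""
    trailer = data[find_jpeg_end(data):]
    if not trailer.startswith(b"\r\n"):
        raise ValueError("no CRLF separator after EOI")
    m = B64_RUN.match(trailer, 2)                             # stops at the first padding byte
    if not m:
        raise ValueError("no Base64 run after CRLF")
    b64 = m.group(0)
    chunk_size = max(4, chunk_size - chunk_size % 4)          # keep each chunk a whole quantum
    return b"".join(base64.b64decode(b64[i:i + chunk_size]) for i in range(0, len(b64), chunk_size))


def validate_pe(blob: bytes) -> dict:
    """Three independent checks of PE identity: DOS magic, PE signature at e_lfanew,
    and a sane File/Optional header (machine, section count, optional-header magic)."""
    checks = {"mz_magic": blob[:2] == b"MZ", "pe_signature": False, "headers_sane": False}
    if len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        checks["pe_signature"] = blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
        if checks["pe_signature"] and len(blob) >= e_lfanew + 26:
            machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
            opt_magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
            checks["headers_sane"] = (machine in (0x14C, 0x8664) and 0 < nsections <= 96
                                      and opt_magic in (0x10B, 0x20B))
    return checks


def build_pe_stub() -> bytes:
    """Constructed PE32 header-only stub (i386, 3 sections): enough for the three checks."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + struct.pack("<H", 0x10B) + b"\x00" * 0xDE


# Constructed carrier: SOI, an APP1 whose payload contains a decoy FF D9, a minimal SOS
# with a stuffed FF00 in the entropy data, then the real EOI.
SAMPLE_JPEG = (JPEG_SOI
               + b"\xff\xe1" + struct.pack(">H", 12) + b"Exif\x00\x00\xff\xd8\xff\xd9"
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\xff\x00\x34" + JPEG_EOI)
# Constructed stego file in the page's layout; zero-byte padding is an assumption.
STEGO_SAMPLE = SAMPLE_JPEG + b"\r\n" + base64.b64encode(build_pe_stub()) + b"\x00" * 32

if __name__ == "__main__":
    print("trailing bytes after EOI:", trailing_bytes(STEGO_SAMPLE))
    pe = extract_payload(STEGO_SAMPLE, chunk_size=64)
    print("extracted", len(pe), "bytes; checks:", validate_pe(pe))
```

Walking the marker segments rather than searching for the first FF D9 matters in practice: EXIF thumbnails embedded in APP1 are complete JPEGs with their own EOI, so a naive search would cut the carrier short and hand the decoder image data instead of Base64. The three PE checks are deliberately independent (DOS magic, the signature reached via e_lfanew, and header fields with plausible values) so that a Base64 run that merely happens to start with "TVq" is not mistaken for an executable.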

Artifacts

Session replays & reports are original records in Simplified Chinese · Built with AVL Code + the Landi model