SteganoAmor: TA558’s image-hidden malware targets oil, gas & maritime
TA558’s “SteganoAmor” campaign leverages steganography to deliver commodity malware across oil, gas, maritime, and industrial targets. The group’s use of image-embedded payloads and compromised infrastructure...

TL;DR
Key Points
- Detect and block spearphishing emails with steganographically embedded payloads targeting critical infrastructure.
- Harden and monitor FTP/SMTP servers to prevent C2 and data exfiltration via legitimate infrastructure.
- Deploy advanced steganalysis and behavioral analytics in email and endpoint security layers.
- Run sector-specific phishing simulations and update IR playbooks for steganography-based attacks.
- Track evolving TTPs and cross-group infrastructure sharing (Aggah, Blind Eagle).
The story in 60 seconds
TA558, a financially motivated group, has expanded its “SteganoAmor” campaign from Latin American hospitality to global oil, gas, maritime, and industrial sectors. The group uses spearphishing emails with image or text attachments containing steganographically embedded VBS, PowerShell, or RTF payloads, delivering malware like Agent Tesla, Remcos, and LokiBot.
Attackers exploit compromised FTP/SMTP servers for C2 and exfiltration, leveraging legitimate infrastructure to evade detection. The campaign’s reliance on steganography and commodity malware complicates traditional email and endpoint defenses, with a notable uptick in attacks on critical infrastructure in Brazil, Mexico, Iran, Russia, and Turkey.
TA558’s evolving TTPs—shared with groups like Aggah and Blind Eagle—underscore the need for advanced detection, rapid incident response, and sector-specific awareness. The group’s opportunistic targeting of unpatched Office installations and legacy OT/ICS systems increases risk for organizations with outdated defenses.
AlphaHunt
Why it matters
SOC
- Monitor for inbound emails with image/text attachments containing VBS, PowerShell, or RTF payloads.
- Alert on anomalous FTP/SMTP traffic, especially from legacy or compromised servers.
- Flag execution of scripts or Office files from untrusted sources, especially exploiting CVE-2017-11882.
IR
- Preserve steganographic payloads (images, RTFs) and associated scripts for forensic analysis.
- Triage incidents involving credential theft, C2 via FTP/SMTP, and lateral movement from phishing.
- Document and track infrastructure abuse (compromised mail/file servers).
SecOps
- Enforce advanced content inspection and steganalysis at email and endpoint layers.
- Patch Office vulnerabilities (esp. CVE-2017-11882) and restrict macro/script execution.
- Segment networks to limit exfiltration paths and monitor for unauthorized outbound connections.
Strategic
- Prioritize security investments in steganography detection and phishing resilience.
- Coordinate with sector ISACs and intelligence sharing platforms for cross-group TTPs.
- Update compliance and risk frameworks to address evolving threats to OT/ICS and maritime systems.
See it in your telemetry
Network
- Alert on outbound FTP/SMTP traffic to unknown or suspicious destinations, especially from non-standard hosts.
- Detect anomalous file transfers involving image or text files with high entropy or embedded scripts.
- Monitor for C2 patterns using compromised legitimate infrastructure (e.g., sudden spikes in mail server activity).
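The second bullet above (image or text files with high entropy or embedded scripts) is the one most easily turned into a triage check. The following is an added example written for this post, not tooling from Positive Technologies or any other vendor named here. It checks whether an attachment carries bytes appended after the PNG or JPEG trailer, decodes any long base64 run and looks for VBS, PowerShell and RTF markers in the decoded text, and reports the entropy of the appended region. The 1x1 PNG and the inert script text are constructed inline as test input; the marker list, the 200-character base64 threshold and the trailer heuristics are assumptions a team would tune against its own attachment corpus.

```python
"""Attachment triage helper: flags bytes appended after an image trailer,
script markers in plain or base64-encoded form, and the entropy of the
appended region. Added example for this write-up, not tooling from the
researchers it cites."""
import base64
import binascii
import math
import re
import struct
import zlib

# Marker strings a defender expects in VBS / PowerShell / RTF stagers (assumed list).
SCRIPT_MARKERS = (
    b"CreateObject(", b"WScript.Shell", b"powershell", b"-EncodedCommand",
    b"FromBase64String", b"Invoke-Expression", b"{\\rtf1",
)
# A long unbroken base64 run is the usual shape of a payload hidden in an image.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for packed/encrypted data, ~4-5 for text, <=6 for base64."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def image_end_offset(data: bytes):
    """Offset just past the PNG IEND chunk or JPEG EOI marker, else None.
    Heuristic: an EXIF thumbnail can carry its own EOI, so a JPEG hit is a
    prompt for analyst review rather than proof of appended data."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        i = data.find(b"IEND")
        return i + 8 if i != -1 else None      # 4-byte tag + 4-byte CRC
    if data.startswith(b"\xff\xd8"):
        i = data.find(b"\xff\xd9")
        return i + 2 if i != -1 else None
    return None


def scan_attachment(data: bytes) -> dict:
    """Return findings for one attachment body (image or text file)."""
    result = {"appended_bytes": 0, "appended_entropy": 0.0,
              "markers": [], "decoded_pe": False}
    end = image_end_offset(data)
    if end is not None and end < len(data):
        trailer = data[end:]
        result["appended_bytes"] = len(trailer)
        result["appended_entropy"] = round(shannon_entropy(trailer), 2)
    # Scan the raw bytes plus every decodable base64 run, because the VBS
    # stage decodes the blob before anything executable appears on disk.
    regions = [data]
    for run in BASE64_RUN.finditer(data):
        try:
            regions.append(base64.b64decode(run.group(0), validate=True))
        except binascii.Error:
            continue
    for region in regions:
        for marker in SCRIPT_MARKERS:
            name = marker.decode()
            if marker in region and name not in result["markers"]:
                result["markers"].append(name)
        if region.startswith(b"MZ"):          # decoded blob is a PE file
            result["decoded_pe"] = True
    return result


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def make_clean_png() -> bytes:
    """A valid 1x1 RGB PNG, constructed here as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed, inert script text with stager-like markers (not a real payload).
SAMPLE_SCRIPT = (
    b"' constructed test fixture: inert script text with stager-like markers\r\n"
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'cmd = "powershell -EncodedCommand " & String(120, "A")\r\n'
)


def make_stego_png() -> bytes:
    """Clean PNG with a base64 blob appended after IEND, the shape this campaign uses."""
    return make_clean_png() + base64.b64encode(SAMPLE_SCRIPT)


if __name__ == "__main__":
    for label, blob in (("clean.png", make_clean_png()), ("stego.png", make_stego_png())):
        print(label, scan_attachment(blob))
```

Run it on real attachments by feeding the raw body bytes to `scan_attachment`; anything with appended bytes plus a marker hit is worth quarantining for the analyst, while a clean image produces an empty marker list and zero appended bytes. The entropy value is reported rather than thresholded on purpose: base64 text sits near 6 bits per byte and a packed PE near 8, so the number tells the analyst what kind of blob was appended rather than just that one exists.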
Endpoint
- Flag execution of VBS, PowerShell, or RTF files originating from email attachments or downloads.
- Detect Office process spawning scripts or network connections, especially exploiting CVE-2017-11882.
- Identify persistence or credential theft activity linked to commodity malware families (Agent Tesla, Remcos, LokiBot).
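The first two endpoint bullets describe a process-tree pattern: an Office application, or the Equation Editor binary abused through CVE-2017-11882, launching a script interpreter, often with the script sitting in an Outlook attachment cache or downloads folder. The block below is an added example written for this post, not a rule from the report or any vendor: it classifies constructed process-creation events with that logic and ranks them. The parent and child image lists, the folder fragments and the severity mapping are assumptions to be tuned; the events are made up, with the file names taken from the campaign description above.

```python
"""Process-tree detection for the chain the report describes: an Office
process (or eqnedt32.exe, the Equation Editor binary abused via
CVE-2017-11882) spawning a script interpreter. Added example over
constructed events; not a vendor rule."""
from dataclasses import dataclass

# Assumed lists; extend with what your EDR actually records.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".ps1", ".js", ".jse")
MAIL_DIRS = ("\\content.outlook\\", "\\temporary internet files\\", "\\inetcache\\", "\\downloads\\")


@dataclass
class ProcEvent:
    host: str
    parent: str      # parent image name
    image: str       # child image name
    cmdline: str     # child command line


def classify(ev: ProcEvent) -> list:
    """Tag one event with the behaviours it matches (empty list if none)."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    tags = []
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        tags.append("office_spawns_script")
    if parent == "eqnedt32.exe":                    # Equation Editor should spawn nothing
        tags.append("equation_editor_child")
    if (image in SCRIPT_CHILDREN and any(ext in cmd for ext in SCRIPT_EXTS)
            and any(d in cmd for d in MAIL_DIRS)):
        tags.append("script_from_mail_or_download")
    if image in ("powershell.exe", "pwsh.exe") and ("-encodedcommand" in cmd or " -enc " in cmd):
        tags.append("encoded_powershell")
    return tags


def severity(tags: list) -> str:
    """Office/Equation Editor parentage is the strongest signal; the rest is context."""
    if "office_spawns_script" in tags or "equation_editor_child" in tags:
        return "high"
    return "medium" if tags else "none"


def triage(events: list) -> list:
    """Return (host, child image, severity, tags) for events that earn a tag."""
    out = []
    for ev in events:
        tags = classify(ev)
        if tags:
            out.append((ev.host, ev.image, severity(tags), tags))
    return out


def sample_events() -> list:
    """Constructed process-creation events, not real telemetry."""
    return [
        ProcEvent("ws-01", "winword.exe", "wscript.exe",
                  r'wscript.exe "C:\Users\ana\AppData\Local\Microsoft\Windows\INetCache'
                  r'\Content.Outlook\X1Y2Z3\greatloverstory.vbs"'),
        ProcEvent("ws-02", "eqnedt32.exe", "cmd.exe",
                  r"cmd.exe /c wscript.exe C:\Users\Public\easytolove.vbs"),
        ProcEvent("ws-03", "explorer.exe", "powershell.exe",
                  r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),   # benign admin task
        ProcEvent("ws-04", "explorer.exe", "powershell.exe",
                  "powershell.exe -NoProfile -EncodedCommand QUFBQQ=="),       # placeholder blob
    ]


if __name__ == "__main__":
    for row in triage(sample_events()):
        print(row)
```

The benign scheduled backup on ws-03 produces no tag and drops out, which is the point of keying the high-severity rules on parentage rather than on the interpreter alone: PowerShell and wscript are everywhere on a Windows estate, but an Office process or Equation Editor launching them almost never is.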
High Impact, Quick Wins
- Patch Office and disable macros/scripts by default; block execution of untrusted VBS/PowerShell.
- Deploy steganalysis tools and sandboxing for email attachments; quarantine suspicious files.
- Audit and secure FTP/SMTP infrastructure; enforce strong authentication and outbound filtering.
Research & Attribution
Historical Context
The "SteganoAmor" malware campaign is a global, multi-year operation attributed to the financially motivated threat actor TA558. First observed in 2018, TA558 initially targeted hospitality and tourism organizations in Latin America but has since expanded to a wide range of sectors and geographies, including oil, gas, and maritime industries. The campaign is notable for its extensive use of steganography—embedding malicious code within images and text files—to deliver a variety of malware payloads such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm. The campaign’s evolution reflects broader trends in cybercrime, including the use of compromised legitimate infrastructure (FTP/SMTP servers) for command-and-control (C2) and phishing, and the targeting of critical infrastructure sectors for both financial gain and strategic disruption.
Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide, which they attributed with confidence to the well-known TA558 group. In the attacks studied, the group made extensive use of steganography, sending VBS scripts, PowerShell code, and RTF documents carrying an embedded exploit inside images and text files.
The analysed samples combined several traditional tactics: obfuscated VBScript and PowerShell scripts, malicious code embedded in images (steganography), and free image-uploading and text-sharing websites abused as payload retrieval infrastructure.
Timeline
- 2018: TA558 activity first observed, primarily targeting hospitality and tourism in Latin America.
- 2022-2023: Expansion of targeting to include industrial, public, electric power, and construction sectors in Latin America, as well as companies in Russia, Romania, Turkey, and beyond.
- 2023-2024: "SteganoAmor" campaign identified, characterized by the use of steganography and a diverse malware arsenal. Notable increase in attacks on oil, gas, and maritime sectors, including Iranian operators.
- April–May 2024: Positive Technologies, ITOCHU Cyber & Intelligence, and F.A.C.C.T. publish technical analyses of the campaign, confirming TA558 attribution and describing global targeting.
The campaign has been codenamed SteganoAmor for its reliance on steganography and the choice of file names such as greatloverstory[.]vbs and easytolove[.]vbs. A majority of the attacks have targeted industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out.
Origin
TA558 is a financially motivated cybercrime group, first documented by Proofpoint and later tracked by multiple security vendors. The group is believed to operate out of Latin America, with infrastructure and victimology suggesting a focus on Spanish- and Portuguese-speaking countries. However, the group’s operations have become increasingly global, with evidence of attacks against organizations in the Middle East, including Iran, and in sectors critical to national economies and security.
As originally described by researchers at Proofpoint, TA558 is a relatively small financially motivated cybercrime group that has attacked hospitality and tourism organizations mainly in Latin America, but has also been identified behind attacks on organizations in North America and Western Europe.
Countries Targeted
- Brazil – Consistently the most targeted, with attacks on industrial, energy, and public sectors.
- Mexico – Frequent campaigns against oil, gas, and maritime operators.
- Argentina – Targeted for both industrial and public sector attacks.
- Iran – Recent campaigns have specifically targeted oil, gas, and maritime operators, including traders and port authorities.
- Russia, Romania, Turkey – Notable increase in attacks on companies in these countries, especially in energy and logistics.
Most of the email messages observed had been sent to Latin America, but a considerable percentage were addressed to companies in Russia, Romania, Turkey, and some other countries. In total, more than 320 attacks were discovered, spread across the countries listed above and the sectors listed below.
Sectors Targeted
- Oil & Gas – Direct targeting of traders, operators, and infrastructure, including in Iran.
- Maritime/Shipping – Attacks on port authorities, shipping companies, and logistics operators.
- Industrial/Manufacturing – Broader campaigns against industrial firms, including energy and construction.
- Public Sector – Government agencies, especially those involved in critical infrastructure.
- Electric Power – Targeting of utilities and power generation/distribution.
Motivation
TA558 is primarily financially motivated, seeking to steal credentials, exfiltrate sensitive data, and enable fraud or extortion. The use of commodity malware and steganography is designed to maximize infection rates and evade detection, while the targeting of critical infrastructure sectors suggests an opportunistic approach to high-value targets.
TA558 is a financially motivated cybercrime group primarily targeting hospitality, travel, and related sectors in Latin America and other regions. It is linked to two other cybercrime groups, Aggah and Blind Eagle, through shared use of the Crypters and Tools malware packing service and overlapping malware kits and tactics.
Attack Types
- Phishing: Initial access via spearphishing emails with malicious Excel, RTF, or ZIP attachments.
- Steganography: Malicious payloads (VBS, PowerShell, RTF exploits) embedded in images or text files.
- Malware Delivery: Deployment of Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, XWorm, and others.
- Credential Theft & Exfiltration: Use of FTP/SMTP servers for C2 and data exfiltration.
- Living-off-the-Land: Use of legitimate but compromised infrastructure to evade detection.
The group made extensive use of steganography, sending VBS scripts, PowerShell code, and RTF documents carrying an embedded exploit inside images and text files. The phishing emails are sent from legitimate-but-compromised SMTP servers to lend the messages a little credibility and minimize the chances of them getting blocked by email gateways.
Known Aliases
- TA558
Links to Other APT Groups
- Aggah – Linked through shared use of the Crypters and Tools malware packing service and overlapping malware kits and tactics.
- Blind Eagle – Linked through the use of Crypters and Tools and similar malware kits and targeting patterns in Latin America.
Similar Threat Actor Groups
- Odyssey Spider – A financially motivated eCrime actor known for phishing-driven delivery of commodity malware, similar to TA558's tactics.
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)