SteganoAmor: TA558’s image-hidden malware targets oil, gas & maritime

TA558’s “SteganoAmor” campaign leverages steganography to deliver commodity malware across oil, gas, maritime, and industrial targets. The group’s use of image-embedded payloads and compromised infrastructure...

Roses are red. Payloads are blue. Tell your SMTP to stop DM’ing C2.

TL;DR

Key Points

  • Detect and block spearphishing emails with steganographically embedded payloads targeting critical infrastructure.
  • Harden and monitor FTP/SMTP servers to prevent C2 and data exfiltration via legitimate infrastructure.
  • Deploy advanced steganalysis and behavioral analytics in email and endpoint security layers.
  • Run sector-specific phishing simulations and update IR playbooks for steganography-based attacks.
  • Track evolving TTPs and cross-group infrastructure sharing (Aggah, Blind Eagle).

The story in 60 seconds

TA558, a financially motivated group, has expanded its “SteganoAmor” campaign from Latin American hospitality to global oil, gas, maritime, and industrial targets. Spearphishing emails deliver an Office or RTF document carrying an exploit (CVE-2017-11882 is the one repeatedly abused); the follow-on VBScript and PowerShell stages are fetched from free image-hosting and text-sharing sites, hidden steganographically inside ordinary-looking image and text files, and the chain ends in commodity malware such as Agent Tesla, Remcos, and LokiBot.

Attackers exploit compromised FTP/SMTP servers for C2 and exfiltration, leveraging legitimate infrastructure to evade detection. The campaign’s reliance on steganography and commodity malware complicates traditional email and endpoint defenses, with a notable uptick in attacks on critical infrastructure in Brazil, Mexico, Iran, Russia, and Turkey.

TA558’s evolving TTPs—shared with groups like Aggah and Blind Eagle—underscore the need for advanced detection, rapid incident response, and sector-specific awareness. The group’s opportunistic targeting of unpatched Office installations and legacy OT/ICS systems increases risk for organizations with outdated defenses.


AlphaHunt



Why it matters

SOC

  • Monitor for inbound emails carrying RTF or other Office attachments, and for the follow-on downloads of image or text files from free hosting sites that contain VBS or PowerShell payloads.
  • Alert on anomalous FTP/SMTP traffic, especially from legacy or compromised servers.
  • Flag execution of scripts or Office files from untrusted sources, especially exploiting CVE-2017-11882.

IR

  • Preserve steganographic payloads (images, RTFs) and associated scripts for forensic analysis.
  • Triage incidents involving credential theft, C2 via FTP/SMTP, and lateral movement from phishing.
  • Document and track infrastructure abuse (compromised mail/file servers).

SecOps

  • Enforce advanced content inspection and steganalysis at email and endpoint layers.
  • Patch Office vulnerabilities (esp. CVE-2017-11882) and restrict macro/script execution.
  • Segment networks to limit exfiltration paths and monitor for unauthorized outbound connections.

Strategic

  • Prioritize security investments in steganography detection and phishing resilience.
  • Coordinate with sector ISACs and intelligence sharing platforms for cross-group TTPs.
  • Update compliance and risk frameworks to address evolving threats to OT/ICS and maritime systems.

See it in your telemetry

Network

  • Alert on outbound FTP/SMTP traffic to unknown or suspicious destinations, especially from hosts that are not designated mail relays or file-transfer servers.
  • Detect anomalous downloads of image or text files that carry embedded scripts: data appended after the image's end marker, or long base64 blobs inside text files, are the giveaway (raw entropy is a weak signal, since compressed images are already high-entropy).
  • Monitor for C2 patterns using compromised legitimate infrastructure (e.g., sudden spikes in mail server activity).
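The network bullets above boil down to a role check: only designated relays and file servers should speak SMTP/FTP outbound, and even a legitimate relay reaching a peer it has never used deserves a look. The following is an added example of that logic run over constructed flow records; it is not code from the original research or from AlphaHunt. The asset inventory (which hosts are relays or FTP servers), the known-peer baseline, and the flow data are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records (5-tuple subset plus byte counts); not real telemetry.
FLOWS = [
    {"src": "10.20.5.17", "dst": "10.20.1.10",    "dport": 25,  "bytes": 4_200},    # workstation -> internal relay (normal)
    {"src": "10.20.5.17", "dst": "198.51.100.23", "dport": 587, "bytes": 91_000},   # workstation -> external SMTP (suspicious)
    {"src": "10.20.5.17", "dst": "203.0.113.8",   "dport": 21,  "bytes": 3_100},    # workstation -> external FTP (suspicious)
    {"src": "10.20.1.10", "dst": "192.0.2.44",    "dport": 25,  "bytes": 12_000},   # relay -> known peer (normal)
    {"src": "10.20.1.10", "dst": "198.51.100.23", "dport": 25,  "bytes": 640_000},  # relay -> never-seen peer, large (suspicious)
    {"src": "10.20.5.31", "dst": "10.20.1.20",    "dport": 21,  "bytes": 2_000},    # workstation -> internal FTP server (normal)
]

# Assumed asset inventory: the only internal hosts allowed to speak SMTP/FTP to the outside.
MAIL_RELAYS = {"10.20.1.10"}
FTP_SERVERS = {"10.20.1.20"}
# Assumed baseline of SMTP peers the relay has used before (in practice learned from history).
KNOWN_SMTP_PEERS = {"192.0.2.44"}

MAIL_PORTS = {25, 465, 587}
FTP_PORTS = {20, 21}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def triage_flows(flows, large_transfer_bytes=500_000):
    """Return alerts for mail/FTP traffic that does not fit each host's expected role."""
    alerts = []
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        proto = "smtp" if port in MAIL_PORTS else "ftp" if port in FTP_PORTS else None
        if proto is None:
            continue
        external = not is_internal(dst)
        # Rule 1: a host that is neither a relay nor an FTP server talks SMTP/FTP to the outside.
        if external and src not in MAIL_RELAYS and src not in FTP_SERVERS:
            alerts.append({"rule": f"{proto}_from_non_server_host", "src": src, "dst": dst, "severity": "high"})
            continue
        # Rule 2: a legitimate relay reaches a peer it has never used; a large transfer raises severity.
        if proto == "smtp" and src in MAIL_RELAYS and external and dst not in KNOWN_SMTP_PEERS:
            sev = "high" if f["bytes"] >= large_transfer_bytes else "medium"
            alerts.append({"rule": "smtp_new_peer_from_relay", "src": src, "dst": dst, "severity": sev})
    return alerts


def summarize(alerts):
    """Group triggered rules by source host so an analyst sees one line per offender."""
    per_src = defaultdict(list)
    for a in alerts:
        per_src[a["src"]].append(a["rule"])
    return dict(per_src)


if __name__ == "__main__":
    for src, rules in summarize(triage_flows(FLOWS)).items():
        print(src, "->", ", ".join(rules))
```

Rule 2 is the one that catches abuse of a compromised legitimate relay: the traffic is on the right port from the right host, so only the unfamiliar destination and the volume give it away. Feed it a real peer baseline (several weeks of relay logs) before trusting the medium-severity hits.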

Endpoint

  • Flag execution of VBS, PowerShell, or RTF files originating from email attachments or downloads.
  • Detect Office processes spawning script hosts or opening network connections; for CVE-2017-11882 specifically, watch EQNEDT32.EXE (the Equation Editor component the exploit abuses) doing either, since that binary has no legitimate reason to launch cmd.exe or reach the network.
  • Identify persistence or credential theft activity linked to commodity malware families (Agent Tesla, Remcos, LokiBot).
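As an added example (not code from the original page or from the researchers), here is the endpoint logic from the bullets above applied to a few constructed Sysmon-style events: process creation (EventID 1) with an Office app or EQNEDT32.EXE as parent, and network connections (EventID 3) from EQNEDT32.EXE. The event lines, paths and the lists of script hosts and suspicious arguments are assumptions for the example; the only hard fact relied on is that EQNEDT32.EXE is the Equation Editor binary CVE-2017-11882 targets.

```python
import json
from typing import Optional

# Constructed Sysmon-style events, one JSON object per line; not real logs.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs"}
{"EventID": 1, "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe readme.txt"}
{"EventID": 3, "Image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "DestinationIp": "203.0.113.8", "DestinationPort": 80}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationIp": "52.96.1.1", "DestinationPort": 443}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
EQUATION_EDITOR = "eqnedt32.exe"          # Equation Editor: the component CVE-2017-11882 exploits
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Assumed command-line fragments that push an Office->script alert from medium to high.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "frombase64string", "downloadstring",
                   "-w hidden", "-windowstyle hidden")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Apply the two process-tree rules and the EQNEDT32 network rule to one event."""
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == 1:
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "").lower()
        if parent == EQUATION_EDITOR and image in SCRIPT_HOSTS:
            # Equation Editor never needs a shell; this is the classic CVE-2017-11882 post-exploitation step.
            return {"rule": "equation_editor_spawns_script", "severity": "high", "parent": parent, "child": image}
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            sev = "high" if any(a in cmd for a in SUSPICIOUS_ARGS) else "medium"
            return {"rule": "office_spawns_script", "severity": sev, "parent": parent, "child": image}
    elif eid == 3 and image == EQUATION_EDITOR:
        dst = f"{event.get('DestinationIp')}:{event.get('DestinationPort')}"
        return {"rule": "equation_editor_network", "severity": "high", "dst": dst}
    return None   # Office apps talking HTTPS (Outlook, above) are normal and produce nothing


def scan(jsonl: str) -> list:
    """Run evaluate() over JSON-lines telemetry and collect the alerts."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if line.strip():
            hit = evaluate(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Outlook launching a script host is the noisiest of these in environments with add-ins; tune by parent rather than dropping the rule, because Word and Excel spawning wscript.exe from a user's Temp directory is exactly the shape of the initial stage described here.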

High Impact, Quick Wins

  • Patch Office and disable macros/scripts by default; block execution of untrusted VBS/PowerShell.
  • Deploy steganalysis tools and sandboxing for email attachments; quarantine suspicious files.
  • Audit and secure FTP/SMTP infrastructure; enforce strong authentication and outbound filtering.
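The "steganalysis" called for above does not have to mean pixel-level analysis. The cheapest check that catches payloads appended to an otherwise valid image is structural: parse the PNG chunk list or JPEG segment list to find where the image really ends, and treat anything after that as a trailer worth decoding. The following is an added example of that check, not code from the original research or from AlphaHunt; the sample images and the base64-encoded VBScript stand-in are constructed for the example, and the marker strings used to recognise a script are an assumption you would extend with your own.

```python
import base64
import re
import struct
import zlib
from typing import Iterator, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed indicators: strings that mark a script if found in the trailer raw or after base64 decoding.
SCRIPT_MARKERS = (b"CreateObject", b"WScript", b"powershell", b"Invoke-Expression",
                  b"FromBase64String", b"DownloadString", b"<script")
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the PNG IEND chunk or the JPEG EOI marker; None if not a well-formed PNG/JPEG."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            ctype = data[pos + 4:pos + 8]
            pos += 8 + length + 4                        # length + type + data + CRC
            if ctype == b"IEND":
                return pos if pos <= len(data) else None
        return None
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 2 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker == 0xD9:                           # EOI before any scan: degenerate but complete
                return pos + 2
            if marker == 0xDA:                           # SOS: in scan data FF is always stuffed (FF00) or an
                eoi = data.find(b"\xff\xd9", pos + 2)    # RSTn marker, so the first FFD9 after it is the real EOI
                return eoi + 2 if eoi != -1 else None
            if marker == 0xFF:                           # fill byte
                pos += 1
                continue
            if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
                pos += 2
                continue
            if pos + 4 > len(data):
                return None
            # Skip APPn/COM/DQT/... by declared length; an EXIF thumbnail's own EOI is never seen this way.
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        return None
    return None


def decode_candidates(trailer: bytes) -> Iterator[bytes]:
    """Yield the trailer itself plus the decoded form of each long base64 run inside it."""
    yield trailer
    for m in B64_RUN.finditer(trailer):
        try:
            yield base64.b64decode(m.group(0))
        except ValueError:                               # bad padding / not really base64
            continue


def analyze_image(data: bytes) -> dict:
    end = image_end_offset(data)
    if end is None:
        return {"verdict": "unparsed", "trailer_bytes": 0, "hits": []}
    trailer = data[end:]
    hits = {m.decode() for blob in decode_candidates(trailer)
            for m in SCRIPT_MARKERS if m.lower() in blob.lower()}
    verdict = "script_in_trailer" if hits else ("trailer_data" if trailer else "clean")
    return {"verdict": verdict, "trailer_bytes": len(trailer), "hits": sorted(hits)}


# ---- constructed samples -------------------------------------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_clean_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                    # one filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_clean_jpeg() -> bytes:
    """Constructed minimal JPEG structure (SOI, JFIF APP0, EOI); not a viewable picture."""
    app0 = b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + b"\xff\xd9"


# Constructed stand-in for a smuggled dropper, base64-encoded and appended after IEND.
# The encoded command is a placeholder, not a real payload.
STEGO_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
             b'sh.Run "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <placeholder>", 0')


def make_stego_png() -> bytes:
    return make_clean_png() + base64.b64encode(STEGO_VBS)


if __name__ == "__main__":
    for name, blob in (("clean.png", make_clean_png()), ("clean.jpg", make_clean_jpeg()), ("stego.png", make_stego_png())):
        print(name, analyze_image(blob))
```

The point of parsing rather than grepping is the thumbnail case: an EXIF APP1 segment contains a complete inner JPEG with its own FFD9, so a naive "first EOI" search would flag every camera photo as carrying a trailer. A "trailer_data" verdict with no script hits still merits a sandbox detonation of the file that downloaded it; the payload may be XOR-wrapped rather than base64.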

Research & Attribution

Historical Context

The "SteganoAmor" malware campaign is a global, multi-year operation attributed to the financially motivated threat actor TA558. First observed in 2018, TA558 initially targeted hospitality and tourism organizations in Latin America but has since expanded to a wide range of sectors and geographies, including oil, gas, and maritime industries. The campaign is notable for its extensive use of steganography—embedding malicious code within images and text files—to deliver a variety of malware payloads such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm. The campaign’s evolution reflects broader trends in cybercrime, including the use of compromised legitimate infrastructure (FTP/SMTP servers) for command-and-control (C2) and phishing, and the targeting of critical infrastructure sectors for both financial gain and strategic disruption.

Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide, which they confidently attributed to the well-known TA558 group. In the attacks studied, the group made extensive use of steganography, hiding VBScripts, PowerShell code, and RTF documents with an embedded exploit inside images and text files.

The samples combined several well-worn techniques: obfuscated VBScript and PowerShell, malicious code embedded in images (steganography), and free image-hosting and text-sharing websites used as payload retrieval infrastructure.