
DNV details ‘SteganoAmor’ malware campaign used against Iranian oil and gas traders, extends to maritime operators

The campaign began with phishing emails sent from a newly registered domain, vaproum.biz, impersonating legitimate persons and businesses present in Iran, including a Swiss-based engineering company. The emails carried ZIP attachments containing JavaScript-based multi-stage downloaders, and execution began as soon as the recipient opened the attachment. Once running, the script retrieved a JPG image hosted on archive.org. The image contained a hidden payload, which was decoded and executed directly in memory, thereby bypassing detection.

DNV added that this technique, named ‘SteganoAmor,’ leverages steganography to conceal malicious code within seemingly benign media files. The final delivered payload was a variant of the ‘Agent Tesla’ malware, capable of stealing and exfiltrating data from infected machines. The ‘SteganoAmor’ method was observed in a limited number of campaigns from March to May 2025 that also shared similarities with reported attacks from 2024.

Furthermore, the executable code carried in the JPG is loaded directly into memory to avoid detection. The code supports persistence through scheduled tasks and arbitrary command and control functions. The remote connection is to aguout12.lovestoblog.com. The final delivered malware in this case appears to be a variant of ‘Agent Tesla.’
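The report does not say how the payload was hidden inside the image, so a defender who wants to check inbound or cached JPGs for this kind of carrier needs a check that does not depend on one encoding. The script below is an added example, not code from DNV or the Industrial Cyber article: it walks the JPEG marker segments to find the true End-Of-Image marker, reports any bytes that follow it, and, as one assumed and common case, tests whether that tail is a base64 blob that decodes to something starting with an "MZ" header. The sample JPEG and the fake payload are constructed inline; the domain, the campaign and the actual SteganoAmor encoding are not modelled.

```python
import base64
import re

# Constructed sample data (not from the report): a minimal JPEG built by hand
# with an APP0 segment, a scan segment containing a stuffed 0xFF 0x00 pair and
# an RSTn marker, and a terminating EOI marker.
CLEAN_JPEG = (
    b"\xff\xd8"                                                      # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                    # SOS header, length 8
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                            # entropy-coded data
    + b"\xff\xd9"                                                    # EOI
)

# Constructed stand-in for an appended payload (assumption: base64 text glued
# after EOI): a fake PE consisting of an "MZ" header plus filler bytes.
FAKE_PE = b"MZ" + b"\x90" * 62
STEGO_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PE)


def find_eoi_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI.

    Walking the segments (rather than searching for the last 0xFF 0xD9) matters:
    an appended binary payload may itself contain 0xFF 0xD9, which would make a
    naive rfind() report a shorter tail than is really there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip the entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker, not stuffing or RSTn
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Return every byte that follows the image's EOI marker (empty if none)."""
    return data[find_eoi_offset(data):]


def looks_like_base64_blob(blob: bytes, min_len: int = 64) -> bool:
    """True if the tail is a reasonably long run of base64 text that decodes."""
    text = blob.strip()
    if len(text) < min_len or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
        return False
    try:
        base64.b64decode(text)
        return True
    except ValueError:                           # binascii.Error subclasses ValueError
        return False


def scan_image(data: bytes) -> dict:
    """Summarise what, if anything, sits after the end of the JPEG."""
    tail = trailing_payload(data)
    verdict = {"trailing_bytes": len(tail), "base64_blob": False, "decoded_pe": False}
    if tail:
        verdict["base64_blob"] = looks_like_base64_blob(tail)
        if verdict["base64_blob"]:
            verdict["decoded_pe"] = base64.b64decode(tail.strip())[:2] == b"MZ"
    return verdict


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("appended payload", STEGO_JPEG)):
        print(name, scan_image(blob))
```

Any non-zero `trailing_bytes` on an image fetched by a script is worth an alert on its own, whatever the encoding turns out to be; the base64 and "MZ" checks only add confidence for the simplest carrier format. A payload hidden in the pixel data or in an APPn segment would not be caught by this tail check and needs a different detector.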

To read the complete article, see: Industrial Cyber


This post is licensed under CC BY 4.0 by the author.