A recent analysis from the Trellix Advanced Research Center (ARC) has unveiled a sophisticated and stealthy info-stealer known as 0bj3ctivityStealer, revealing a meticulously crafted malware campaign that employs phishing, custom PowerShell loaders, and steganography to evade detection and exfiltrate sensitive user data from a wide array of applications.
The infection begins with a deceptive phishing email bearing the subject “Quotation offer,” accompanied by a low-quality image masquerading as a purchase order. Victims are lured into clicking a “Download” link to access a higher-quality version hosted on MediaFire, which delivers a heavily obfuscated JavaScript file as the first-stage payload.

“The JavaScript script includes more than 3,000 lines of code, of which only 60 belong to the real code, which has been obfuscated to hide the real payload, a PowerShell script,” the report writes.
Once executed, the script uses PowerShell to download a seemingly innocuous JPG image from Archive.org. However, embedded within the image—using steganographic techniques—is the next payload: a .NET DLL loader.
“The script will read each pixel, extracting the RGB values… the buffer will contain the payload along with some junk data,” the report explains.
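The quoted extraction step (walk the pixels, concatenate their RGB values, then carve the payload out of a buffer that also contains junk) is the part an analyst has to replay when pulling the embedded loader out of the image. The following is an added example written for this page, not code from the report or the sample: it takes a constructed pixel array instead of a real JPG, rebuilds the RGB byte stream, and locates a Windows PE header (the `MZ` stub whose `e_lfanew` field at offset 0x3c points at `PE\0\0`) inside it. How the real sample delimits the payload is not described, so the carve simply returns everything from the header onward; the pixel data and the minimal PE stub are constructed for the demo.

```python
# Added example: carve a PE image out of an RGB byte stream (analyst-side).
# Pixel data, junk bytes and the PE stub below are constructed; nothing
# here is taken from the sample described in the report.

def rgb_to_buffer(pixels):
    """Concatenate the R, G, B values of each pixel into one byte buffer,
    mirroring the loader's 'read each pixel, extract the RGB values' step."""
    out = bytearray()
    for r, g, b in pixels:
        out.extend((r, g, b))
    return bytes(out)

def find_pe_candidates(buf):
    """Return offsets in buf where a plausible PE image starts.

    A candidate needs the 'MZ' DOS signature, a 4-byte little-endian
    e_lfanew at +0x3c that stays inside the buffer, and the 'PE\\0\\0'
    NT signature at that offset.  Stray 'MZ' pairs in junk data fail
    the second check and are ignored."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = int.from_bytes(buf[pos + 0x3C:pos + 0x40], "little")
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew and nt + 4 <= len(buf) and buf[nt:nt + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def carve_payload(buf, offset):
    """Slice from the PE header to the end of the buffer.  The sample's real
    delimiter is not documented, so trailing junk is left for the analyst
    to trim using the PE headers (assumption, not the report's method)."""
    return buf[offset:]

def _constructed_pe_stub():
    # 64-byte DOS header with MZ signature and e_lfanew = 0x40, followed by
    # the NT signature.  Just enough structure for the header check above.
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0"

def _constructed_junk(n, seed):
    # Deterministic filler; (i*37) % 251 never produces consecutive 0x4d 0x5a.
    return bytes(((i + seed) * 37) % 251 for i in range(n))

# Build the demo "image": 100 junk bytes, the PE stub, 50 more junk bytes.
_STREAM = _constructed_junk(100, 0) + _constructed_pe_stub() + _constructed_junk(50, 7)
_STREAM += b"\0" * (-len(_STREAM) % 3)            # pad to whole pixels
SAMPLE_PIXELS = [tuple(_STREAM[i:i + 3]) for i in range(0, len(_STREAM), 3)]

if __name__ == "__main__":
    buf = rgb_to_buffer(SAMPLE_PIXELS)
    for off in find_pe_candidates(buf):
        print(f"PE header at byte {off}, carved {len(carve_payload(buf, off))} bytes")
```

On a real image the pixel tuples would come from an image library after decoding the JPG; the header check is what separates the loader from the surrounding junk, and the same check is a cheap triage filter for any image fetched by a script rather than a browser.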
Despite not being heavily obfuscated, 0bj3ctivityStealer employs several techniques that hinder reverse engineering:
- Base64 string encoding with a simple subtraction cipher
- Randomized function and variable names
- Execution flow obfuscation using junk code and control flow flattening
- Sandbox evasion, detecting virtualized environments and debuggers
“If it detects it is running in such an environment, it will terminate its execution and self-delete,” the report states.
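The first item in that list, Base64 plus a byte-wise subtraction, is the kind of string protection an analyst undoes by hand before anything else, because the decoded strings (API hosts, file paths, wallet names) are the fastest route to indicators. The block below is an added example for this page, not code from the report or the stealer: it decodes a string for a known key and, since the report does not state the constant the sample uses, also shows the brute-force an analyst runs when the key is unknown, keeping every key that yields printable ASCII. The key value 7 and the sample string are assumptions made for the demo.

```python
# Added example: undo "Base64 + subtraction cipher" string obfuscation.
# The key (7) and the plaintext are constructed; the report does not give
# the sample's real constant.
import base64

def decode_string(encoded, key):
    """Base64-decode, then subtract `key` from every byte (mod 256)."""
    raw = base64.b64decode(encoded)
    return bytes((b - key) % 256 for b in raw)

def recover_candidates(encoded):
    """Try all 256 keys and return {key: text} for the ones whose output is
    entirely printable ASCII.  Several keys usually survive; the analyst
    picks the one that reads as a host name, path or registry key."""
    raw = base64.b64decode(encoded)
    found = {}
    for key in range(256):
        plain = bytes((b - key) % 256 for b in raw)
        if plain and all(0x20 <= b <= 0x7E for b in plain):
            found[key] = plain.decode("ascii")
    return found

def _constructed_sample(plain, key):
    # Only used to fabricate test input; mirrors the obfuscation so the
    # decoder above has something realistic to work on.
    shifted = bytes((b + key) % 256 for b in plain.encode("ascii"))
    return base64.b64encode(shifted).decode("ascii")

SAMPLE_KEY = 7
SAMPLE_ENCODED = _constructed_sample("api.telegram.org", SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_string(SAMPLE_ENCODED, SAMPLE_KEY).decode("ascii"))
    for key, text in sorted(recover_candidates(SAMPLE_ENCODED).items()):
        print(f"key {key:3d}: {text}")
```

Because a shift by a small constant keeps most bytes inside the printable range, `recover_candidates` will list neighbouring keys too; scoring candidates against a small wordlist of expected strings (hosts, `HKCU\`, `.exe`) is the usual next step.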
The stealer aggressively harvests a vast spectrum of data from:
- System Info: Device, OS, public IP, hardware specs, installed applications
- Browsers: Passwords, cookies, history, credit cards (Chromium and Gecko-based)
- Messaging Apps: Telegram, Signal, Discord, Element, Pidgin, and more
- Email Clients: Outlook, Windows Messaging, and Foxmail credentials
- Cryptocurrency Wallets: Both native apps and browser extensions like MetaMask, Phantom, and Binance
“The stealer simply gets the files, without trying to decrypt them,” the report notes, in reference to encrypted messaging applications.

A notable addition is clipboard surveillance—though not fully implemented yet—with potential for cryptocurrency wallet address tampering, a technique commonly seen in financially motivated malware.
Instead of dynamic C2 interaction, 0bj3ctivityStealer opts for unidirectional data exfiltration through Telegram bots.
“The communication is unidirectional… it executes every single feature indefinitely, sending the information to the command and control after each iteration.”
SMTP exfiltration is also supported but was inactive in the analyzed sample.
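One-way exfiltration to a Telegram bot is convenient for the operator but leaves a recognisable trace on the network: every upload is an HTTPS request to `api.telegram.org` with the bot token in the URL path (`/bot<id>:<secret>/sendDocument`, `/sendMessage`), repeated on a timer from a host that is not running the Telegram client. The following detection is an added example written for this page, not tooling from Trellix or the report: it parses constructed proxy-log lines (the line layout, addresses, tokens and user-agents are invented for the demo), flags Bot API uploads, and records the bot id while redacting the secret part of the token, so the finding can be shared without leaking the credential.

```python
# Added example: flag Telegram Bot API exfiltration in proxy logs.
# Log format, IPs, tokens and user-agents below are constructed for the demo.
import re
from collections import Counter

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Methods that move data out of the host; sendDocument carries file uploads.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

def parse_line(line):
    """Constructed layout: '<timestamp> <src_ip> <http_method> <url> <user_agent...>'."""
    parts = line.strip().split(None, 4)
    if len(parts) < 4:
        return None
    ts, src, http_method, url = parts[:4]
    ua = parts[4] if len(parts) == 5 else ""
    return {"ts": ts, "src": src, "http_method": http_method, "url": url, "ua": ua}

def detect_telegram_exfil(lines):
    """Return one finding per Bot API upload.  The token secret is redacted;
    the numeric bot id is kept because it is the pivot for hunting other
    hosts talking to the same bot."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "bot_id": m.group("bot_id"),
            "api_method": m.group("method"),
            "token": f"bot{m.group('bot_id')}:***",
            "scripted_client": "PowerShell" in rec["ua"],
        })
    return findings

def sources_by_bot(findings):
    """Count distinct upload events per (bot_id, src) pair; a bot id shared
    across several hosts points at one campaign rather than one infection."""
    return Counter((f["bot_id"], f["src"]) for f in findings)

SAMPLE_LOG_LINES = [
    "2025-01-15T10:02:11Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1",
    "2025-01-15T10:02:40Z 10.0.0.15 GET https://web.telegram.org/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "2025-01-15T10:03:05Z 10.0.0.22 POST https://api.telegram.org/bot987654321:AnotherExampleToken/sendMessage Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1",
    "2025-01-15T10:04:12Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1",
]

if __name__ == "__main__":
    hits = detect_telegram_exfil(SAMPLE_LOG_LINES)
    for h in hits:
        print(h["ts"], h["src"], h["token"], h["api_method"], "scripted" if h["scripted_client"] else "")
    print(sources_by_bot(hits))
```

The browser visit to `web.telegram.org` is deliberately left unflagged: the Bot API path, not the Telegram domain, is the signal, and the repeated `sendDocument` calls from one host match the report's description of the stealer looping through its features and uploading after each pass.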
Telemetry data points to a broad attack surface, with notable detections in the United States, Germany, and Montenegro. The campaign does not appear to be targeted, indicating opportunistic victim selection.
“Most of the detections are concentrated in Government institutions and Manufacturing companies.”
This raises alarms about the potential impact of data breaches in critical infrastructure sectors.