Stegano Exploit Kit (EK), also referred to as "Astrum," was discovered by ESET researchers in October 2016 targeting users in Canada, Britain, Australia, Italy, and Spain, countries likely chosen based on the advertising networks the perpetrators could abuse. In the latest campaign, the exploit kit spreads via malvertising, delivering malicious code hidden in the pixels of PNG images used for banner ads. The "Stegano" name comes from the word steganography, the technique of hiding content inside other content. The malicious code redirects users to an intermediary URL where the host server filters users. The server currently accepts connections only from Internet Explorer, as it exploits the CVE-2016-0162 vulnerability, which allows remote attackers to determine the existence of files via JavaScript code. The exploit enables the server to determine whether antivirus software is present, in which case it drops the connection. If the server determines the target is valuable, it redirects the user to the final stage of infection. The EK uses three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117) to attack the user's device and force the download and launch of various malware strains. The Stegano EK has delivered the Ursnif and Ramnit banking Trojans, but can easily be modified to deliver more damaging malware, such as ransomware. Earlier versions of the exploit kit were seen in 2014 targeting Dutch users and in 2015 targeting users in the Czech Republic.
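The profile says the kit's first stage is hidden in the pixels of PNG banner images. For a defender who wants to triage ad creatives, the useful question is what makes such an image distinguishable from a normal banner. The following is an added example, not code from ESET or from this profile. It assumes one plausible hiding place that the profile does not specify: payload bits packed into the low bits of the alpha channel of an image that is meant to render as opaque. It builds two constructed 16x16 PNGs with a minimal encoder, parses them back with a minimal chunk walker (CRCs verified, filter type 0 only), and applies a simple heuristic: a near-opaque banner whose alpha varies per pixel with coin-flip least-significant bits is flagged. The thresholds (alpha at or above 240, more than two distinct alpha values, LSB entropy above 0.9 bits) are constructed for illustration, not taken from any published analysis.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    # PNG chunk: length, type, data, CRC32 over type+data.
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width, height, rows):
    """Encode 8-bit RGBA scanlines (each 4*width bytes) as a minimal PNG,
    filter type 0 on every line. Constructed for this example only."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit, colour type 6 = RGBA
    raw = b"".join(b"\x00" + bytes(row) for row in rows)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png_rgba(data):
    """Walk the chunk list, verify every CRC, and return (width, height, rows).
    Supports only what build_png emits: 8-bit RGBA, non-interlaced, filter 0."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, interlace) != (8, 6, 0):
                raise ValueError("unsupported PNG layout")
        elif tag == b"IDAT":
            idat += body  # IDAT may be split across several chunks
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = 4 * width + 1  # one filter byte per scanline
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("only filter type 0 supported")
        rows.append(line[1:])
    return width, height, rows


def alpha_stats(rows):
    """Return (min_alpha, distinct_alpha_values, lsb_entropy_bits) for the alpha channel."""
    alphas = [row[i] for row in rows for i in range(3, len(row), 4)]
    n = len(alphas)
    counts = Counter(a & 1 for a in alphas)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return min(alphas), len(set(alphas)), entropy


def looks_like_alpha_stego(png_bytes):
    """Heuristic (constructed thresholds): a banner that renders as opaque should
    have a constant alpha. Near-opaque alpha that still varies per pixel, with
    roughly balanced least-significant bits, is what a low-bit payload looks like."""
    _, _, rows = parse_png_rgba(png_bytes)
    min_alpha, distinct, entropy = alpha_stats(rows)
    return min_alpha >= 240 and distinct > 2 and entropy > 0.9


W = H = 16


def _base_rows():
    # Constructed banner: a colour gradient, fully opaque (alpha 255 everywhere).
    return [bytes(b for x in range(W) for b in (x * 16, y * 16, 128, 255)) for y in range(H)]


def make_clean_banner():
    return build_png(W, H, _base_rows())


def make_stego_banner():
    """Constructed sample: 4 payload bits per pixel in the alpha low nibble, keeping
    alpha in 240..255 so the image is visually unchanged. The payload is a SHA-256
    chain, used only as deterministic pseudo-random filler."""
    payload, seed = b"", b"constructed-payload-seed"
    while len(payload) < W * H // 2:
        seed = hashlib.sha256(seed).digest()
        payload += seed
    nibbles = [(byte >> shift) & 0xF for byte in payload for shift in (4, 0)]
    rows = []
    for y, row in enumerate(_base_rows()):
        row = bytearray(row)
        for x in range(W):
            row[4 * x + 3] = 0xF0 | nibbles[y * W + x]
        rows.append(bytes(row))
    return build_png(W, H, rows)


if __name__ == "__main__":
    for name, png in (("clean", make_clean_banner()), ("stego", make_stego_banner())):
        print(name, alpha_stats(parse_png_rgba(png)[2]), "flagged:", looks_like_alpha_stego(png))
```

The heuristic is deliberately narrow: an image with a genuine soft-edged alpha gradient has many distinct alpha values but also a wide alpha range, so it is not flagged, while a banner that is opaque to the eye yet noisy in its low alpha bits is. In a real pipeline this check would sit beside the chunk-level checks the parser already performs (unexpected ancillary chunks, CRC mismatches) rather than replace them.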


  • December 2016: Stegano exploit kit spreads by hiding in pixels of malicious ads. (ESET)
  • May 2017: In March, Stegano began using a Microsoft information disclosure vulnerability, CVE-2017-0022, to determine if certain antivirus software was running on the affected machine. In April, it was updated again with an anti-replay feature designed to abuse the Diffie-Hellman key exchange, preventing security researchers from obtaining Stegano's secret key used to encrypt and decrypt its payloads. (Trend Micro)
  • June 2017: AdGholas group is using the Stegano EK in a malvertising campaign to infect users with the Mole ransomware, a variant of CryptFile2. (Proofpoint)

Technical Details

  • ESET's analysis (see the December 2016 entry above) provides technical details on the Stegano exploit kit.

One example of the Stegano Exploit Kit. Image Source: ESET