Using a technique known as steganography, the Zeus banking malware is hiding a crucial file inside a photo.

Zeus has been one of the most effective pieces of malware to steal banking info as it hijacks login details as a person accesses his account and masks secret transfers in the background.

Jerome Segura, a senior security researcher with Malwarebytes, wrote that this new variant, called ZeusVM, downloads a configuration file that contains the domains of banks that the malware is instructed to intervene in during a transaction. “The malware was retrieving a JPG image hosted on the same server as were other malware components,” Segura wrote.


The suspect image appears to be larger than it should when compared to an identical one in bitmap mode. When decrypted, the file shows the banks targets, including Deutsche Bank, Wells Fargo and Barclays.