North Korean Hackers Hide Malware in JPEGs to Evade Detection U.S. Enterprises, Take Note

The Silicon Review
06 August, 2025

North Korea’s APT37 is hiding malware in JPEGs to bypass security tools. U.S. firms and agencies must upgrade defenses to detect image-based and fileless attacks.

A disturbing new cyber technique linked to North Korea’s APT37 is putting U.S. companies and federal agencies on high alert. Security experts have uncovered a method in which hackers hide malware inside regular-looking JPEG images using a trick called steganography. It’s slick: these infected images slip right past antivirus scans and firewalls without raising any red flags. The attack starts with a simple-looking shortcut file (.lnk) that prompts a photo download. But instead of just an image, it quietly delivers encrypted malware that runs directly in memory. It even hides inside trusted apps like Paint or Notepad, leaving no files behind and no obvious trace. It’s a textbook example of a threat hiding in plain sight, and it’s alarmingly effective.

Right now, these attacks are mainly hitting South Korean targets, but the way they’re built makes them a perfect fit for U.S. networks too, especially in environments that use cloud services, allow BYOD (bring your own device), or still run on older systems. What makes this threat especially dangerous is that it uses trusted platforms like Dropbox and Yandex Disk for command and control. So even if you’ve got filters and firewalls in place, they’re likely to miss it. And since employees are constantly sharing images and shortcut files through cloud drives and email, this kind of attack can quietly sneak through and land right inside your critical systems without anyone noticing.

For U.S. enterprises, financial institutions, healthcare providers, defense contractors, and anyone else dealing with sensitive data, the message is simple: don’t assume a .jpg or .lnk file is safe. Steganography isn’t some fringe technique anymore; it’s real, and it’s effective. Security teams need to step up. That means using behavior-based EDR tools, watching for unusual app behavior, and training employees to think twice before opening even the most innocent-looking file. Because today’s threats don’t always look like malware. Sometimes, they look like a photo casually shared from the cloud.
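As an added, defender-side example (not from the article, nor from any vendor tool it mentions): a triage check that walks a JPEG’s marker segments and flags data appended after the End-of-Image marker. The article does not say how APT37 embeds its payload, so the assumption here is the common “payload appended past EOI” carrier; the sample JPEG and trailer bytes are constructed placeholders, and a high-entropy trailer is a cue to pull the file for deeper analysis, not proof of compromise.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def trailing_bytes_after_eoi(jpeg: bytes) -> bytes:
    """Walk marker segments to Start-of-Scan, then return every byte after
    the End-of-Image marker (FF D9). Raises ValueError on malformed input."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while jpeg[pos + 1] == 0xFF:  # skip optional fill bytes
            pos += 1
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
    # In scan data an FF byte is always followed by 00 or D0-D7, so the first
    # FF D9 after SOS is the EOI marker (baseline, single-scan JPEG assumed).
    eoi = jpeg.find(b"\xff\xd9", pos)
    if eoi == -1:
        raise ValueError("missing EOI marker")
    return jpeg[eoi + 2:]

def triage_jpeg(jpeg: bytes, min_bytes: int = 64, min_entropy: float = 7.0) -> dict:
    """Flag a JPEG whose post-EOI trailer is both large and high-entropy."""
    trailer = trailing_bytes_after_eoi(jpeg)
    ent = shannon_entropy(trailer)
    return {"trailing_bytes": len(trailer), "trailing_entropy": round(ent, 2),
            "suspicious": len(trailer) >= min_bytes and ent >= min_entropy}

# Constructed minimal JPEG: SOI, JFIF APP0, SOS header, a few scan bytes
# (including a stuffed FF 00), then EOI. Marker layout only, not a real picture.
CLEAN_JPEG = (b"\xff\xd8"
              b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              b"\x12\x34\xff\x00\x56\xff\xd9")
# Hypothetical stand-in for a smuggled blob: 512 bytes with uniform byte
# frequencies (entropy 8.0). Placeholder data, not a payload of any kind.
STEGO_JPEG = CLEAN_JPEG + bytes(range(256)) * 2
```

Run `triage_jpeg()` over image attachments pulled from mail or cloud-share logs; a clean file reports zero trailing bytes, while a flagged one deserves sandboxing alongside the .lnk that fetched it.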
