Cyber Attacks Against Middle East Governments Hide Malware in Windows logo
2022-09-30 11:52:00
An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
Broadcom’s Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410 umbrella.
Intrusions involving TA410 – which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – primarily feature a modular implant called LookBack.
Symantec’s latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of a new backdoor called Stegmap.
The new malware leverages steganography – a technique used to embed a message (in this case, malware) in a non-secret document – to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.
“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” the researchers said. “Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
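The article does not say how Stegmap's code is embedded in the logo bitmap, but a first triage check a defender can run on images fetched from trusted hosts is whether the BMP header's own accounting matches the file on disk: bytes past the declared pixel data, or a file length that disagrees with the header's size field, are a common sign of a payload appended to an otherwise valid image. This is an added example, not Symantec's or the article's code; `make_bmp` builds constructed sample files for the demonstration, and the check only covers appended data, not pixel-level (LSB) steganography.

```python
import struct

def make_bmp(width: int, height: int, overlay: bytes = b"") -> bytes:
    """Build a minimal 24-bit BMP (constructed sample), optionally with trailing bytes."""
    stride = (width * 3 + 3) & ~3              # rows are padded to 4-byte boundaries
    pixels = bytes(stride * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    offset = 14 + len(dib)
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return header + dib + pixels + overlay

def bmp_overlay_report(data: bytes) -> dict:
    """Compare what the BMP headers account for with the file's real length.

    Returns the bytes no header field claims: slack between the headers
    (plus palette, if any) and the pixel array, and overlay after the end of
    the pixel array. Assumes a BITMAPINFOHEADER-style (40-byte) DIB header.
    """
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _magic, bf_size, _r1, _r2, pix_offset = struct.unpack_from("<2sIHHI", data, 0)
    (dib_size, width, height, _planes, bpp, _comp, _img_size,
     _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    # Indexed images carry a palette of 4-byte entries right after the DIB header.
    palette = (clr_used or (1 << bpp if bpp <= 8 else 0)) * 4
    stride = ((abs(width) * bpp + 31) // 32) * 4
    declared_end = pix_offset + stride * abs(height)
    return {
        "declared_size": bf_size,
        "actual_size": len(data),
        "header_slack": pix_offset - (14 + dib_size + palette),
        "overlay": max(0, len(data) - declared_end),
        "suspicious": len(data) > declared_end or len(data) != bf_size,
    }

if __name__ == "__main__":
    clean = make_bmp(4, 2)
    tampered = make_bmp(4, 2, overlay=b"MZ" + b"A" * 100)   # constructed trailing blob
    for name, blob in (("clean", clean), ("tampered", tampered)):
        print(name, bmp_overlay_report(blob))
```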
Stegmap, like any other backdoor, has an extensive array of features that allow it to carry out file…
To read the original article from thehackernews.com, click here.