There have been reports of threat actors using a WAV file as a vector for malware. It is a proper .wav file, but they did not use steganography: the WAV plays as nothing but noise because the bytes that encode the audio samples have been replaced with the BASE64 representation of the payload. The BASE64-decoded payload is an XOR-encoded PE file, which allows a known-plaintext attack with the xor-kpa.py tool to locate the DOS header.
Once the XOR key was found, the decoded PE file could be dumped; the MZ header sits at position 0x08, with the part of the DOS header used as known plaintext a bit further down. Didier Stevens notes that his pecheck.py tool can extract and analyse the sample, which is linked on VirusTotal. The diary entry was published on 21 April 2026.
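The pipeline described above (WAV data chunk, BASE64 decode, known-plaintext XOR recovery, then locating the MZ and PE headers), written out as an added example. This is a simplified re-implementation for illustration, not the xor-kpa.py or pecheck.py tools and not code from the diary; the key, the 8 leading junk bytes and the minimal "PE" header are constructed here so the script runs offline, and the DOS stub string is the known plaintext a real analysis would use.

```python
import base64
import struct

# Known plaintext: the message every MZ/DOS stub carries right after the 64-byte DOS header.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric, so it both encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wav_data_chunk(wav: bytes) -> bytes:
    """Walk the RIFF chunk list and return the payload of the 'data' chunk."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(wav):
        cid, size = wav[pos:pos + 4], struct.unpack_from("<I", wav, pos + 4)[0]
        if cid == b"data":
            return wav[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    raise ValueError("no data chunk")


def recover_xor_key(ct: bytes, known: bytes, max_keylen: int = 32):
    """Known-plaintext attack on repeating-key XOR.

    Slide the known plaintext along the ciphertext. At the right offset,
    ct XOR known is the key stream, which repeats with the key's period.
    Returns (offset, key) or None. The known plaintext must be at least
    twice the key length so a period can be confirmed.
    """
    n = len(known)
    for off in range(len(ct) - n + 1):
        stream = bytes(c ^ p for c, p in zip(ct[off:off + n], known))
        for klen in range(1, min(max_keylen, n // 2) + 1):
            if all(stream[i] == stream[i % klen] for i in range(n)):
                # stream[i] == key[(off + i) % klen]; rotate so byte 0 is key[0]
                return off, bytes(stream[(j - off) % klen] for j in range(klen))
    return None


def carve_pe_from_wav(wav: bytes):
    """Audio samples -> BASE64 decode -> XOR decode -> locate DOS/PE headers."""
    blob = base64.b64decode(wav_data_chunk(wav))
    hit = recover_xor_key(blob, DOS_STUB_TEXT)
    if hit is None:
        raise ValueError("known plaintext not found under any short key")
    off, key = hit
    plain = xor_bytes(blob, key)
    mz = plain.rfind(b"MZ", 0, off)  # the MZ header precedes the stub text
    if mz < 0:
        raise ValueError("DOS header not found before stub text")
    e_lfanew = struct.unpack_from("<I", plain, mz + 0x3C)[0]
    if plain[mz + e_lfanew:mz + e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew does not point at a PE signature")
    return key, mz, plain[mz:]


# ---- constructed sample (assumption: not the real malware) ----------------

def build_fake_pe() -> bytes:
    """Minimal DOS header + stub + PE signature; header-parsable, not executable."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # 64-byte IMAGE_DOS_HEADER
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b"\r\r\n$")
    body = dos + stub
    body += b"\x00" * (e_lfanew - len(body))
    return body + b"PE\x00\x00" + b"\x00" * 20  # signature + zeroed COFF header


def build_wav(samples: bytes) -> bytes:
    """Wrap arbitrary bytes as the 'data' chunk of an 8 kHz 8-bit mono WAV."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    chunks = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
              + b"data" + struct.pack("<I", len(samples)) + samples
              + (b"\x00" if len(samples) & 1 else b""))
    return b"RIFF" + struct.pack("<I", len(chunks)) + chunks


KEY = bytes.fromhex("5a13c47e01992b6d")   # constructed 8-byte key (assumption)
JUNK = bytes.fromhex("1122334455667788")  # 8 leading bytes so MZ lands at 0x08


def demo():
    """Build the WAV, then recover key, MZ offset and the carved PE from it."""
    pe = build_fake_pe()
    wav = build_wav(base64.b64encode(xor_bytes(JUNK + pe, KEY)))
    key, mz, carved = carve_pe_from_wav(wav)
    return key, mz, carved == pe


if __name__ == "__main__":
    key, mz, ok = demo()
    print(f"key={key.hex()} MZ at 0x{mz:02x} carved PE matches: {ok}")
```

The period check is what makes the attack robust: at a wrong offset the XOR of ciphertext and known plaintext is not periodic, so only the true position of the stub string yields a key. On a real sample, replace `build_wav`/`build_fake_pe` with the file read from disk, and feed the carved bytes to pecheck.py (or any PE parser) to confirm the headers before going further.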