Tracking Threat Actors Using Images and Artifacts
ID: 52e039a0-b1a9-5623-bda9-bce52d13086c
STIX ID: report--52e039a0-b1a9-5623-bda9-bce52d13086c
Feed Name: VirusTotal Blog
This report demonstrates a methodology for hunting early-stage delivery artifacts by pivoting on embedded images and Office XML files (styles.xml and [Content_Types].xml) to identify related malicious documents and campaigns. Using VirusTotal, sandbox-dropped artifacts from PDFs, and automated image descriptions, the authors show multiple cases where image and XML reuse revealed samples and IOCs tied to actors such as APT28, Razor Tiger/SideWinder, Gamaredon, and FIN7, and provide hashes and examples to support retrohunting.
