HackUSU is a 24-hour hackathon hosted annually at Utah State University. The event spans multiple categories — including game development, AI/ML, and my personal favorite: cyber. This year, I teamed up with three fellow students to build a proof-of-concept command-and-control (C2) and remote-access tool (RAT) that combined steganography and encryption to hide malicious traffic in plain sight. Offensive projects very rarely claim the podium at hackathons, but our aim was to learn and experiment rather than compete for a win. Plus it was 4 full meals for a $15 registration fee, hard to say no to as a college student.
An Unexpected Boost
We arrived with only a loose concept in mind. During the keynote, the Cyber prompt turned out to be detecting and decoding malicious traffic hidden via steganography on social media platforms like Instagram. The moment we heard that challenge, we exchanged thrilled glances and got right to work.
I had some experience with image steganography, having written a simple tool a few weeks prior. Embedding plaintext into the least significant bits (LSBs) of a PNG is comparatively straightforward, especially in Go — it can be done in fewer than 200 lines of code using the right libraries. The real challenge lies in detection and extraction. With dozens of known LSB algorithms for PNG and JPEG, you’d have to hard-code an arsenal of techniques to cover them all. Otherwise, detecting hidden data is tough, and extraction is nearly impossible.
Building Blocks
Go was the logical choice for our 24-hour sprint. Its built-in file-handling libraries, flexibility, and familiarity (at least for me) fit our needs. We split the project into modules, handling PNG and JPEG steganography separately due to their stark differences.
Each module performed statistical analysis on raw binary data to hunt for anomalies, measuring entropy and bit distribution channel by channel. That approach worked well for PNG files. After successfully detecting anomalies with a decent confidence level, I wrote a brute-force LSB extraction algorithm. It permuted through every combination of color channels and bit lengths, then used pattern matching to see if plaintext existed for that permutation. Although this limited us to plaintext detection, it still worked on about 95% of the PNG samples we tested.
JPEG: The Real Challenge
JPEGs, however, are a whole different story. While PNGs store pixel data in straightforward maps of red, green, blue, and alpha channels, JPEGs use spatial transformations and compression methods to reduce file size without sacrificing much visual quality. Had we known in advance how tricky it would be to analyze that data, we might have saved ourselves about seven hours of struggle.
Initially, I tried applying the same LSB detection methods from our PNG module, but they generated so many false positives that the tool became nearly useless. I then experimented with analyzing discrete cosine transform (DCT) coefficients and quantization tables, comparing them to known-clean images. That approach produced a few valid detections, but the noisy nature of JPEG compression made consistent results elusive. By the time the sun rose, I had rewritten the JPEG analysis code at least half a dozen times — still with limited success.
Final Push & Takeaways
Looking back, a machine learning approach — comparing known-clean images to suspected steganographic variants — might have yielded better results. But with only two hours left in the hackathon, there was no time to pivot that drastically. Instead, we tightened up the parts of our code that did work and prepared a demo. We used an external library to scrape images from social media URLs, only to find that these platforms universally compress images into JPEGs, which didn’t play nice with our detection approach.
In spite of the difficulties, our team still placed third in the Cyber category, earning each of us a modest prize and a plaque. Although our final project was far from perfect, I was proud of how much we accomplished in just 24 hours — a testament to what a small group of cybersecurity and data science students can do when they dive headfirst into a challenging idea.
That’s me on the far right, I didn’t think I was that much shorter than the rest of the team..
Looking Ahead
Since the hackathon, I’ve spent some time polishing the codebase for my own closure. It’s not production-ready by any means, but I learned a ton about DevOps, statistical analysis, and, most importantly, the value of a good night’s sleep. If given the chance to do it all again, I would — if only for the thrill of tackling new problems with a passionate team.