As defensive mechanisms and static analysis tools become increasingly sophisticated, the evasion techniques employed to bypass them must evolve in tandem. One of the most fascinating intersections of encoding standards and execution flow is zero-width steganography. This post explores zerow, a proof-of-concept tool that perfectly demonstrates how invisible characters can be weaponized to facilitate fileless execution and bypass traditional code reviews.
The zerow repository is a client-side HTML/JS web utility designed to seamlessly encode executable payloads into zero-width Unicode characters.
The architecture of the tool is straightforward but highly effective. It consists of a web-based obfuscator that handles the encoding process and a lightweight Python decoder (stego_decoder.py) that acts as the binder or executor. The primary function of zerow is to take a raw payload, translate it into an invisible format, and inject it into a seemingly benign text string within a standard application. To the naked eye—and to most rendering engines—the carrier script appears completely normal.
To understand why this works, we have to look at the mechanics of Unicode. Zero-width characters, such as U+200B (zero-width space) and U+200C (zero-width non-joiner), are valid text characters intended for formatting and linguistic nuances. Crucially, they carry no visual footprint in standard text editors, IDEs, or web browsers.
Much like a high-frequency signal hidden beneath the noise floor of an experimental measurement, these characters exist within the underlying data stream but remain completely imperceptible to a human observer. By assigning binary states to these invisible characters (for example, treating U+200B as a '0' and U+200C as a '1'), an attacker can encode entire scripts into the invisible spaces between normal letters. A string that visibly reads as "Hello World" could mathematically contain thousands of hidden characters.
The primary advantage of zero-width steganography is its ability to subvert standard security protocols at multiple layers, making it a potent technique for advanced threat emulation.
Visual Evasion in Code Reviews: During a manual code review, the payload physically cannot be seen. Whether viewed in VS Code, PyCharm, or directly on a platform like GitHub, the source code appears innocent. The human element of security is entirely bypassed.
Subverting Static Analysis: Traditional Antivirus (AV) and static analysis tools rely heavily on signature matching and keyword detection. Security pipelines actively hunt for suspicious imports or function calls like os.system or subprocess. Because the malicious logic in a zerow payload exists solely as a sequence of encoded zero-width Unicode bytes, standard YARA rules targeting those ASCII keywords will silently fail.
Fileless In-Memory Execution: The ultimate goal of this technique is stealth execution. In a Python environment, the benign-looking carrier script imports the stego_decoder module. When the script runs, the decoder silently extracts the hidden binary stream, reconstructs the plaintext payload in memory, and passes it directly to Python's exec() function. Because no secondary executable or script is ever written to the disk, the attack footprint is minimal, often evading standard Endpoint Detection and Response (EDR) platforms.