[TIMESTAMP: 2026-05-11 13:11 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: INFO]

LLM Text-in-Text Steganography: Emerging Covert Channel Risks

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] LLMs enable sophisticated text-in-text steganography that creates a new covert channel for data exfiltration and command execution.
  • [02] Large Language Models capable of generating coherent long-form natural language text are the primary systems involved in this research.
  • [03] Defenders must incorporate behavioral analysis and statistical linguistic monitoring to detect anomalies in outgoing machine-generated communications.

Recent research highlights a significant advancement in covert communication techniques, demonstrating that Large Language Models (LLMs) are exceptionally proficient at hiding secret messages within seemingly innocuous text. According to Bruce Schneier, this capability for text-in-text steganography allows for the embedding of hidden data while maintaining the natural flow and semantic coherence of the cover text. This development has profound implications for how security teams monitor for data exfiltration and C2 activities.

Covert Channels via Natural Language

Traditional steganography often involves hiding data within image or audio files by manipulating least-significant bits. Text-in-text steganography, by contrast, has historically been difficult to achieve because natural language is highly sensitive to minor changes. LLMs overcome this limitation by drawing on their broad knowledge of linguistic patterns to embed information in the choice of synonyms, sentence structures, or punctuation patterns. The research indicates that these models can generate cover text that is indistinguishable from standard human or machine-generated content, even under rigorous statistical inspection.

For an APT, the ability to bypass traditional security controls such as EDR or SIEM by using natural language is a significant advantage. If a compromised host communicates with an external server using LLM-generated text, the traffic may appear to be a legitimate user interacting with a chatbot or a content management system. This effectively hides the TTP used for Lateral Movement or data theft within the noise of daily operations.

How to Detect LLM Steganography in Enterprise Traffic

Identifying these hidden messages requires a shift in defensive strategy. Traditional signature-based detection is ineffective because the cover text does not contain a known IoC. Instead, defenders must look for statistical anomalies. In practice this means monitoring for perplexity shifts: variations in how predictable the text is relative to a reference language model. When a secret message is embedded, the probability distribution of the generated tokens may shift slightly, even if the resulting text remains coherent to a human reader.

Organizations should also be concerned about LLM covert channel data exfiltration occurring via authorized AI tools. As more employees use LLMs for work, the volume of outbound generated text increases. A malicious insider or an external actor could use these tools to leak proprietary information by embedding it in professional emails or reports generated by the model.

Threat Analysis and Mitigation

While this research is currently academic, the history of cybersecurity shows that research-proven methods eventually find their way into the hands of sophisticated threat actors. The use of steganography could theoretically facilitate a Supply Chain Attack where updates or documentation contain hidden instructions for a dormant piece of malware. Furthermore, if an attacker gains Privilege Escalation on a network, they could use LLM-based channels to transmit stolen credentials without triggering volume-based DLP (Data Loss Prevention) alerts.

To mitigate these risks, SOC teams should consider the following actions:

  • Entropy Analysis: Implement tools that analyze the entropy and token distribution of outbound text, especially when that text originates from automated systems.
  • Zero Trust Architecture: Apply Zero Trust principles to all AI-generated content, treating it with the same level of scrutiny as encrypted traffic.
  • Output Filtering: Use secondary, independent LLMs to paraphrase or ‘wash’ outbound text, which can disrupt the hidden encoding without destroying the original meaning of the message.
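The perplexity monitoring described in the detection section and the entropy/token-distribution analysis in the first mitigation above share one scoring loop; the following is an added illustration of that loop, not code from the research or from Runtime Rebel. It uses a smoothed word-bigram model trained on a constructed baseline corpus as a stand-in for a real reference language model, and flags outbound messages whose perplexity sits far above the baseline distribution. A toy bigram model only catches gross vocabulary shifts like the synonym-substituted message below; the subtle token-level shifts the article describes need a stronger reference model plugged into the same `surprisal`/`perplexity` scoring.

```python
import math
import statistics
from collections import Counter

# Constructed corpus standing in for an organisation's normal outbound text
# (hypothetical sample, not real traffic).
BASELINE = [
    "please find the attached report for this quarter",
    "thanks for the update we will review the report today",
    "the meeting is scheduled for monday please confirm",
    "attached is the updated budget for your review",
    "please review the attached report and confirm",
    "we will send the report after the meeting",
]

def _tokens(text):
    return ["<s>"] + text.lower().split() + ["</s>"]

class BigramBaseline:
    """Add-alpha smoothed word-bigram model: a stand-in for the reference
    language model against which outbound text is scored."""
    def __init__(self, corpus, alpha=0.5):
        self.alpha = alpha
        self.bigram, self.context, vocab = Counter(), Counter(), set()
        for line in corpus:
            toks = _tokens(line)
            vocab.update(toks)
            for prev, cur in zip(toks, toks[1:]):
                self.bigram[(prev, cur)] += 1
                self.context[prev] += 1
        self.vocab_size = len(vocab) + 1  # +1 reserves mass for unseen words
        ppls = [self.perplexity(line) for line in corpus]
        self.mean, self.std = statistics.mean(ppls), statistics.pstdev(ppls)

    def surprisal(self, prev, cur):
        """Bits of surprise for seeing `cur` after `prev`."""
        p = (self.bigram[(prev, cur)] + self.alpha) / (
            self.context[prev] + self.alpha * self.vocab_size)
        return -math.log2(p)

    def perplexity(self, text):
        toks = _tokens(text)
        bits = [self.surprisal(p, c) for p, c in zip(toks, toks[1:])]
        return 2 ** (sum(bits) / len(bits))

    def score(self, text, z_threshold=3.0):
        """Flag text whose perplexity is far above the baseline distribution."""
        ppl = self.perplexity(text)
        z = (ppl - self.mean) / self.std if self.std else 0.0
        return {"perplexity": round(ppl, 2), "z": round(z, 2), "flag": z > z_threshold}

if __name__ == "__main__":
    model = BigramBaseline(BASELINE)
    print(model.score("please find the attached report for your review"))
    print(model.score("kindly locate the appended dossier regarding the present quarter"))
```

Per-token `surprisal` values are what an analyst would inspect when triaging a flagged message, since they show which word choices drove the deviation.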

As the barrier to entry for generating high-quality natural language continues to drop, the potential for covert communication will only grow. Security professionals must remain vigilant as these techniques move from the laboratory to real-world exploitation.
