Can a JPG File Contain Malware? Uncovering the “Fake Image” Backdoor

Published on 1/4/2026
MD Pabel

If you are auditing your website’s file manager and stumble upon an image file (like .jpg or .png) that contains strange code instead of a picture, you are likely looking at a hidden backdoor.

Many website owners ask: “Can an image file contain a virus?” or “Why is there code inside my jpg file?”

The short answer is: Yes, hackers hide malicious PHP code inside files named as images to evade detection.

In this guide, we will break down exactly how this malware works, how it executes on your server, and how to clean it up.

What is “Malware in an Image” (Steganography vs. Obfuscation)?

There are two ways hackers use images. One is complex (steganography), where code is hidden inside the pixels of a real image. However, the most common type—and the one often found in compromised WordPress uploads directories—is much simpler and more dangerous.

In this case, the file is not an image at all. It is a text file containing a malicious PHP script, but it has been renamed with a .jpg extension to fool you.

The Evidence

If you look at a suspicious file like toggige-arrow.jpg in a code editor, you will see two red flags:

  1. The File Content: Real images look like random binary noise when opened in a text editor. If you see clear text starting with a hash (e.g., a63a659...|{...), that is a signature of a known PHP Web Shell backdoor.
  2. The Context: If the file is sitting next to an .htaccess file in an uploads folder, this is a major warning sign.


How Does an Image File Execute as Code?

You might be wondering: “If I visit a .jpg file in my browser, doesn’t it just show a picture? How does it hack my site?”

Under normal circumstances, a web server (like Apache) sees .jpg and serves it as a picture. It does not try to “run” the code inside. To get the malware to execute, hackers use a trick involving the .htaccess file.

The .htaccess Trick

The .htaccess file is a powerful configuration file for web servers. Hackers inject a few lines of code into it that tell the server:

“Treat all files ending in .jpg as PHP files.”

The directive usually looks like this:

AddType application/x-httpd-php .jpg

Once this rule is active, when someone visits yoursite.com/toggige-arrow.jpg, the server doesn’t show an image. Instead, it runs the obfuscated PHP code inside the file. This gives the hacker full control over your website: they can send spam, steal data, or delete files.

The “Include” Method

Alternatively, if they cannot modify .htaccess, they might use a compromised legitimate PHP file on your site to “include” the image:

include('toggige-arrow.jpg');

PHP’s include() treats whatever file it is handed as PHP source, so the server runs the code inside the image file regardless of its extension.
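Both execution paths described above leave a trace that can be checked mechanically: a handler directive in .htaccess, or an include/require of a non-PHP file. The following Python script is an added example, not code from this article or from any WordPress tool. It audits an .htaccess body for AddType, AddHandler, SetHandler and ForceType lines whose value routes files to PHP (mod_php media types, cPanel’s x-httpd-ea-php variants, php-script CGI handlers and PHP-FPM proxy handlers), and scans PHP source for include/require statements whose literal target does not end in a PHP extension. The .htaccess and PHP samples embedded at the bottom are constructed for the demonstration; toggige-arrow.jpg is the file name the article uses.

```python
import re
from pathlib import PurePath

# Extensions Apache normally serves as static content. Mapping one of these to PHP is the
# trick the article describes. In an uploads directory no PHP handler is legitimate at all,
# so every PHP mapping is reported and "maps_static_file" marks the clearest cases.
STATIC_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp", ".svg", ".txt"}
PHP_EXTENSIONS = {".php", ".phtml", ".inc", ".php5", ".php7", ".php8"}

# AddType/AddHandler take a value plus a list of extensions; SetHandler/ForceType take only
# a value and apply to the enclosing <Files>/<FilesMatch> block (empty extension list).
HANDLER_DIRECTIVE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|ForceType)\s+(\S+)\s*(.*?)\s*$", re.IGNORECASE)
# Handler/type values that hand a request to the PHP interpreter.
PHP_HANDLER_VALUE = re.compile(
    r"x-httpd-(?:ea-)?php|php\d*-script|php-fpm|proxy:(?:unix|fcgi)", re.IGNORECASE)
# include/require with a literal string argument, with or without parentheses.
INCLUDE_CALL = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def audit_htaccess(text):
    """Return one finding per directive that maps files to the PHP interpreter."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = HANDLER_DIRECTIVE.match(line)
        if not m or not PHP_HANDLER_VALUE.search(m.group(2)):
            continue
        directive, value, rest = m.group(1), m.group(2), m.group(3)
        extensions = []
        if directive.lower() in ("addtype", "addhandler"):
            # Apache accepts extensions with or without the leading dot; normalise them.
            extensions = [e.lower() if e.startswith(".") else "." + e.lower()
                          for e in rest.split()]
        findings.append({
            "line": line_no,
            "directive": directive,
            "value": value,
            "extensions": extensions,
            "maps_static_file": any(e in STATIC_EXTENSIONS for e in extensions),
        })
    return findings


def find_suspicious_includes(php_source):
    """Return (line_no, target) for include/require calls whose target is not a PHP file."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for m in INCLUDE_CALL.finditer(line):
            target = m.group(1)
            if PurePath(target).suffix.lower() not in PHP_EXTENSIONS:
                hits.append((line_no, target))
    return hits


# Constructed samples for the demonstration (not taken from a real site).
SAMPLE_HTACCESS = """\
# uploads/.htaccess (constructed sample)
RewriteEngine On
AddType application/x-httpd-php .jpg
<FilesMatch "\\.png$">
SetHandler application/x-httpd-php
</FilesMatch>
AddType image/webp webp
"""

SAMPLE_PHP = """\
<?php
require_once __DIR__ . '/wp-load.php';
include('toggige-arrow.jpg');
include_once "wp-content/uploads/2024/social-icon.png";
require 'includes/helpers.php';
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"htaccess line {f['line']}: {f['directive']} {f['value']} {f['extensions']}")
    for line_no, target in find_suspicious_includes(SAMPLE_PHP):
        print(f"php line {line_no}: includes non-PHP file {target}")
```

On a live site, feed audit_htaccess() every .htaccess found under wp-content/uploads (and the site root), and run find_suspicious_includes() over the theme and plugin .php files. A SetHandler hit reports no extensions because the extension lives in the surrounding FilesMatch line, so look one line up from the reported line number.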

Analyzing the Code Payload

The text often seen in these files is obfuscated PHP.

  • The Hash: The long string of numbers and letters at the start often acts as a password. The malware checks if the person accessing the file has the correct “key” (cookie or user agent). If they do, it unlocks the backdoor.
  • The Garbage Text: The massive block of random text is usually Base64 encoded code. When the malware runs, it “decodes” this text into real PHP commands.
  • The Function: This allows the hacker to upload new files, edit your index.php, or inject redirection scripts that send your visitors to scam sites.


How to Detect and Remove Image Malware

If you suspect you have this infection, follow these steps immediately.

1. Check your .htaccess file

Open the .htaccess file located in the same folder as the suspicious image (or in your root public_html folder). Look for lines mentioning .jpg, .png, or AddType.

Action: Delete any lines that force image files to be handled as PHP.

2. Check the File Type

In your cPanel File Manager, try to “View” or “Edit” the image.

  • If it shows a picture: It might be a real image (though still potentially compromised via Exif data).
  • If it shows text/code: It is malware. Delete it immediately.

3. Scan for “Backdoors”

Hackers rarely leave just one file. Search your server for other recently modified files. Common names for these fake images often look like auto-generated nonsense or attempt to blend in:

  • logo_new.jpg
  • social-icon.png
  • favico.ico (containing code)

4. Update Everything

These hacks usually enter through outdated WordPress plugins or weak passwords. Ensure all plugins and themes are updated to their latest versions.
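Steps 2 and 3 above, and the payload structure described under “Analyzing the Code Payload”, come down to one check: judge a file by its bytes, not its name. The following Python script is an added example, not code from this article or from any security product. It compares a file’s leading bytes against the well-known image signatures for its extension, looks for a PHP open tag, for the “hash|{” prefix the article describes, for decoding/execution calls such as eval() and base64_decode(), and for a long base64 run, then returns a verdict with reasons. The sample files at the bottom are constructed (including the short Exif-style sample whose base64 string decodes to the word “constructed”); the file names are those mentioned in the article.

```python
import base64
import os
import re
from pathlib import PurePath

# Leading bytes genuine image files start with (well-known file signatures).
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
    ".webp": (b"RIFF",),
}

PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# The "hash|{" start the article describes: a long hex key, a pipe, then a brace.
KEY_PREFIX = re.compile(rb"^[0-9a-f]{16,}\|\{", re.IGNORECASE)
# PHP functions that decode or execute a hidden payload.
PAYLOAD_CALLS = re.compile(
    rb"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|system|passthru|shell_exec)\s*\(",
    re.IGNORECASE)
# A long run of base64 characters is the "garbage text" block.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def triage(name, data):
    """Classify one file by its content, not its extension.

    Returns {"name", "verdict", "reasons"} with verdict "clean", "suspicious" (header does
    not match the extension, or a base64 blob) or "malicious" (PHP tag, key prefix or
    payload calls found). The whole content is scanned so PHP hidden deeper in a real
    image (e.g. in Exif metadata) is seen even when the header is genuine."""
    ext = PurePath(name).suffix.lower()
    reasons = []
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is not None and not any(data.startswith(s) for s in signatures):
        reasons.append("header does not match extension")
    executable = False
    if PHP_OPEN_TAG.search(data):
        reasons.append("contains PHP open tag")
        executable = True
    if KEY_PREFIX.match(data):
        reasons.append("starts with key|{ web-shell prefix")
        executable = True
    calls = sorted({m.group(1).decode().lower() for m in PAYLOAD_CALLS.finditer(data)})
    if calls:
        reasons.append("calls " + ", ".join(calls))
        executable = True
    blob = BASE64_BLOB.search(data)
    if blob:
        reasons.append(f"{len(blob.group())}-byte base64 blob")
    verdict = "malicious" if executable else ("suspicious" if reasons else "clean")
    return {"name": name, "verdict": verdict, "reasons": reasons}


def scan_tree(root, max_bytes=4 * 1024 * 1024):
    """Triage every image-named file under root; yields only non-clean results."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if PurePath(fn).suffix.lower() in IMAGE_SIGNATURES:
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    result = triage(path, fh.read(max_bytes))
                if result["verdict"] != "clean":
                    yield result


# Constructed samples (not real files from a compromised site).
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 64
BLOB = base64.b64encode(b"constructed filler " * 16)
FAKE_JPG = b"0123456789abcdef" * 2 + b"|{" + b'"p":"' + BLOB + b'"}'
EXIF_JPG = (b"\xff\xd8\xff\xe1\x00\x30Exif\x00\x00"
            + b'<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>')

if __name__ == "__main__":
    for name, data in [("photo.jpg", REAL_JPG), ("toggige-arrow.jpg", FAKE_JPG),
                       ("logo_new.jpg", EXIF_JPG), ("social-icon.png", b"This is not an image")]:
        r = triage(name, data)
        print(f"{r['name']}: {r['verdict']} ({'; '.join(r['reasons']) or 'no findings'})")
```

Run scan_tree("wp-content/uploads") on the server and review everything it yields before deleting; a “suspicious” verdict with only a header mismatch can be a mislabeled but harmless file, while any “malicious” verdict is a file that would run as PHP if the .htaccess or include tricks above are in place.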

Conclusion

Finding a file with code inside is a clear indicator that your site security has been breached. The hacker is using a “fake extension” attack combined with server configuration changes to hide their tracks.

By understanding that file extensions are just labels and not guarantees of file type, you can better spot these malicious files and keep your website clean.


About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.