The first ZeusVM sample i've seen using steganography was the 21 November 2013.
The IP of the C&C have Russian origin: 220.127.116.11
A Sutra TDS who redirect on Nuclear Exploit pack was pushing the payload, Roman of abuse.ch blacklisted 18.104.22.168 one month later on his Zeus tracker.
The first guy who publicly wrote about ZeusVM change is probably Jerome Segura of Malwarebytes.
Actually the latest version i've saw in the wild is 22.214.171.124, and if you want a hash: e4c31d18b92ad6e19cb67be2e38c3bd1 (sample is fresh of today)
Let's have a look on the first server that i've see now... 126.96.36.199.
Pony, Multilocker, Mailers, Grum and an older version of ZeusVM (without steganography) was also hosted on this server but that not the topic.
The filename of login scripts and ZeusVM configs were hardnamed in russian, like:
vhodtolkodlyaelfov.php (only elves can enter)
logovoelfov.php (elf's den)
domawniypitomec.php (domestic animal)
larecotkryt.php (the chest is open)
And so on.. overall the panel design seem back to the original zeus style (not like the previous 'generation' of ZeusVM with casper)
Now, for decoding those ZeusVM images, as described by Jerome, you just need to strip the image and do the following: Base64+RC4+VisualDecrypt+UCL Decompress
Here are some 'malicious' image from 188.8.131.52:
Some configs was done for tests:
And some wasn't for test, targeting banks with MiTB.
Malicious code injection, on a ZeusVM botnet targeting France:
Nowadays more actors start to use ZeusVM, like the group who was using the 'private' version of Citadel 184.108.40.206 and the group who was targeting Japan.
Both switched on ZeusVM as alternative of Citadel.
You can find the samples related to 220.127.116.11 with config and decoded here:
Some other ZeusVM samples (not related to 18.104.22.168):