A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exifreaddata and preg_replace PHP functions to read the headers and execute itself.
Now, that's clever. Similar to hiding malware on the metadata of PDF documents.