Stealthy Malware Campaign with Advanced Obfuscation
Threat hunters have disclosed details of a new, stealthy malware campaign dubbed DEAD#VAX that employs sophisticated tradecraft and clever abuse of legitimate system features to bypass traditional detection mechanisms and deploy AsyncRAT (a remote access trojan).
The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes—never dropping a decrypted binary to disk.
AsyncRAT Capabilities
AsyncRAT is an open-source malware that provides attackers with extensive control over compromised endpoints, enabling:
- Keylogging and screen capture
- Webcam monitoring
- Clipboard monitoring
- File system access
- Remote command execution
- Persistence across reboots
- Surveillance and data collection
Attack Chain Details
The infection sequence begins with a phishing email delivering a Virtual Hard Disk (VHD) hosted on the decentralized InterPlanetary Filesystem (IPFS) network. The VHD files are disguised as PDF files for purchase orders to deceive targets.
The multi-stage campaign leverages:
- Windows Script Files (WSF) for initial execution
- Heavily obfuscated batch scripts for intermediate payloads
- Self-parsing PowerShell loaders to deliver encrypted shellcode
- In-memory execution to avoid forensic artifacts
When users open the PDF-looking file, it mounts as a virtual hard drive, triggering the infection chain.
Detection Challenges
The campaign's effectiveness lies in its minimal disk footprint and use of trusted Windows processes for shellcode injection. This approach significantly reduces the likelihood of traditional endpoint detection and response (EDR) systems identifying the threat.
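Because the decrypted payload never reaches disk, file-based detection has little to work with, but the process chain described above (script host opening a .wsf from the mounted VHD, a batch stage, then a PowerShell loader) is still visible in process-creation telemetry. The following is an added example, not code from the article or from the researchers who disclosed the campaign: a small correlator over constructed Sysmon-style process-creation records that flags the script-host -> cmd.exe (.bat) -> powershell.exe ancestry and notes whether the .wsf lived on a VHD-backed volume. The field names, the sample records, the file names and the `VHD_VOLUMES` set are all assumptions made for illustration.

```python
import json
import re

# Script hosts that execute .wsf files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches a drive-letter path ending in .wsf inside a command line.
WSF_RE = re.compile(r"([A-Za-z]):\\[^\s\"]*\.wsf\b", re.IGNORECASE)

# Constructed sample telemetry (not real logs): one Sysmon-style process
# creation record per line, reduced to the fields this detector needs.
# The first chain mirrors the article's description; the second is a
# benign build script used to show the detector does not fire on it.
SAMPLE_EVENTS = r"""
{"pid": 4100, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 4112, "ppid": 4100, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe E:\\PurchaseOrder.wsf"}
{"pid": 4120, "ppid": 4112, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c E:\\stage2.bat"}
{"pid": 4133, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -File E:\\loader.ps1"}
{"pid": 5000, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c build.bat"}
{"pid": 5001, "ppid": 5000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File publish.ps1"}
"""

# Drive letters currently backed by a mounted VHD. In production this would
# come from a separate mount-event source (an assumption for this example);
# here it is a constructed value matching the sample records above.
VHD_VOLUMES = {"E"}


def parse_events(text):
    """Parse one JSON record per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_wsf_bat_ps_chains(events, vhd_volumes):
    """Return one hit per powershell.exe whose ancestry is
    script host running a .wsf -> cmd.exe running a .bat -> powershell.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ps in events:
        if image_name(ps["image"]) != "powershell.exe":
            continue
        cmd = by_pid.get(ps["ppid"])
        if cmd is None or image_name(cmd["image"]) != "cmd.exe":
            continue
        if ".bat" not in cmd["cmdline"].lower():
            continue
        host = by_pid.get(cmd["ppid"])
        if host is None or image_name(host["image"]) not in SCRIPT_HOSTS:
            continue
        match = WSF_RE.search(host["cmdline"])
        if match is None:
            continue
        volume = match.group(1).upper()
        hits.append({
            "chain": [host["pid"], cmd["pid"], ps["pid"]],
            "wsf_volume": volume,
            "from_vhd": volume in vhd_volumes,
        })
    return hits


def detect(text=SAMPLE_EVENTS, vhd_volumes=VHD_VOLUMES):
    """Run the correlator over newline-delimited JSON process events."""
    return find_wsf_bat_ps_chains(parse_events(text), vhd_volumes)


if __name__ == "__main__":
    for hit in detect():
        print(hit)
```

On real telemetry, correlate on a stable process identifier such as Sysmon's ProcessGuid rather than the numeric pid, which is reused after a process exits. The chain match is a strong signal on its own; the VHD-volume check only adds confidence, so a chain whose .wsf sits on a local disk should still be reviewed. Nothing here sees the in-memory injection stage itself; that needs memory scanning or API-level telemetry, which is exactly why the process-creation ancestry is worth alerting on.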
TL;DR
- DEAD#VAX campaign uses IPFS-hosted VHD phishing files to deploy AsyncRAT
- Attack employs extreme obfuscation and in-memory execution to evade detection
- AsyncRAT provides extensive remote access capabilities and persistence
- Infection chain uses legitimate Windows features and trusted processes
- No decrypted payloads written to disk, minimizing forensic evidence