A sophisticated malware campaign called DEAD#VAX uses IPFS-hosted VHD files disguised as PDFs to deliver AsyncRAT through memory-resident execution, bypassing traditional security controls with advanced evasion techniques.
Threat hunters have uncovered a sophisticated malware campaign dubbed DEAD#VAX that employs advanced evasion techniques to deploy AsyncRAT, a powerful remote access trojan, through an innovative attack chain that bypasses traditional security controls.
The Attack Vector: IPFS-Hosted VHD Files
The infection begins with a phishing email containing a Virtual Hard Disk (VHD) file hosted on the decentralized InterPlanetary Filesystem (IPFS) network. These VHD files are cleverly disguised as PDF documents for purchase orders, designed to deceive unsuspecting targets.
"Using a VHD file is a highly specific and effective evasion technique used in modern malware campaigns. This behavior shows how VHD files bypass certain security controls," the researchers explained.
When victims double-click what appears to be a PDF file, the VHD mounts as a virtual hard drive, presenting a Windows Script File (WSF) that initiates the infection sequence.
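The weak point a mail gateway can exploit is that a disk image cannot pretend to be a PDF at the byte level: a PDF starts with the `%PDF-` signature, while a VHD carries a 512-byte footer beginning with the cookie `conectix` (mirrored at offset 0 in dynamic and differencing images) and a VHDX starts with `vhdxfile`. The following attachment-screening helper is an added example written for this article, not code from the original report or from any vendor; the sample PDF and VHD bytes are constructed inline, and the double-extension rule assumes the lure name takes a form like `PurchaseOrder.pdf.vhd`, which the article describes only as "disguised as PDF documents".

```python
"""Attachment screening: does the content match the claimed file type?

Added example, not from the original article. The checks rely only on public
format signatures: "%PDF-" for PDF, the "conectix" footer cookie for VHD
(also at offset 0 in dynamic/differencing VHDs), and "vhdxfile" for VHDX.
"""
from __future__ import annotations

PDF_MAGIC = b"%PDF-"
VHD_COOKIE = b"conectix"
VHDX_MAGIC = b"vhdxfile"
VHD_FOOTER_SIZE = 512


def classify(data: bytes) -> str:
    """Identify the real container type from the bytes, ignoring the file name."""
    if data[:8] == VHDX_MAGIC:
        return "vhdx"
    if len(data) >= VHD_FOOTER_SIZE and (
        data[-VHD_FOOTER_SIZE:].startswith(VHD_COOKIE) or data.startswith(VHD_COOKIE)
    ):
        return "vhd"
    # PDF readers tolerate some leading junk, so search the first 1 KiB.
    if PDF_MAGIC in data[:1024]:
        return "pdf"
    return "unknown"


def screen_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: block when the content is a mountable disk
    image or contradicts the extension the name claims."""
    lowered = filename.lower()
    claimed = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    actual = classify(data)
    reasons = []
    if actual in ("vhd", "vhdx"):
        reasons.append(f"mountable disk image attachment ({actual})")
    if claimed == "pdf" and actual != "pdf":
        reasons.append(f"named .pdf but content is {actual}")
    if ".pdf." in lowered:
        reasons.append("double extension hides the real type")
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "block": bool(reasons), "reasons": reasons}


# Constructed sample inputs (not real malware): a minimal PDF and a fake
# fixed-size VHD made of zeros with a "conectix" footer.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_VHD = b"\x00" * 4096 + VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - len(VHD_COOKIE))

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_PDF),
                       ("PurchaseOrder.pdf.vhd", SAMPLE_VHD),
                       ("PurchaseOrder.pdf", SAMPLE_VHD)]:
        print(screen_attachment(name, blob))
```

Content inspection matters because Windows Explorer hides known extensions by default, so a name ending in `.pdf.vhd` displays as `.pdf` and the name-based check alone is easy to defeat. Where there is no business need for disk images in mail, the simplest policy is to quarantine anything `classify` reports as `vhd` or `vhdx` regardless of name.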
Multi-Stage Infection Chain
The campaign employs a complex, multi-stage approach:
- Environment Detection: The initial batch script performs checks to ensure it's not running in a virtualized or sandboxed environment and verifies necessary privileges
- Obfuscation: Heavy script obfuscation and runtime decryption techniques are used throughout the chain
- PowerShell Loader: A self-parsing PowerShell component decrypts embedded payloads
- Memory Injection: The final AsyncRAT shellcode is injected directly into trusted Windows processes without writing to disk
Advanced Evasion Techniques
The DEAD#VAX campaign demonstrates several sophisticated techniques to avoid detection:
- Fileless Execution: AsyncRAT runs entirely in memory, never appearing as a recognizable executable on disk
- Process Injection: The malware injects into Microsoft-signed Windows processes like RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe
- Timing Controls: Sleep intervals throttle execution to reduce CPU usage and avoid suspicious rapid Win32 API activity
- Persistence: Scheduled tasks ensure the malware survives system reboots
"Rather than delivering a single malicious binary, attackers now construct multi-stage execution pipelines in which each individual component appears benign when analyzed in isolation," the researchers noted.
AsyncRAT Capabilities
Once deployed, AsyncRAT provides attackers with extensive control over compromised endpoints, including:
- Keylogging and clipboard monitoring
- Screen and webcam capture
- File system access
- Remote command execution
- Persistence mechanisms
Security Implications
The DEAD#VAX campaign represents a significant evolution in malware tactics, demonstrating how attackers are increasingly leveraging:
- Trusted file formats for initial delivery
- Script abuse for execution
- Memory-resident techniques to avoid disk-based detection
- Multi-stage pipelines that complicate analysis
"This shift has made detection, analysis, and incident response significantly more challenging for defenders," the researchers warned.
Protection Recommendations
Organizations should consider implementing the following defensive measures:
- Email Security: Enhanced phishing detection for VHD and WSF file attachments
- Process Monitoring: Behavioral detection for suspicious process injection patterns
- Memory Analysis: Tools capable of detecting in-memory threats and shellcode execution
- Script Control: Policies limiting PowerShell and script execution in sensitive environments
- Network Monitoring: Detection of anomalous outbound connections from trusted processes
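The process-monitoring and script-control recommendations above become concrete when the stages of the chain described earlier (a script host running the WSF, a batch script handing off to PowerShell, a remote thread into a trusted process, a scheduled task for persistence) are correlated on one host rather than judged one event at a time, which is exactly the isolation the researchers say each component relies on. The following correlation logic is an added example written for this article, not the researchers' or any vendor's detection content. It runs over constructed Sysmon-style events (EventID 1 process creation, EventID 8 CreateRemoteThread); the field names mirror Sysmon, while the host names, PIDs, paths, times and command lines are made up.

```python
"""Behavioural correlation over process telemetry for a multi-stage chain.

Added example, not from the original article or any vendor product. Field
names mirror Sysmon (Image, ParentImage, CommandLine, SourceImage,
TargetImage); every event below is constructed.
"""
from __future__ import annotations
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Microsoft-signed processes named in the report as injection targets.
TRUSTED_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_process_tree(events: list[dict]) -> dict:
    """host -> pid -> {ppid, image}, from process-creation events."""
    tree: dict = defaultdict(dict)
    for e in events:
        if e["EventID"] == 1:
            tree[e["Computer"]][e["ProcessId"]] = {
                "ppid": e["ParentProcessId"], "image": basename(e["Image"])}
    return tree


def ancestor_images(host: str, pid: int, tree: dict) -> list[str]:
    """Image names of the ancestors of `pid`, nearest first, following PPID links."""
    out, seen, procs = [], set(), tree.get(host, {})
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid = procs[pid]["ppid"]
        if ppid not in procs:
            break
        out.append(procs[ppid]["image"])
        pid = ppid
    return out


def stage_of(ev: dict, tree: dict) -> str | None:
    """Map one event to the chain stage it resembles, or None if it looks ordinary."""
    if ev["EventID"] == 1:
        img, cmd = basename(ev["Image"]), ev["CommandLine"].lower()
        lineage = ancestor_images(ev["Computer"], ev["ProcessId"], tree)
        if img in SCRIPT_HOSTS and ".wsf" in cmd:
            return "wsf_script_host"
        if img == "powershell.exe" and any(a in SCRIPT_HOSTS for a in lineage):
            return "powershell_from_script_host"
        if img == "schtasks.exe" and "/create" in cmd and "powershell.exe" in lineage:
            return "scheduled_task_from_powershell"
    elif ev["EventID"] == 8:  # CreateRemoteThread
        if (basename(ev["SourceImage"]) == "powershell.exe"
                and basename(ev["TargetImage"]) in TRUSTED_TARGETS):
            return "remote_thread_into_trusted_process"
    return None


def detect(events: list[dict]) -> list[dict]:
    """One alert per host whose telemetry shows at least two distinct stages."""
    tree = build_process_tree(events)
    hits: dict = defaultdict(list)
    for e in events:
        stage = stage_of(e, tree)
        if stage:
            hits[e["Computer"]].append((e["UtcTime"], stage))
    alerts = []
    for host, found in hits.items():
        stages = list(dict.fromkeys(s for _, s in sorted(found)))  # time order, deduped
        if len(stages) >= 2:
            alerts.append({"host": host, "stages": stages,
                           "severity": "high" if len(stages) >= 3 else "medium"})
    return alerts


def _proc(host, t, pid, ppid, image, cmd):
    return {"EventID": 1, "Computer": host, "UtcTime": t, "ProcessId": pid,
            "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: WS-ACCT-07 shows the whole chain; WS-DEV-02 is an
# administrator using PowerShell and schtasks from an ordinary command prompt.
SUSPICIOUS_EVENTS = [
    _proc("WS-ACCT-07", "10:00:00", 1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    _proc("WS-ACCT-07", "10:00:05", 1100, 1000, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "E:\PurchaseOrder.wsf"'),
    _proc("WS-ACCT-07", "10:00:06", 1200, 1100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage.bat"),
    _proc("WS-ACCT-07", "10:00:09", 1300, 1200, PS, "powershell.exe -w hidden -enc <BASE64-PLACEHOLDER>"),
    {"EventID": 8, "Computer": "WS-ACCT-07", "UtcTime": "10:00:20",
     "SourceImage": PS, "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    _proc("WS-ACCT-07", "10:00:25", 1400, 1300, r"C:\Windows\System32\schtasks.exe",
          'schtasks.exe /create /tn "Updater" /tr "<PLACEHOLDER>" /sc onlogon'),
]
BENIGN_EVENTS = [
    _proc("WS-DEV-02", "11:00:01", 300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    _proc("WS-DEV-02", "11:00:02", 400, 300, PS, "powershell.exe Get-Process"),
    _proc("WS-DEV-02", "11:00:03", 500, 300, r"C:\Windows\System32\schtasks.exe",
          "schtasks.exe /create /tn Backup /tr backup.cmd /sc daily"),
]

if __name__ == "__main__":
    for alert in detect(SUSPICIOUS_EVENTS + BENIGN_EVENTS):
        print(alert)
```

Two design points: lineage rather than direct parent is what separates the suspicious PowerShell from the administrator's, since the malicious instance is launched by `cmd.exe` in both cases and only its grandparent is a script host; and alerting on two or more stages per host keeps any single heuristic (a `.wsf` in a command line, a `schtasks /create`) from paging on its own. Sysmon EventID 8 only records injection that uses a remote thread, so other injection primitives need EventID 10 (ProcessAccess) or EDR memory telemetry, which is the "Memory Analysis" item in the list above.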
Conclusion
The DEAD#VAX campaign exemplifies the growing sophistication of modern malware, combining multiple evasion techniques to create a stealthy, resilient threat that challenges traditional security controls. As attackers continue to evolve their tactics, organizations must adopt a multi-layered defense approach that goes beyond signature-based detection to identify and mitigate these advanced threats.
For more information on protecting against fileless malware and advanced persistent threats, consult your security vendor's latest threat intelligence updates and consider implementing advanced endpoint detection and response (EDR) solutions capable of identifying memory-resident threats.