DEV Community

Mark0


DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files

Threat hunters have identified a new campaign, tracked as DEAD#VAX, that distributes AsyncRAT behind several layers of evasion. The attack chain begins with phishing emails that deliver VHD files hosted on the InterPlanetary File System (IPFS), a peer-to-peer content network rather than a conventional web host. The VHD files are disguised as PDF purchase orders so that the recipient mounts the virtual disk and runs the malicious script it contains.

The infection then moves through a multi-stage pipeline: a Windows Script File (WSF) on the mounted disk launches obfuscated batch scripts, which in turn run PowerShell loaders. The final payload is encrypted x64 shellcode that the loader decrypts and injects directly into a trusted Windows process such as RuntimeBroker.exe or OneDrive.exe. Because the decrypted payload exists only in memory, and the loader performs environment checks and throttles its execution before delivering it, the malware stays resident without ever writing the shellcode to disk, which defeats traditional disk-based detection and complicates forensic reconstruction. The earlier stages are not fileless, however: the VHD itself, the newly mounted drive letter, and the script-host-to-PowerShell process lineage all leave artifacts, and those are where detection should focus.
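Detection logic for the process lineage described above, as an added example that is not part of the original post or of the research it summarizes. It correlates simplified Sysmon-style records for Event ID 1 (process create) and Event ID 8 (CreateRemoteThread), and flags a PowerShell loader whose ancestry includes a script host running a .wsf from a drive other than the system drive (where a mounted VHD appears) when that loader opens a thread in RuntimeBroker.exe or OneDrive.exe. The event records, PIDs, paths, the `E:` drive letter and the `SYSTEM_DRIVE = "C"` setting are all constructed assumptions for the example; real Sysmon EVTX/XML would be flattened into the same dictionaries first.

```python
"""Added example: correlate simplified Sysmon-style events to flag a
DEAD#VAX-style chain (script host on a mounted VHD -> cmd -> PowerShell
loader -> remote thread in a trusted process). All records below are
constructed; this is not the article's or the researchers' code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADERS = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGETS = {"runtimebroker.exe", "onedrive.exe"}  # named in the article
SYSTEM_DRIVE = "C"   # assumption: set to the host's %SystemDrive%
MAX_DEPTH = 8        # bound on the parent walk (guards against PID-reuse loops)

# A .wsf path with a drive letter; group(1) is the letter.
WSF_PATH = re.compile(r'\b([A-Za-z]):\\[^"\s]*?\.wsf\b', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, procs: Dict[int, Proc]) -> List[Proc]:
    """The process and its ancestors, nearest first, from Event ID 1 records."""
    chain: List[Proc] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < MAX_DEPTH:
        chain.append(cur)
        seen.add(cur.pid)
        cur = procs.get(cur.ppid)
    return chain


def wsf_on_nonsystem_drive(cmdline: str) -> Optional[str]:
    """Return the first .wsf path on a non-system drive (where a mounted VHD
    shows up), or None. Heuristic: a .wsf under the system drive is not flagged."""
    for m in WSF_PATH.finditer(cmdline):
        if m.group(1).upper() != SYSTEM_DRIVE.upper():
            return m.group(0)
    return None


def find_suspicious_chains(events: List[dict]) -> List[dict]:
    """One finding per CreateRemoteThread (ID 8) into a trusted target whose
    source is a PowerShell loader descended from a script host that ran a
    .wsf off a non-system drive."""
    procs = {e["ProcessId"]: Proc(e["ProcessId"], e["ParentProcessId"],
                                  e["Image"], e["CommandLine"])
             for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 8 or basename(e["TargetImage"]) not in INJECTION_TARGETS:
            continue
        loader = procs.get(e["SourceProcessId"])
        if loader is None or basename(loader.image) not in LOADERS:
            continue
        for anc in ancestry(loader.pid, procs)[1:]:   # [0] is the loader itself
            if basename(anc.image) not in SCRIPT_HOSTS:
                continue
            script = wsf_on_nonsystem_drive(anc.cmdline)
            if script:
                findings.append({"loader_pid": loader.pid, "script_host_pid": anc.pid,
                                 "script": script, "target": basename(e["TargetImage"]),
                                 "target_pid": e["TargetProcessId"]})
                break
    return findings


# Constructed sample telemetry (not real campaign data).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
RB = "C:\\Windows\\System32\\RuntimeBroker.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    # user opens the .wsf inside the mounted VHD, which appears as drive E:
    {"EventID": 1, "ProcessId": 4321, "ParentProcessId": 100,
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" "E:\\order.wsf"'},
    {"EventID": 1, "ProcessId": 4400, "ParentProcessId": 4321,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c E:\\stage2.bat"},
    {"EventID": 1, "ProcessId": 4500, "ParentProcessId": 4400,
     "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 100,
     "Image": RB, "CommandLine": "RuntimeBroker.exe -Embedding"},
    {"EventID": 8, "SourceProcessId": 4500, "SourceImage": PS,
     "TargetProcessId": 5000, "TargetImage": RB},
    # benign control: admin script started straight from explorer, no script host on a VHD
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 100,
     "Image": PS, "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"EventID": 8, "SourceProcessId": 6000, "SourceImage": PS,
     "TargetProcessId": 5000, "TargetImage": RB},
]

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the chain rooted at the script host on `E:` is reported; the second injection event, whose source was launched directly from explorer.exe, is left alone. The drive-letter heuristic is deliberately narrow: it will miss a WSF copied to the system drive before execution, so in production pair it with the VHD mount event itself and with the IPFS gateway URL in the mail gateway logs.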


