Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files

The Hacker News by The Hacker News
February 4, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananFeb 04, 2026Malware / Endpoint Security

Threat hunters have disclosed details of a new, stealthy malware campaign dubbed DEAD#VAX that employs a mix of “disciplined tradecraft and clever abuse of legitimate system features” to bypass traditional detection mechanisms and deploy a remote access trojan (RAT) known as AsyncRAT.

“The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

AsyncRAT is an open-source malware that provides attackers with extensive control over compromised endpoints, enabling surveillance and data collection through keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots.

The starting point of the infection sequence is a phishing email delivering a Virtual Hard Disk (VHD) hosted on the decentralized InterPlanetary Filesystem (IPFS) network. The VHD files are disguised as PDF files for purchase orders to deceive targets.

The multi-stage campaign has been funded to leverage Windows Script Files (WSF), heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deliver an encrypted x64 shellcode. The shellcode in question is AsyncRAT, which is injected directly into trusted Windows processes and executed entirely in memory, effectively minimizing any forensic artifacts on disk.

“After downloading, when a user simply tries to open this PDF-looking file and double-clicks it, it mounts as a virtual hard drive,” the researchers explained. “Using a VHD file is a highly specific and effective evasion technique used in modern malware campaigns. This behavior shows how VHD files bypass certain security controls.”

Presented within the newly mounted drive “E:” is a WSF script that, when executed by the victim, assuming it to be a PDF document, drops and runs an obscured batch script that first runs a series of checks to ascertain if it’s not running inside a virtualized or sandboxed environment, and it has the necessary privileges to proceed further.

Once all the conditions are satisfied, the script unleashes a PowerShell-based process injector and persistence module that’s designed to validate the execution environment, decrypt embedded payloads, set up persistence using scheduled tasks, and inject the final malware into Microsoft-signed Windows processes (e.g., RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe) to avoid writing the artifacts to disk.

The PowerShell component lays the foundation for a “stealthy, resilient execution engine” that allows the trojan to run entirely in memory and blend into legitimate system activity, thereby allowing for long-term access to compromised environments.

To further enhance the degree of stealth, the malware controls execution timing and throttles execution using sleep intervals in order to reduce CPU usage, avoid suspicious rapid Win32 API activity, and make runtime behavior less anomalous.

“Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls,” the researchers said. “Rather than delivering a single malicious binary, attackers now construct multi-stage execution pipelines in which each individual component appears benign when analyzed in isolation. This shift has made detection, analysis, and incident response significantly more challenging for defenders.”

“In this specific infection chain, the decision to deliver AsyncRAT as encrypted, memory-resident shellcode significantly increases its stealth. The payload never appears on disk in a recognizable executable form and runs within the context of trusted Windows processes. This fileless execution model makes detection and forensic reconstruction substantially more difficult, allowing AsyncRAT to operate with a reduced risk of discovery by traditional endpoint security controls.”



Source link

The Hacker News

The Hacker News

Next Post
NBC SPORTS SELECTS COMCAST TECHNOLOGY SOLUTIONS FOR ITS PRODUCTION OF MILAN CORTINA 2026 OLYMPIC AND PARALYMPIC WINTER GAMES

NBC SPORTS SELECTS COMCAST TECHNOLOGY SOLUTIONS FOR ITS PRODUCTION OF MILAN CORTINA 2026 OLYMPIC AND PARALYMPIC WINTER GAMES

Recommended.

Here’s the inflation breakdown for February 2025 — in one chart

Here’s the inflation breakdown for February 2025 — in one chart

March 12, 2025
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

May 21, 2026

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio