A new Loader-as-a-Service threat called Caminho Loader combines fileless execution, steganography, and cloud abuse to covertly spread malware across multiple regions. The service, first observed in March 2025 and believed to originate in Brazil, conceals .NET payloads inside innocuous-looking image files hosted on reputable platforms.
Once activated, it deploys a variety of remote access trojans and infostealers on compromised systems, including REMCOS RAT, XWorm, Katz Stealer, and AsyncRAT. With confirmed victims in Brazil, South Africa, Ukraine, and Poland, the operation targets organizations in South America, Africa, and Eastern Europe. To trick users into opening attached archive files, the attackers use convincing phishing emails with business themes such as invoices, quotations, and shipping notices.
When the victim opens these RAR or ZIP archives, obfuscated JavaScript or VBScript files serve as the initial execution point, silently starting the multi-stage infection chain. ANY.RUN analysts discovered Caminho Loader while analyzing suspicious submissions in their interactive sandbox. They observed a flexible delivery model, consistent use of steganography, and in-memory execution.
The Brazilian connection is further supported by their research, which shows that all examined samples share Portuguese strings and the unique "HackForums.gigajew" namespace. The loader's impact is substantial because it is not tied to a single malware family. Instead, criminal clients rent the delivery infrastructure and plug in their own .NET payloads using standardized parameters.
Thanks to this modular approach, multiple campaigns can deliver entirely different trojans to end targets while sharing the same steganographic images and scripts. For defenders, this means that a single loader infrastructure can enable remote access, espionage, or credential theft, depending on who is behind a particular campaign.

How the Steganographic Infection Chain of Caminho Loader Operates

Caminho Loader's infection chain uses legitimate services at nearly every stage, which makes it hard to filter without interfering with normal business traffic.
Malware analysis of Caminho Loader (Source: Any.Run)

Once the victim executes the malicious JavaScript or VBScript from the phishing archive, the script contacts Pastebin-like services, including paste.ee and pastefy.app, to download heavily obfuscated PowerShell code.
This PowerShell stage then contacts reputable websites such as archive.org to retrieve image files that appear harmless to both users and security tools. Caminho uses Least Significant Bit (LSB) steganography, which stores data in the lowest-order bit of each pixel channel value without visibly altering the image, to hide Base64-encoded .NET loader code inside these images.
The PowerShell script scans the downloaded image, extracts the hidden bits, reconstructs the .NET assembly directly in memory, and invokes it with the final payload URL as an argument.
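To make the LSB mechanism concrete, the following is an added example written for this article; it is not code from ANY.RUN or from the loader itself. It embeds a Base64 blob into the least significant bits of raw RGB channel values and recovers it, which is the same operation an analyst performs when carving a payload out of a suspect image. The 4-byte length prefix is an assumed framing; the page only states that Base64 text is hidden in the LSBs, not how the loader delimits it, so a real sample may use a different marker or terminator.

```python
"""Added example: LSB steganography over raw RGB channel values.
The 4-byte big-endian length prefix is an assumed framing; the page does not
describe the loader's actual encoding, only that it hides Base64 text in LSBs."""
import base64
import random


def _bit_stream(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(channels: list[int], payload: bytes) -> list[int]:
    """Return a copy of `channels` with the length-prefixed payload in the LSBs.
    Every channel value changes by at most 1, so the image looks identical."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(channels):
        raise ValueError("payload too large for this carrier")
    out = list(channels)
    for idx, bit in enumerate(_bit_stream(framed)):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def _read_bytes(channels: list[int], start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at bit offset `start_bit`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (channels[start_bit + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(channels: list[int]) -> bytes:
    """Recover the payload. A clean image yields a random header, which this
    usually rejects as an implausible length; treat that as 'no stego in this framing'."""
    if len(channels) < 32:
        raise ValueError("carrier too small to hold a header")
    length = int.from_bytes(_read_bytes(channels, 0, 4), "big")
    if 32 + length * 8 > len(channels):
        raise ValueError("declared length exceeds carrier; not a stego image in this format")
    return _read_bytes(channels, 32, length)


def max_channel_delta(a: list[int], b: list[int]) -> int:
    """Largest per-channel change between two carriers (1 for pure LSB embedding)."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed stand-in for the hidden blob; not a real .NET assembly.
STAND_IN = b"MZ\x90\x00 constructed stand-in, not a real .NET assembly"


def demo(width: int = 64, height: int = 64) -> bytes:
    """Embed a Base64 blob into a constructed random cover image and recover it."""
    rng = random.Random(1)  # constructed cover: width*height pixels, 3 channels each
    cover = [rng.randrange(256) for _ in range(width * height * 3)]
    stego = embed_lsb(cover, base64.b64encode(STAND_IN))
    assert max_channel_delta(cover, stego) <= 1  # visually indistinguishable
    return base64.b64decode(extract_lsb(stego))


if __name__ == "__main__":
    print(demo())
```

The point for defenders is in `max_channel_delta`: the carrier differs from the original by at most one unit per channel, so hashes, file size, and a visual check all pass, and the image is only suspicious because a PowerShell process fetched it and then decoded it. When carving a real sample, read the channel order and bit order from the decoding routine in the PowerShell stage rather than assuming this framing.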
Because the loader never writes the executable to disk, traditional file-based antivirus products frequently fail to detect the malicious component at all. Once running in memory, Caminho Loader connects to attacker-controlled infrastructure to download and run the chosen payload, such as REMCOS or AsyncRAT, which then handles long-term access, lateral movement, and credential theft. One observed instance, in which the loader injected AsyncRAT into the AddInProcess32 process to blend in with normal system activity, is tracked as "AsyncRAT Injection."
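Because each stage on its own (a script host, PowerShell, a paste site, a .NET host process) looks ordinary, detection works better when the stages are tied together. The following added example is not ANY.RUN's or anyone's production rule; it runs chain-aware triage over constructed events whose fields loosely follow Sysmon process-creation and network-connection records. The staging domains are the ones named in this article; the assumption that AddInProcess32.exe rarely makes outbound connections or runs as a child of PowerShell is a heuristic chosen here, not a fact the article states.

```python
"""Added example: tie the Caminho stages together over constructed endpoint events.
Fields loosely follow Sysmon process-creation / network-connection records; the
events and the AddInProcess32 heuristic are assumptions made for illustration."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_DOMAINS = {"paste.ee", "pastefy.app", "archive.org"}  # named in the article
# Assumption: AddInProcess32.exe, a .NET add-in host, is an unusual source of
# outbound traffic and an unusual child of PowerShell.
DOTNET_HOSTS = {"addinprocess32.exe"}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50,  "image": "wscript.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"type": "network", "pid": 200, "image": "powershell.exe", "dest": "paste.ee"},
    {"type": "network", "pid": 200, "image": "powershell.exe", "dest": "archive.org"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "AddInProcess32.exe"},
    {"type": "network", "pid": 300, "image": "AddInProcess32.exe", "dest": "203.0.113.10"},
    # Control: PowerShell launched from Explorer and talking to GitHub should not match.
    {"type": "process", "pid": 400, "ppid": 50,  "image": "powershell.exe"},
    {"type": "network", "pid": 400, "image": "powershell.exe", "dest": "github.com"},
]


def ancestry(pid, parents, images):
    """Walk pid -> parent -> ... and return [(pid, image)] while the parent is known."""
    chain = []
    while pid in images:
        chain.append((pid, images[pid].lower()))
        pid = parents[pid]
    return chain


def staging_fetchers(events):
    """PIDs of PowerShell processes that connected to the staging domains."""
    return {e["pid"] for e in events
            if e["type"] == "network" and e["image"].lower() == "powershell.exe"
            and e["dest"].lower() in STAGING_DOMAINS}


def caminho_chain_hits(events):
    """Return PIDs of .NET host processes whose ancestry matches the full chain:
    script host -> PowerShell that fetched from a staging domain -> .NET host
    with its own outbound connection."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    fetchers = staging_fetchers(events)
    outbound = {e["pid"] for e in events if e["type"] == "network"}
    hits = []
    for pid, image in images.items():
        if image.lower() not in DOTNET_HOSTS or pid not in outbound:
            continue
        chain = ancestry(pid, parents, images)
        ps_ok = any(p in fetchers and img == "powershell.exe" for p, img in chain)
        script_ok = any(img in SCRIPT_HOSTS for _, img in chain)
        if ps_ok and script_ok:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("suspicious .NET host PIDs:", caminho_chain_hits(EVENTS))
```

Requiring the whole chain keeps the false-positive rate workable: PowerShell reaching archive.org is common in isolation, and the sample with PID 400 deliberately does not match. In a real environment the same logic would be expressed in the SIEM's query language against the process tree, and the list of host processes should be tuned to whatever the loader's clients are observed injecting into.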
ANY.RUN's sandbox views of these stages give defenders a rare end-to-end window into a threat that otherwise tries to leave minimal forensic traces.