A new, covert malware campaign known as DEAD#VAX has been revealed by threat hunters. It uses a combination of "disciplined tradecraft and clever abuse of legitimate system features" to evade conventional detection methods and install a remote access trojan (RAT) called AsyncRAT.
AsyncRAT, an open-source malware, gives attackers complete control over compromised endpoints: keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots are just a few of its capabilities. The infection sequence begins with a phishing email that delivers a Virtual Hard Disk (VHD) hosted on the decentralized InterPlanetary Filesystem (IPFS) network. To trick targets, the VHD files are disguised as purchase-order PDF files.
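A mail gateway or triage script can catch the lure described above by comparing the type an attachment's name claims with what its bytes actually are. The following Python is an added example, not code from the write-up or from the researchers; it relies only on public format signatures (PDF files start with `%PDF-`, a VHD image ends with a 512-byte footer whose cookie is `conectix`, a VHDX image starts with `vhdxfile`), and the sample PDF and VHD blobs are constructed inline.

```python
"""Added example: flag a disk image that is being passed off as a PDF.

Compares the type implied by the attachment name with the type implied by
its content. Signatures are public format facts: PDF starts with '%PDF-',
a VHD image ends with a 512-byte footer whose cookie is 'conectix', and a
VHDX image starts with 'vhdxfile'. The sample files below are constructed."""
from __future__ import annotations
import os
from dataclasses import dataclass

PDF_SIGNATURE = b"%PDF-"
VHDX_SIGNATURE = b"vhdxfile"
VHD_FOOTER_COOKIE = b"conectix"
VHD_FOOTER_SIZE = 512
DISK_IMAGES = {"vhd", "vhdx"}


@dataclass(frozen=True)
class Verdict:
    declared: str      # type implied by the file name the user sees
    actual: str        # type implied by the bytes
    suspicious: bool
    reason: str


def declared_type(filename: str) -> str:
    """Type implied by the final extension; that is all Explorer honours."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ext or "none"


def sniff_type(data: bytes) -> str:
    """Type implied by content. Disk-image signatures are checked before the
    PDF one so a PDF/VHD polyglot is classed as the thing that would mount.
    A fixed VHD has no header at all: only the trailing 512 bytes identify it."""
    if data.startswith(VHDX_SIGNATURE):
        return "vhdx"
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:].startswith(VHD_FOOTER_COOKIE):
        return "vhd"
    if data.startswith(PDF_SIGNATURE):
        return "pdf"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    declared = declared_type(filename)
    actual = sniff_type(data)
    # A mountable disk image arriving by mail is worth a flag whatever it is
    # called; a name that also claims PDF makes the intent clearer.
    if actual in DISK_IMAGES:
        reason = f"{actual} image delivered as attachment"
        if declared != actual:
            reason += f", named as .{declared}"
        return Verdict(declared, actual, True, reason)
    # A .pdf name whose bytes are not PDF is a mismatch even when the real
    # format is something this sniffer does not know.
    if declared == "pdf" and actual != "pdf":
        return Verdict(declared, actual, True, "name says pdf, content does not")
    # A lure name such as 'order.pdf.vhd' stands out by its double extension.
    if ".pdf." in filename.lower():
        return Verdict(declared, actual, True, "double extension")
    return Verdict(declared, actual, False, "consistent")


def make_fake_vhd(data_len: int = 1024) -> bytes:
    """Constructed sample: a zeroed data region plus a footer carrying only
    the cookie. Enough for a signature check, not a mountable image."""
    footer = VHD_FOOTER_COOKIE.ljust(VHD_FOOTER_SIZE, b"\x00")
    return b"\x00" * data_len + footer


# Constructed sample PDF (minimal, not a valid document).
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for name, blob in (("Purchase_Order_4471.pdf", SAMPLE_PDF),
                       ("Purchase_Order_4471.pdf", make_fake_vhd()),
                       ("Purchase_Order_4471.pdf.vhd", make_fake_vhd())):
        print(name, inspect_attachment(name, blob))
```

The check deliberately trusts bytes over names: the final extension is the only thing Windows uses to decide whether to mount the file, so a mismatch between the two is the signal, and any attachment that sniffs as a disk image is flagged even when its name is honest.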
The multi-stage campaign has been found to use Windows Script Files (WSF), heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deliver an encrypted x64 shellcode. The shellcode in question is AsyncRAT, which minimizes forensic artifacts on disk by being injected directly into trusted Windows processes and running entirely in memory. The researchers clarified, "After downloading, it mounts as a virtual hard drive when a user simply tries to open this PDF-looking file and double-clicks it."
"In contemporary malware campaigns, using a VHD file is a very specific and efficient evasion technique."
This behavior demonstrates how VHD files get around some security measures. The newly mounted drive "E:\" contains a WSF script that, when the victim executes it, believing it to be a PDF document, drops and launches an obfuscated batch script. That script first performs a number of checks to make sure it isn't operating in a virtualized or sandboxed environment and has the required privileges to continue. When all requirements are met, the script releases a PowerShell-based persistence module and process injector that is intended to verify the execution environment, decrypt embedded payloads, configure persistence through scheduled tasks, and inject the final malware into Microsoft-signed Windows processes (such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe) so that no artifacts are written to disk.
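Each stage of the chain just described looks harmless on its own, which is why the detection below correlates them by process lineage rather than alerting on any single event. It is an added Python example written for this article, not code from the researchers; the rule thresholds, the "non-system drive letter" heuristic for a freshly mounted VHD, and every PID, path and task name in the sample events are constructed for illustration, modelled on the fields a Sysmon Event ID 1 (process creation) record carries.

```python
"""Added example: heuristic detection of the VHD -> WSF -> batch ->
PowerShell -> scheduled task / injected signed host chain, run over
constructed process-creation events. Each Event mimics Sysmon Event ID 1
fields (ProcessId, ParentProcessId, Image, ParentImage, CommandLine).
Rules, thresholds and sample events are this example's own."""
from __future__ import annotations
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Signed Windows binaries the write-up names as injection hosts.
INJECTION_HOSTS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _drive(path: str) -> str:
    return path[:2].upper() if len(path) > 1 and path[1] == ":" else ""


def rule_wsf_from_mounted_drive(ev: Event, system_drive: str = "C:") -> Finding | None:
    """Script host running a .wsf on a drive other than the system drive.
    A freshly mounted VHD appears as a new letter, an odd home for a
    'document' the user just opened. Simplification: the command line is
    split on whitespace, so a .wsf path with spaces needs real arg parsing."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return None
    for tok in ev.cmdline.replace('"', " ").split():
        if tok.lower().endswith(".wsf") and _drive(tok) not in ("", system_drive):
            return Finding("wsf_from_mounted_drive", ev.pid, tok)
    return None


def rule_script_host_spawns_batch(ev: Event) -> Finding | None:
    """cmd.exe started by a script host to run a batch file."""
    if (_basename(ev.parent_image) in SCRIPT_HOSTS
            and _basename(ev.image) == "cmd.exe" and ".bat" in ev.cmdline.lower()):
        return Finding("script_host_spawns_batch", ev.pid, ev.cmdline)
    return None


def rule_schtasks_from_shell(ev: Event) -> Finding | None:
    """schtasks /create with a shell as parent: the persistence step."""
    if (_basename(ev.image) == "schtasks.exe" and _basename(ev.parent_image) in SHELLS
            and "/create" in ev.cmdline.lower()):
        return Finding("schtasks_from_shell", ev.pid, ev.cmdline)
    return None


def rule_signed_host_from_shell(ev: Event) -> Finding | None:
    """A named signed host started by a shell. These binaries are normally
    launched by svchost/explorer, so a PowerShell parent is the visible
    trace of a process being spawned as an injection target."""
    if _basename(ev.image) in INJECTION_HOSTS and _basename(ev.parent_image) in SHELLS:
        return Finding("signed_host_from_shell", ev.pid, _basename(ev.image))
    return None


RULES = (rule_wsf_from_mounted_drive, rule_script_host_spawns_batch,
         rule_schtasks_from_shell, rule_signed_host_from_shell)


def evaluate(events: list[Event]) -> list[Finding]:
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def _ancestors(pid: int, by_pid: dict[int, Event]) -> set[int]:
    seen: set[int] = set()
    while pid in by_pid and by_pid[pid].ppid not in seen:   # loop guard
        pid = by_pid[pid].ppid
        seen.add(pid)
    return seen


def correlate(events: list[Event]) -> dict:
    """Count only stages that share one process lineage, so unrelated single
    hits across a fleet do not add up to one real chain."""
    findings = evaluate(events)
    by_pid = {e.pid: e for e in events}
    flagged = {f.pid for f in findings}
    anc = {p: _ancestors(p, by_pid) for p in flagged}
    linked = {f.rule for f in findings
              if (anc[f.pid] & flagged) or any(f.pid in anc[p] for p in flagged)}
    return {"stages": sorted(linked), "score": len(linked), "alert": len(linked) >= 3}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: PIDs, paths and the task name are made up.
SAMPLE_EVENTS = [
    Event(1200, 900, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\wscript.exe" "E:\Purchase_Order_4471.pdf.wsf"'),
    Event(1300, 1200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
          r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\po.bat"'),
    Event(1400, 1300, PS, r"C:\Windows\System32\cmd.exe",
          r"powershell.exe -NoProfile -File C:\Users\victim\AppData\Local\Temp\stage.ps1"),
    Event(1500, 1400, r"C:\Windows\System32\schtasks.exe", PS,
          r'schtasks.exe /create /tn "ExampleTask" /sc onlogon /tr "C:\Users\victim\AppData\Local\Temp\stage.cmd"'),
    Event(1600, 1400, r"C:\Windows\System32\RuntimeBroker.exe", PS, "RuntimeBroker.exe -Embedding"),
]
# Benign look-alikes that must not fire: a logon script on C: and a
# RuntimeBroker with its usual svchost parent.
BENIGN_EVENTS = [
    Event(2100, 900, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Scripts\logon.wsf"'),
    Event(2200, 800, r"C:\Windows\System32\RuntimeBroker.exe",
          r"C:\Windows\System32\svchost.exe", "RuntimeBroker.exe -Embedding"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(correlate(BENIGN_EVENTS))
```

Process creation alone will not show the in-memory injection itself; in a real deployment the last rule is best paired with Sysmon's process-access or remote-thread events (IDs 10 and 8) against the same signed hosts, and the alert threshold of three linked stages is a starting point to tune against the environment's own baseline.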
Long-term access to compromised environments is made possible by the PowerShell component, which creates the framework for a "stealthy, resilient execution engine" that enables the trojan to operate solely in memory and blend in with normal system activity. To further increase stealth, the malware controls execution timing and throttles execution with sleep intervals, which reduces CPU usage, avoids bursts of suspicious Win32 API activity, and lessens anomalous runtime behavior. According to the researchers, "modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls."
Instead of delivering a single malicious binary, attackers now create multi-stage execution pipelines where, when examined separately, each component seems harmless.
For defenders, this change has greatly increased the difficulty of detection, analysis, and incident response. The choice to deliver AsyncRAT as encrypted, memory-resident shellcode greatly increases its stealth in this particular infection chain. The payload operates inside of trusted Windows processes and never shows up on disk in an identifiable executable form.
AsyncRAT can function with a lower risk of being discovered by conventional endpoint security controls thanks to this fileless execution model, which significantly complicates detection and forensic reconstruction.