Full Report
Threat hunters have disclosed details of a new, stealthy malware campaign dubbed DEAD#VAX that employs a mix of "disciplined tradecraft and clever abuse of legitimate system features" to bypass traditional detection mechanisms and deploy a remote access trojan (RAT) known as AsyncRAT. "The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory
Analysis Summary
# Tool/Technique: DEAD#VAX Campaign leveraging AsyncRAT
## Overview
The DEAD#VAX campaign is a stealthy malware operation utilizing disciplined tradecraft, including abuse of legitimate system features like VHD mounting and fileless execution, to deploy the AsyncRAT remote access trojan. The campaign relies on a multi-stage delivery mechanism starting from phishing emails containing IPFS-hosted Virtual Hard Disk (VHD) files disguised as purchase orders.
## Technical Details
- Type: Malware Campaign / Technique (Multi-stage execution pipeline)
- Platform: Windows
- Capabilities: Fileless execution, runtime decryption, persistence via scheduled tasks, process injection into trusted Windows binaries.
- First Seen: Information not explicitly provided in the text, but the article is dated February 04, 2026.
## MITRE ATT&CK Mapping
*Note: Mappings are based on the described actions.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (Implied by VHD delivery)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell (Batch scripts)
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0004 - Privilege Escalation**
  - T1548.002 - Bypass User Account Control (Implied by privilege checks)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection
  - T1070.004 - Indicator Removal: File Deletion (By avoiding dropping file artifacts)
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job
## Functionality
### Core Capabilities
- **Initial Delivery**: Uses IPFS-hosted VHD files disguised as PDF purchase orders delivered via phishing emails.
- **Mounting Abuse**: Exploits the VHD feature to mount the file as a virtual drive (E:), bypassing standard file validation controls.
- **Staging/Script Execution**: Executes a staged pipeline involving:
  1. WSF script execution.
  2. Obfuscated batch script execution for environment checks (sandbox/VM evasion).
  3. PowerShell loader execution.
- **Sandbox Evasion**: Performs checks to ensure the environment is not virtualized or sandboxed before proceeding.
- **Payload Delivery**: Delivers encrypted x64 shellcode (AsyncRAT) intended for in-memory execution.
- **Persistence**: Establishes persistence using scheduled tasks.
### Advanced Features
- **Fileless Execution**: The final payload (AsyncRAT) is decrypted at runtime and injected directly into trusted Windows processes, ensuring the decrypted binary never reaches the disk.
- **Process Injection**: Injects shellcode into Microsoft-signed Windows processes such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`.
- **Stealth Optimization**: Throttles execution using sleep intervals to reduce CPU usage and minimize anomalous rapid Win32 API activity, blending execution behavior with legitimate system activity.
- **Extreme Obfuscation**: Employs heavy script obfuscation across the initial stages (WSF, Batch).
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Virtual Hard Disk (VHD) files disguised as PDF purchase orders.
- Registry Keys: [Not provided in the text]
- Network Indicators: IPFS addresses hosting the initial VHD file. (No public C2 domain/IP provided).
- Behavioral Indicators:
  - Mounting of VHD files upon user interaction.
  - Execution of WSF/Batch scripts leading to PowerShell execution.
  - Injection of shellcode into trusted, already-running processes such as `RuntimeBroker.exe` or `OneDrive.exe`.
  - Creation of Scheduled Tasks for persistence.
## Associated Threat Actors
- [Not explicitly named in the provided text, described as a "new, stealthy malware campaign".]
## Detection Methods
- **Signature-based detection**: Likely to be ineffective against the heavily obfuscated, multi-stage, and fileless nature of the payload delivery.
- **Behavioral detection**: Effective detection relies on monitoring the chain of execution: VHD mounting followed by script execution, environment checks, and memory injection into whitelisted processes. Monitoring for unusual API calls or memory allocation patterns within trusted processes is key.
- **YARA rules**: [Not provided in the text]
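As an added example (not code from the report or the researchers), the following Python correlates process-creation and remote-thread events into the behavioral chain described above: a script host launched from a mounted drive, then `cmd.exe`, then `powershell.exe`, then a remote thread created in one of the trusted processes the report names. The Sysmon-style event IDs and field names are assumptions, and the sample telemetry is constructed.

```python
import re
from dataclasses import dataclass
# Processes the report names as injection targets (Microsoft-signed Windows binaries).
TRUSTED_INJECTION_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .wsf opened from a non-system drive letter, i.e. a freshly mounted VHD (the report saw E:).
WSF_ON_MOUNTED_DRIVE = re.compile(r'\b[d-z]:\\[^\s"]*\.wsf\b', re.IGNORECASE)

@dataclass
class Event:
    event_id: int            # 1 = process create, 8 = CreateRemoteThread (Sysmon numbering, assumed)
    pid: int                 # for event 8 this is the source (injecting) process
    ppid: int
    image: str
    command_line: str = ""
    target_image: str = ""   # event 8 only

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_tree(parents: dict, pid: int, root_pid: int) -> bool:
    # Walk the parent chain recorded from process-create events up to root_pid.
    while pid in parents:
        if pid == root_pid:
            return True
        pid = parents[pid]
    return pid == root_pid

def detect_chain(events):
    """Alert when one process tree shows: WSF from mounted drive -> cmd.exe -> powershell.exe -> remote thread in a trusted process."""
    parents = {e.pid: e.ppid for e in events if e.event_id == 1}
    alerts = []
    for root in events:
        if root.event_id != 1 or basename(root.image) not in SCRIPT_HOSTS:
            continue
        if not WSF_ON_MOUNTED_DRIVE.search(root.command_line):
            continue
        tree = [e for e in events if in_tree(parents, e.pid, root.pid)]
        images = {basename(e.image) for e in tree if e.event_id == 1}
        targets = sorted({basename(e.target_image) for e in tree if e.event_id == 8
                          and basename(e.target_image) in TRUSTED_INJECTION_TARGETS})
        if {"cmd.exe", "powershell.exe"} <= images and targets:
            alerts.append({"root_pid": root.pid, "chain": sorted(images), "targets": targets})
    return alerts

# Constructed sample telemetry (not from the report): a benign logon script and one DEAD#VAX-like chain.
SAMPLE_EVENTS = [
    Event(1, 3000, 1200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.wsf"'),
    Event(1, 4000, 1200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\PurchaseOrder.wsf"'),
    Event(1, 4010, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c E:\stage2.bat"),
    Event(1, 4020, 4010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden"),
    Event(8, 4020, 4010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "", r"C:\Windows\System32\RuntimeBroker.exe"),
]
```

Running `detect_chain(SAMPLE_EVENTS)` yields one alert rooted at pid 4000; the benign `C:\Scripts\logon.wsf` tree and any chain without an injection into a trusted process produce none.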
## Mitigation Strategies
- **Prevention**: Restrict execution of WSF, batch and PowerShell scripts where there is no business justification. Block access to network resources hosting potentially malicious VHD files, where IPFS gateway usage can be identified.
- **Hardening recommendations**: Deploy endpoint detection focused on memory and process behavior rather than file scanning alone. Use application control to restrict which processes may inject code into others.
## Related Tools/Techniques
- **Payload**: AsyncRAT (Remote Access Trojan)
- **Delivery Mechanism**: Abuse of Virtual Hard Disk (VHD) files for evasion.
- **Infrastructure**: Use of InterPlanetary File System (IPFS) for hosting payloads.
- **Execution Model**: Fileless, in-memory shellcode injection technique.