Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Rise of Stealthy Malware: How DEAD#VAX Exploits IPFS-Hosted VHD Phishing Files to Deploy AsyncRAT



A newly documented malware campaign tracked as DEAD#VAX delivers the AsyncRAT remote access trojan through phishing emails that carry IPFS-hosted Virtual Hard Disk (VHD) files disguised as PDF purchase orders. Everything after the initial lure runs through PowerShell and ends in encrypted shellcode that exists only in process memory, which makes detection and forensic reconstruction harder and argues for keeping threat intelligence and incident response playbooks current.



  • The DEAD#VAX campaign combines disciplined tradecraft with abuse of legitimate Windows features to evade traditional detection.
  • IPFS-hosted Virtual Hard Disk (VHD) files, disguised as PDF purchase orders, sidestep controls that inspect conventional attachments; nothing in the first stage looks overtly malicious.
  • The infection chain starts with a phishing email carrying the VHD file, which Windows mounts as a new drive letter when the user opens it.
  • The payload first checks that it is not running inside a virtual machine or sandbox and that it holds sufficient privileges before it proceeds.
  • A PowerShell-based process injector and persistence module then re-validates the environment, decrypts embedded payloads, registers scheduled tasks for persistence, and injects into Microsoft-signed Windows processes.
  • The final stage is encrypted x64 shellcode delivered through self-parsing PowerShell loaders, so no decrypted binary ever touches disk.
  • The broader pattern: modern campaigns rely on trusted file formats, script abuse, and memory-resident execution, with each stage looking benign in isolation.
  • AsyncRAT runs as encrypted, memory-resident shellcode inside a trusted process, leaving few on-disk artifacts for responders.



    Malware campaigns increasingly rely on layered tactics to slip past traditional detection, and the DEAD#VAX campaign is a clear example of the trend. Threat hunters at Securonix describe it as combining "disciplined tradecraft" with "clever abuse of legitimate system features" to deploy the remote access trojan (RAT) known as AsyncRAT.

    The delivery vehicle is a Virtual Hard Disk (VHD) file, hosted on the InterPlanetary File System (IPFS) and disguised as a PDF purchase order. IPFS content is addressed by hash and retrieved through gateways rather than from a domain the attacker had to register, which makes the hosting resistant to takedown and weakens domain-reputation filtering; the VHD container, in turn, is a format that many attachment scanners do not unpack, so the first stage appears benign.

    According to Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, the infection sequence begins with a phishing email that delivers the VHD file. When the user double-clicks it, Windows mounts the image with its built-in virtual disk support and presents the contents as a new drive letter, much as if a removable disk had been attached. The lure and the loader therefore run from a mounted volume rather than from an attachment, a boundary that attachment filters often do not cross, which is what makes the technique effective.
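
    A gateway or triage check that judges the attachment by what it is rather than what it is called, added here as an example and not code from the Securonix write-up or from the campaign: it parses the 512-byte VHD footer (cookie, disk type, checksum) so that a disk image renamed or double-extensioned as a PDF is still recognised. The file name Purchase_Order_4471.pdf.vhd and the in-memory VHD the script builds are constructed for the demonstration, and the document and disk-image extension lists are the author's choice.

```python
"""Detect VHD disk images by their on-disk structure rather than their name.

Added example for this article; not code from Securonix or from the campaign.
The file names and byte contents below are constructed for illustration.
Footer layout follows Microsoft's VHD specification (512-byte footer).
"""
import struct
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

VHD_COOKIE = b"conectix"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}   # author's choice
DISK_IMAGE_EXTS = {".vhd", ".vhdx", ".iso", ".img"}                  # author's choice

# Hard disk footer, big-endian: cookie, features, version, data offset,
# timestamp, creator app, creator version, creator OS, original size,
# current size, geometry, disk type, checksum, unique id, saved state, reserved.
FOOTER = struct.Struct(">8sIIQI4sI4sQQ4sII16sB427s")
CHECKSUM_OFFSET = 64  # byte offset of the 4-byte checksum inside the footer


@dataclass
class VhdFooter:
    disk_type: str
    current_size: int
    creator_app: str
    checksum_ok: bool
    found_at: str  # "tail" on every VHD; a "head" copy exists on dynamic/differencing disks


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, computed with the checksum field zeroed."""
    scratch = bytearray(footer)
    scratch[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = b"\0\0\0\0"
    return (~sum(scratch)) & 0xFFFFFFFF


def parse_vhd_footer(data: bytes) -> Optional[VhdFooter]:
    """Return footer details if `data` is a VHD, else None. The footer sits in the
    last 512 bytes; dynamic/differencing disks also keep a copy in the first 512,
    which is the one to check when a scanner only has the first sector."""
    if len(data) < 512:
        return None
    for where, blob in (("tail", data[-512:]), ("head", data[:512])):
        if blob[:8] != VHD_COOKIE:
            continue
        f = FOOTER.unpack(blob)
        return VhdFooter(
            disk_type=DISK_TYPES.get(f[11], f"unknown({f[11]})"),
            current_size=f[9],
            creator_app=f[5].decode("ascii", "replace").rstrip("\0 "),
            checksum_ok=f[12] == vhd_checksum(blob),
            found_at=where,
        )
    return None


def build_fixed_vhd(content: bytes) -> bytes:
    """Construct a minimal fixed-size VHD in memory as sample input (not a real
    phishing file): sector-padded content followed by a footer with a valid checksum."""
    padded = content + b"\0" * (-len(content) % 512)
    geometry = struct.pack(">HBB", max(len(padded) // 512, 1), 1, 1)  # cylinders, heads, sectors
    footer = bytearray(FOOTER.pack(
        VHD_COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"demo", 1, b"Wi2k",
        len(padded), len(padded), geometry, 2, 0, bytes(range(16)), 0, b"\0" * 427))
    struct.pack_into(">I", footer, CHECKSUM_OFFSET, vhd_checksum(bytes(footer)))
    return padded + bytes(footer)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide on an attachment from its bytes first, then cross-check the name."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    footer = parse_vhd_footer(data)
    # A document extension buried before the real one (Purchase_Order.pdf.vhd) is
    # shown as "Purchase_Order.pdf" by Explorer when known extensions are hidden.
    masquerade = len(suffixes) > 1 and any(s in DOCUMENT_EXTS for s in suffixes[:-1])
    reasons, verdict = [], "allow"
    if footer is not None:
        verdict = "block"
        reasons.append(f"VHD footer ({footer.disk_type} disk) found at {footer.found_at}")
        if not footer.checksum_ok:
            reasons.append("footer checksum mismatch")
        if suffixes and suffixes[-1] not in DISK_IMAGE_EXTS:
            reasons.append(f"extension {suffixes[-1]} does not match VHD content")
    if masquerade:
        reasons.append("document extension precedes real extension")
        verdict = "block" if footer is not None else "quarantine"
    return {"is_vhd": footer is not None, "verdict": verdict, "masquerade": masquerade,
            "disk_type": footer.disk_type if footer else None, "reasons": reasons}


if __name__ == "__main__":
    sample = build_fixed_vhd(b"constructed sample content, not a real payload")
    for name, blob in [("Purchase_Order_4471.pdf.vhd", sample),   # constructed lure name
                       ("invoice.pdf", sample),                     # image renamed outright
                       ("report.pdf", b"%PDF-1.7\n" + b"\0" * 600)]:
        print(name, classify_attachment(name, blob))
```

    The decision is driven by the footer, not the extension: the renamed "invoice.pdf" is still blocked, while a double extension on a genuine document only earns a quarantine. Checking the checksum separately matters because a scanner should still flag a VHD whose footer has been tampered with rather than silently treating it as unknown data.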

    Once the content of the image is launched, the payload first checks that it is not running inside a virtual machine or sandbox and that it holds sufficient privileges to continue. Only when those checks pass does the script hand off to a PowerShell-based process injector and persistence module, which re-validates the execution environment, decrypts the embedded payloads, sets up persistence through scheduled tasks, and injects the final malware into Microsoft-signed Windows processes.

    Because no decrypted binary is ever written to disk, this design raises stealth and makes detection and forensic reconstruction substantially harder. The final stage is encrypted x64 shellcode carried inside self-parsing PowerShell loaders; once injected, its activity appears to originate from trusted, signed Windows processes. Memory-resident does not mean artifact-free, however: PowerShell script block logging (Event ID 4104), scheduled task creation events (Security Event ID 4698), and a memory capture of the host process still record each stage for anyone who collects them.
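
    For the loader stage, the practical defensive question is what a command line or script block of this shape looks like in PowerShell logging and how to score it without flagging every administrator script that touches WMI or scheduled tasks. The following is an added example in Python, not Securonix's detection content and not the DEAD#VAX loader: it decodes -EncodedCommand arguments (base64 of UTF-16LE, following nested layers), groups matches into the stages described above (environment check, privilege check, decryption, scheduled-task persistence, injection), and rates only their co-occurrence as high. The indicator names are generic PowerShell and Win32 API names a loader of this kind would need, an assumption by the author rather than published indicators for this campaign, and both sample scripts are constructed, deliberately non-functional fragments.

```python
"""Triage PowerShell script block text for the stages a fileless loader chains.

Added example for this article, not the Securonix detection content and not
the DEAD#VAX loader. Indicator names are generic PowerShell / Win32 API names
such a loader needs (the author's assumption, not published IOCs), and both
sample scripts below are constructed log excerpts, deliberately non-functional.
"""
import base64
import re
from typing import Dict, List

# One indicator family per stage the write-up describes.
STAGES: Dict[str, List[str]] = {
    "env_check": [r"Win32_ComputerSystem", r"Win32_BIOS", r"VMware|VirtualBox|QEMU|Hyper-V"],
    "priv_check": [r"WindowsIdentity\]::GetCurrent", r"IsInRole", r"BuiltInRole\]::Administrator"],
    "decrypt": [r"FromBase64String", r"Aes(Managed|CryptoServiceProvider)", r"CreateDecryptor"],
    "persist": [r"Register-ScheduledTask", r"New-ScheduledTaskAction", r"schtasks(\.exe)?\s+/create"],
    "inject": [r"VirtualAlloc(Ex)?", r"WriteProcessMemory", r"CreateRemoteThread", r"DllImport\(\"kernel32"],
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE, the encoding -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded_commands(text: str, depth: int = 3) -> str:
    """Append each decodable -EncodedCommand payload to the text so indicators
    inside it become visible; repeats for nested encodings up to `depth` levels."""
    out = text
    for _ in range(depth):
        grew = False
        for m in ENCODED_ARG.finditer(out):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64/UTF-16 after all; leave it alone
            if decoded not in out:
                out += "\n" + decoded
                grew = True
        if not grew:
            break
    return out


def triage_script_block(text: str) -> dict:
    """Score a 4104-style script block or command line by which stages co-occur."""
    expanded = expand_encoded_commands(text)
    hits: Dict[str, List[str]] = {}
    for stage, patterns in STAGES.items():
        found = sorted({m.group(0) for p in patterns for m in re.finditer(p, expanded, re.IGNORECASE)})
        if found:
            hits[stage] = found
    stages = set(hits)
    if "inject" in stages and len(stages) >= 3:
        severity = "high"      # injection plus decrypt/persist/checks: loader shape
    elif "inject" in stages or len(stages) >= 3:
        severity = "medium"
    elif stages:
        severity = "low"       # admin scripts also touch WMI and scheduled tasks
    else:
        severity = "none"
    return {"severity": severity, "stages": sorted(stages), "indicators": hits,
            "was_encoded": expanded != text}


# Constructed, non-functional fragment with the shape the article describes.
LOADER_SAMPLE = r"""
if ((Get-CimInstance Win32_ComputerSystem).Manufacturer -match 'VMware|VirtualBox') { exit }
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not (New-Object Security.Principal.WindowsPrincipal $id).IsInRole('Administrator')) { exit }
$aes = New-Object System.Security.Cryptography.AesManaged
$sc = $aes.CreateDecryptor().TransformFinalBlock([Convert]::FromBase64String($blob), 0, $n)
Register-ScheduledTask -TaskName 'Updater' -Action (New-ScheduledTaskAction -Execute 'powershell.exe')
$m = [K32]::VirtualAllocEx($h, 0, $sc.Length, 0x3000, 0x40)
[K32]::WriteProcessMemory($h, $m, $sc, $sc.Length, [ref]0)
[K32]::CreateRemoteThread($h, 0, 0, $m, 0, 0, 0)
"""
# The process command line as a log would record it once the loader is encoded.
LOGGED_COMMAND = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(LOADER_SAMPLE)

# Constructed benign admin script: WMI plus a scheduled task, no injection.
ADMIN_SAMPLE = r"""
$cs = Get-CimInstance Win32_ComputerSystem
Register-ScheduledTask -TaskName 'NightlyBackup' -Action (New-ScheduledTaskAction -Execute 'robocopy.exe')
"""

if __name__ == "__main__":
    for label, blob in [("loader", LOGGED_COMMAND), ("admin", ADMIN_SAMPLE)]:
        r = triage_script_block(blob)
        print(label, r["severity"], r["stages"], "encoded" if r["was_encoded"] else "plain")
```

    The scoring deliberately keys on stage co-occurrence rather than on any single API: the admin sample hits two families and stays low, while the encoded loader fragment, once decoded, hits all five and is rated high. Decoding the -EncodedCommand argument before matching is what makes the difference; a rule that only looks at the raw command line sees nothing but base64.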

    The implications are broad. Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls. Rather than dropping a single malicious binary, attackers build multi-stage execution pipelines in which each component looks benign when analysed in isolation: a disk image, a script, a scheduled task, a signed Windows process. Detection, analysis, and incident response all become harder as a result.

    Running AsyncRAT as encrypted, memory-resident shellcode lowers its exposure to endpoint controls that key on files, and the fileless execution model leaves few artifacts on disk for responders to recover.

    Threats like DEAD#VAX underscore the need to keep threat intelligence and incident response capabilities current. This campaign exploits no software vulnerability; it chains features that Windows provides by design, so defenders must track changes in attacker tradecraft rather than patch levels alone.

    Researchers also warn that this shift toward more sophisticated campaigns makes user awareness and education more important, not less. Unexpected disk image attachments, and "documents" that mount as a drive when opened, should be treated with suspicion, and users should remain cautious with emails, attachments, and links from unknown sources, which remain the most common entry point into their systems.

    In conclusion, stealthy campaigns such as DEAD#VAX call for defensive measures that do not hinge on a malicious binary touching disk. As attackers keep refining their tradecraft, staying informed about emerging trends in threat intelligence and adapting detection strategies accordingly will remain essential.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Stealthy-Malware-How-DEADVAX-Exploits-IPFS-Hosted-VHD-Phishing-Files-to-Deploy-AsyncRAT-ehn.shtml

  • https://thehackernews.com/2026/02/deadvax-malware-campaign-deploys.html

  • https://www.securonix.com/blog/deadvax-threat-research-security-advisory/


  • Published: Wed Feb 4 13:02:27 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
