


Perceptive Security
SOC/SIEM Consultancy

DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files
Published:
4 February 2026 at 17:24:00
Alert date:
4 February 2026 at 19:01:15
Source:
thehackernews.com
Ransomware & Malware, Email & Messaging, Operating Systems
A malware campaign tracked as DEAD#VAX deploys the AsyncRAT remote access trojan using a combination of evasion techniques: IPFS-hosted VHD files, heavily obfuscated scripts, runtime decryption of the payload, and in-memory execution that bypasses file-based detection. The campaign shows disciplined tradecraft and abuses legitimate Windows features to stay hidden. It is a significant threat because both its delivery method and its obfuscation evade common security controls.
Technical details
The DEAD#VAX campaign delivers Virtual Hard Disk (VHD) files hosted on IPFS through phishing emails, with the VHD disguised as a PDF purchase order. Opening the VHD mounts it as a drive, and the chain continues through a Windows Script File (WSF), heavily obfuscated batch scripts and a PowerShell loader that decrypts x64 shellcode containing AsyncRAT at runtime. The malware performs environment checks to avoid sandboxes, establishes persistence with scheduled tasks, and injects AsyncRAT into trusted Microsoft-signed processes (RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, sihost.exe) so that the payload runs only in memory and never touches disk as a standalone executable. Sleep intervals between stages control execution timing to reduce the chance of detection.
Mitigation steps:
Block or quarantine VHD and VHDX attachments at the email gateway, including files whose name mimics a PDF purchase order.
Alert on wscript.exe or cscript.exe executing .wsf files and on batch scripts that spawn PowerShell.
Use behavioural detection for process injection into trusted Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe and sihost.exe.
Monitor scheduled task creation that originates from script hosts or PowerShell, the persistence mechanism this campaign uses.
Deploy memory-based detection to identify fileless, memory-resident shellcode execution.
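The detection steps above map directly onto the attack chain in the technical details: a VHD attachment, a script host running a WSF, batch spawning PowerShell, a scheduled task for persistence, and a remote thread created in a trusted process. The following is an added example, not code from Securonix or from the Perceptive page, that implements those checks over constructed sample events. The event field names (pid, parent_pid, image, command_line, source_image, target_image) are assumed Sysmon-style fields, and the sample telemetry is invented to mirror the reported chain, not real campaign data.

```python
"""Detection logic for the DEAD#VAX tradecraft summarised above, run over
constructed sample events. Added illustration; event shapes are assumed
Sysmon (EID 1 process creation, EID 8 CreateRemoteThread) and mail-gateway fields."""

# Trusted Microsoft-signed processes the page lists as AsyncRAT injection hosts.
INJECTION_HOSTS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VHD_EXTS = (".vhd", ".vhdx")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def _image(path):
    """Bare, lower-cased executable name from a full Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(procs, pid):
    """Image names of a process's ancestors, nearest first; stops at unknown parents."""
    chain, seen = [], set()
    pid = procs.get(pid, (None, None))[1]
    while pid in procs and pid not in seen:
        seen.add(pid)
        img, pid = procs[pid]
        chain.append(img)
    return chain


def check_mail_attachment(event):
    """Flag VHD/VHDX attachments, noting a document-looking inner name (e.g. PO.pdf.vhd)."""
    name = event["attachment"].lower()
    if not name.endswith(VHD_EXTS):
        return None
    disguised = name.rsplit(".", 1)[0].endswith(DOC_EXTS)
    return event["attachment"] + (" (disguised as a document)" if disguised else "")


def detect(events):
    """Return (rule, detail) findings from a mixed stream of mail and Sysmon-style events."""
    findings, procs = [], {}  # procs: pid -> (image, parent_pid), used for ancestry walks
    for e in events:
        if e["source"] == "mail":
            hit = check_mail_attachment(e)
            if hit:
                findings.append(("vhd_attachment", hit))
            continue
        if e["event_id"] == 1:  # process creation
            img = _image(e["image"])
            procs[e["pid"]] = (img, e.get("parent_pid"))
            cmd = e.get("command_line", "").lower()
            anc = _ancestors(procs, e["pid"])
            if img in SCRIPT_HOSTS and ".wsf" in cmd:
                findings.append(("wsf_execution", cmd))
            elif img == "powershell.exe" and "cmd.exe" in anc and SCRIPT_HOSTS & set(anc):
                # script host -> batch -> PowerShell is the loader chain the campaign uses
                findings.append(("script_to_powershell_chain",
                                 " -> ".join(reversed(anc)) + " -> powershell.exe"))
            elif img == "schtasks.exe" and "/create" in cmd and {"powershell.exe", *SCRIPT_HOSTS} & set(anc):
                findings.append(("scheduled_task_persistence", cmd))
        elif e["event_id"] == 8:  # CreateRemoteThread: classic injection signal
            if _image(e["target_image"]) in INJECTION_HOSTS:
                findings.append(("remote_thread_into_trusted_process",
                                 f"{_image(e['source_image'])} -> {_image(e['target_image'])}"))
    return findings


# Constructed sample telemetry mirroring the reported chain; not real campaign data.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"source": "mail", "attachment": "Purchase_Order_4471.pdf.vhd"},
    {"source": "mail", "attachment": "invoice.pdf"},  # benign
    {"source": "sysmon", "event_id": 1, "pid": 100, "parent_pid": None,
     "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"source": "sysmon", "event_id": 1, "pid": 200, "parent_pid": 100,
     "image": r"C:\Windows\System32\wscript.exe", "command_line": r'wscript.exe "E:\PO_4471.wsf"'},
    {"source": "sysmon", "event_id": 1, "pid": 300, "parent_pid": 200,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c E:\stage.bat"},
    {"source": "sysmon", "event_id": 1, "pid": 400, "parent_pid": 300,
     "image": PS_PATH, "command_line": "powershell.exe -NoP -W Hidden -Enc <redacted>"},
    {"source": "sysmon", "event_id": 1, "pid": 500, "parent_pid": 400,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /Create /SC MINUTE /MO 5 /TN Updater /TR C:\Users\Public\u.bat"},
    {"source": "sysmon", "event_id": 8, "source_image": PS_PATH,
     "target_image": r"C:\Windows\System32\RuntimeBroker.exe"},
    # benign: an interactive PowerShell started from Explorer has no script-host ancestry
    {"source": "sysmon", "event_id": 1, "pid": 600, "parent_pid": 100,
     "image": PS_PATH, "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

The ancestry walk is what separates the loader chain from an analyst's interactive PowerShell session: the rule fires only when a script host and cmd.exe both sit above the PowerShell process. In production the same logic would read from a SIEM rather than an inline list, and the remote-thread rule should be paired with Sysmon EID 10 (ProcessAccess) because some injection techniques never create a remote thread.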
Affected products:
Windows operating systems
RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, sihost.exe (legitimate Microsoft-signed processes abused as injection hosts, not vulnerable products)
Related links:
https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.html
https://www.securonix.com/blog/deadvax-threat-research-security-advisory/
https://thehackernews.com/2022/11/several-cyber-attacks-observed.html
Related CVEs:
Related threat actors:
IOCs:
No file hashes, domains or IPFS gateway URLs are given in this summary; the indicators below are behavioural:
VHD files disguised as PDF documents
IPFS-hosted malicious files
Windows Script File (WSF) execution
Heavily obfuscated batch scripts
PowerShell process injection into Microsoft-signed processes
AsyncRAT remote access trojan
Scheduled tasks for persistence
Memory-resident shellcode execution
This article was created with the assistance of AI technology by Perceptive.
