DEAD#VAX campaign mounts IPFS VHDs to deliver in-memory AsyncRAT

In a technical analysis, Securonix detailed a new stealthy malware campaign called DEAD#VAX that uses IPFS-hosted VHD files disguised as PDF purchase orders to mount virtual drives and deliver AsyncRAT as encrypted shellcode that runs in memory.

KEY FACTS

  • Incident: DEAD#VAX delivers an in-memory AsyncRAT remote access trojan
  • Delivery: IPFS-hosted VHD files disguised as PDF purchase orders
  • Technique: Encrypted x64 shellcode is injected into trusted Windows processes without a decrypted file on disk
  • Persistence: Uses scheduled tasks and in-memory process injection into Microsoft-signed processes

Technical details from the report show the chain begins with a phishing email that delivers a VHD file hosted on the InterPlanetary Filesystem. When a user opens the file, it mounts as a virtual drive and exposes a Windows Script File (WSF) that is presented as a PDF document.

The mounted drive contains a WSF script that drops an obfuscated batch script and a self-parsing PowerShell loader. The batch component performs environment checks to detect sandboxes and virtual machines before allowing execution to proceed.

The PowerShell loader decrypts an embedded x64 shellcode payload and injects it into trusted Microsoft-signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. The payload is AsyncRAT running entirely in memory, and the campaign never writes a decrypted executable to disk.

Additional evasions include heavy script obfuscation, runtime decryption, controlled sleep intervals to reduce CPU and API activity, and scheduled tasks for persistence. The report lists AsyncRAT capabilities as keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots.
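As an added illustration of how the stages described above could be correlated in endpoint telemetry (example code written for this summary, not from Securonix or the report), the following Python walks constructed, simplified Sysmon-like records and flags each stage: a .wsf launched from a freshly attached VHD drive letter, the script host to cmd to PowerShell lineage, a remote thread from PowerShell into one of the named trusted processes, and scheduled-task creation beneath that PowerShell. The event shapes, drive letter, file names and paths are assumptions, not indicators from the report.

```python
import re

# Injection hosts named in the report, and the script hosts that run .wsf files.
TRUSTED_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WSF_PATH = re.compile(r'([A-Z]):\\[^"\s]*\.wsf', re.I)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not from the report), in a simplified Sysmon-like shape:
# proc_create ~ EID 1, remote_thread ~ EID 8. The vhd_attach record is assumed to come
# from whatever mount log the environment has, carrying the assigned drive letter.
SAMPLE_EVENTS = [
    {"type": "vhd_attach", "drive": "E:"},
    {"type": "proc_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmd": r'wscript.exe "E:\Purchase_Order.pdf.wsf"'},
    {"type": "proc_create", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\<obfuscated>.bat"'},
    {"type": "proc_create", "pid": 400, "ppid": 300, "image": PS, "cmd": "powershell.exe <obfuscated loader>"},
    {"type": "remote_thread", "source": PS, "target": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"type": "proc_create", "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe", "cmd": "schtasks.exe /create /tn <placeholder> ..."},
    # Benign control: an admin script run from the system drive with no VHD involved.
    {"type": "proc_create", "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmd": r'wscript.exe "C:\Tools\inventory.wsf"'},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(procs, pid, depth=4):
    # Walk pid -> parent up to `depth` levels, returning image basenames (child first).
    chain = []
    while pid in procs and len(chain) < depth:
        img, pid = procs[pid]
        chain.append(img)
    return chain

def detect_deadvax_chain(events):
    # Returns a (rule, detail) finding for each stage of the chain seen in the events.
    findings, mounted, procs = [], set(), {}
    for ev in events:
        if ev["type"] == "vhd_attach":
            mounted.add(ev["drive"].rstrip(":").upper())
        elif ev["type"] == "proc_create":
            img = basename(ev["image"])
            procs[ev["pid"]] = (img, ev["ppid"])
            chain = lineage(procs, ev["pid"])
            m = WSF_PATH.search(ev["cmd"])
            if img in SCRIPT_HOSTS and m and m.group(1).upper() in mounted:
                findings.append(("wsf_from_mounted_vhd", ev["cmd"]))
            if img == "powershell.exe" and chain[1:2] == ["cmd.exe"] and chain[2:3] and chain[2] in SCRIPT_HOSTS:
                findings.append(("script_chain_to_powershell", " <- ".join(chain)))
            if img == "schtasks.exe" and "/create" in ev["cmd"].lower() and "powershell.exe" in chain[1:]:
                findings.append(("schtasks_from_script_chain", ev["cmd"]))
        elif ev["type"] == "remote_thread" and basename(ev["source"]) == "powershell.exe":
            if basename(ev["target"]) in TRUSTED_TARGETS:
                findings.append(("injection_into_trusted_process", basename(ev["target"])))
    return findings
```

Each rule fires on its own stage, so a partial chain still produces findings; the benign .wsf from the system drive produces none.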

WHY IT MATTERS

Fileless, in-memory delivery through mounted VHDs and trusted process injection reduces forensic artifacts and can evade traditional endpoint controls. That combination makes detection and incident response more difficult for defenders.