Security researchers have disclosed a stealthy malware campaign dubbed DEAD#VAX that uses a mix of disciplined tradecraft and legitimate system features to deploy AsyncRAT. The infection begins with a phishing email delivering a Virtual Hard Disk (VHD) hosted on the InterPlanetary File System (IPFS), with the VHD disguised as a PDF file for purchase orders.
The campaign employs Windows Script Files, heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deliver encrypted x64 shellcode that is injected directly into trusted Windows processes and executed in memory.
According to Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee in a report shared with The Hacker News, AsyncRAT provides extensive control, including keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots, while never dropping a decrypted binary to disk. The final payload targets Microsoft-signed processes such as RuntimeBroker[.]exe, OneDrive[.]exe, taskhostw[.]exe and sihost[.]exe to avoid forensic traces.
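As an added, defender-side illustration (not code from the Securonix report or this article), the following Python hunt flags the stages of the chain described above in constructed Sysmon-style events: a VHD named to look like a purchase-order PDF, a .wsf run by wscript, a hidden PowerShell stage spawned from a batch script, and a remote thread created in one of the signed host processes the report names. The event schema, the double-extension naming of the VHD, and the hidden-window/parent-cmd heuristics are assumptions, not details taken from the report.

```python
import re
from typing import Dict, List, Optional

# Microsoft-signed host processes named in the report as injection targets
INJECTION_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Map one event to the chain stage it resembles, or None."""
    img, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    parent, target = ev.get("parent", "").lower(), ev.get("target", "").lower()
    if ev["type"] == "file_create" and re.search(r"\.pdf\.vhdx?$", target):
        return "vhd_masquerade"  # assumed double extension: reads as PDF, mounts as a disk
    if ev["type"] == "process_create":
        if img.endswith(("wscript.exe", "cscript.exe")) and ".wsf" in cmd:
            return "wsf_launch"
        if img.endswith("powershell.exe") and parent.endswith("cmd.exe") and (
                "-enc" in cmd or "-w hidden" in cmd or "windowstyle hidden" in cmd):
            return "ps_loader"  # batch script handing off to a hidden PowerShell stage
    if (ev["type"] == "remote_thread" and img.endswith("powershell.exe")
            and target.rsplit("\\", 1)[-1] in INJECTION_TARGETS):
        return "injection_into_signed_host"
    return None

def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect matched stages per host, preserving event order."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.setdefault(ev["host"], []).append(stage)
    return hits

def suspicious_hosts(events: List[Dict[str, str]], min_stages: int = 2) -> List[str]:
    """Hosts showing at least min_stages distinct stages; a single stage is often benign."""
    return sorted(h for h, s in hunt(events).items() if len(set(s)) >= min_stages)

# Constructed sample events (not from the report); hosts, paths and names are invented
SAMPLE = [
    {"host": "WS01", "type": "file_create", "image": "C:\\Program Files\\Browser\\browser.exe",
     "target": "C:\\Users\\alice\\Downloads\\PurchaseOrder_4471.pdf.vhd"},
    {"host": "WS01", "type": "process_create", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "wscript.exe \"E:\\PurchaseOrder.wsf\""},
    {"host": "WS01", "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell.exe -w hidden -nop -c \"...\""},
    {"host": "WS01", "type": "remote_thread", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Windows\\System32\\RuntimeBroker.exe"},
    {"host": "WS02", "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
```

Running `suspicious_hosts(SAMPLE)` returns only WS01, whose four matched stages line up with the chain above, while the interactive PowerShell run on WS02 is left alone.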