DEAD#VAX: When Legitimate Windows Features Become the Perfect Disguise

  • Javier Conejo del Cerro
  • Feb 5
  • 3 min read

The DEAD#VAX campaign marks a clear evolution in modern malware tradecraft. Rather than relying on noisy exploits or obvious malicious binaries, the operators behind this activity assemble a disciplined, multi-stage execution chain that blends seamlessly into legitimate Windows behavior. By abusing trusted file formats, decentralized infrastructure, and memory-resident execution, DEAD#VAX delivers AsyncRAT while leaving almost no forensic footprint on disk. The result is a stealthy intrusion model designed not just to compromise systems, but to remain invisible for as long as possible.


Phase 1: Deception & Delivery – IPFS and the Weaponized VHD


The infection chain begins with a carefully crafted phishing email, typically posing as a routine purchase order. Attached to the message is what appears to be a harmless PDF file. In reality, the attachment is a Virtual Hard Disk (VHD) hosted on the InterPlanetary File System (IPFS), a decentralized storage network that complicates takedown efforts and reputation-based blocking.

When the victim double-clicks the file, Windows automatically mounts it as a virtual drive rather than opening it as a document. This behavior, while legitimate, allows the attackers to bypass certain security controls that focus on traditional executable delivery. Inside the mounted drive lies the true entry point of the attack.
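Because the lure relies on a disk image wearing a document's extension, a mail gateway or attachment scanner can catch it by checking content rather than file name. The following is an added example, not code from the article or from any product it mentions: it identifies VHD and VHDX images by their on-disk signatures (the "conectix" hard-disk footer cookie for VHD, which dynamic VHDs also mirror at offset 0, and the "vhdxfile" identifier at offset 0 for VHDX) and flags any attachment whose extension claims otherwise. The sample attachments, their names and their bytes are constructed for the example.

```python
# Added example (not part of the original article): spot e-mail attachments that
# claim to be documents but are really VHD/VHDX disk images, by content only.
# All sample attachment names and bytes below are constructed for this example.

PDF_MAGIC = b"%PDF"
VHD_COOKIE = b"conectix"      # VHD hard-disk footer cookie (also mirrored at offset 0 in dynamic VHDs)
VHDX_SIGNATURE = b"vhdxfile"  # VHDX file identifier at offset 0


def detect_format(data: bytes) -> str:
    """Return 'pdf', 'vhd', 'vhdx' or 'unknown' from the bytes alone."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(VHDX_SIGNATURE):
        return "vhdx"
    # Fixed VHDs carry a 512-byte footer at the very end of the file;
    # dynamic and differencing VHDs additionally place a copy of it at offset 0.
    footer = data[-512:] if len(data) >= 512 else b""
    if data.startswith(VHD_COOKIE) or footer.startswith(VHD_COOKIE):
        return "vhd"
    return "unknown"


def is_disguised_disk_image(filename: str, data: bytes) -> bool:
    """True when the extension promises something else but the bytes are a disk image."""
    claimed = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return detect_format(data) in ("vhd", "vhdx") and claimed not in ("vhd", "vhdx")


def build_fixed_vhd(payload_size: int = 1024) -> bytes:
    """Constructed minimal fixed-VHD image: zeroed data block followed by a footer."""
    footer = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    return b"\x00" * payload_size + footer


# Constructed sample attachments (names and contents are made up for the example).
SAMPLE_ATTACHMENTS = {
    "Purchase_Order_4471.pdf": build_fixed_vhd(),          # VHD posing as a PDF
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",         # genuine PDF header
    "disk.vhdx": VHDX_SIGNATURE + b"\x00" * 1016,          # honestly named VHDX
}


def triage(attachments: dict) -> list:
    """Names of attachments that should be quarantined, sorted for stable output."""
    return sorted(name for name, data in attachments.items()
                  if is_disguised_disk_image(name, data))


if __name__ == "__main__":
    for name in triage(SAMPLE_ATTACHMENTS):
        print(f"ALERT: {name} is a disk image disguised as a document")
```

The check deliberately ignores the extension when deciding what the bytes are; the extension is consulted only to decide whether the sender was honest about it. Real scanners should also look inside nested containers (ZIP, ISO) since a VHD can be wrapped before delivery.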


Phase 2: Script Abuse & Environment Validation


Within the VHD, the victim is presented with a Windows Script File (WSF), which they are meant to take for part of the supposed document. Once executed, this script launches a heavily obfuscated batch file, followed by self-parsing PowerShell loaders.

Before advancing further, the malware performs a series of checks to ensure it is running on a real user system. These checks validate privileges and attempt to detect virtualized or sandboxed environments. If analysis artifacts are detected, execution halts. This conditional logic ensures the payload only activates in environments that are valuable to the attacker.


Phase 3: Runtime Decryption & In-Memory Injection


After passing the validation stage, the PowerShell component decrypts an embedded x64 shellcode payload entirely at runtime. This payload is AsyncRAT, delivered in encrypted form and never written to disk as a recognizable executable.

The decrypted shellcode is injected directly into trusted, Microsoft-signed Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. By running inside legitimate processes, the malware blends into normal system activity and significantly reduces the likelihood of detection by traditional endpoint security tools.


Phase 4: Persistence Without Artifacts


To maintain long-term access, DEAD#VAX establishes persistence using scheduled tasks, again leveraging native Windows functionality rather than introducing suspicious binaries. The entire execution engine operates in memory, avoiding file creation and minimizing forensic evidence.

The malware further refines its stealth by carefully controlling execution timing. Sleep intervals and throttling reduce CPU usage, limit suspicious Win32 API call bursts, and make runtime behavior appear less anomalous during monitoring.


Phase 5: AsyncRAT in Action


Once fully deployed, AsyncRAT provides attackers with broad control over the compromised endpoint. Capabilities include keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and data exfiltration. Because the trojan runs filelessly within trusted processes, defenders face significant challenges in both detection and post-incident reconstruction.


Measures to Fend Off DEAD#VAX


To counter campaigns like DEAD#VAX, organizations should focus on layered defensive controls that go beyond traditional malware signatures:

  • Monitor and restrict the use of VHD files delivered via email, especially those masquerading as documents

  • Inspect and alert on anomalous Windows Script File (WSF), batch, and PowerShell execution chains

  • Detect memory injection into trusted Microsoft-signed processes

  • Apply behavioral analysis to identify fileless malware and in-memory execution patterns

  • Monitor for IPFS-based content delivery and other decentralized hosting abuse

  • Strengthen phishing awareness training around non-traditional file formats

  • Implement endpoint visibility capable of correlating script behavior, persistence mechanisms, and runtime anomalies
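Several of the measures above (anomalous WSF/batch/PowerShell chains, injection into signed processes, scheduled-task persistence) are really one correlation problem over endpoint telemetry. The following is an added example, not code from the article or from any product: it runs four simple rules over constructed, Sysmon-style events that model Phases 2 to 4. The event shape, field names, PIDs, paths and command lines are all assumptions made for the example; "type" 1 and 10 are modelled loosely on the Sysmon process-create and process-access event IDs.

```python
# Added example (not part of the original article): correlate constructed
# Sysmon-style endpoint events to surface the behavioural chain the article
# describes. Event shapes, field names, PIDs and command lines are assumptions.
import re

# Signed host processes the article names as injection targets.
SIGNED_HOST_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
# A .wsf launched from any drive letter other than C: (a freshly mounted VHD
# appears as a new drive letter).
WSF_ON_NON_SYSTEM_DRIVE = re.compile(r'\b([a-bd-z]):\\[^"\s]*\.wsf\b', re.IGNORECASE)

# Constructed sample telemetry. type 1 = process create, type 10 = process access.
EVENTS = [
    {"type": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"type": 1, "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "E:\Purchase_Order.wsf"'},
    {"type": 1, "pid": 510, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "E:\stage.bat"'},
    {"type": 1, "pid": 520, "ppid": 510,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc CONSTRUCTED_BLOB"},
    {"type": 10, "source_pid": 520, "target_image": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"type": 1, "pid": 530, "ppid": 520, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "powershell.exe -w hidden"'},
    # Benign noise: an interactive PowerShell started from Explorer.
    {"type": 1, "pid": 600, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
]


def image_name(path: str) -> str:
    """Lower-case file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image names walking from pid up through its parents (child first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return sorted (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == 1}
    alerts = set()
    for e in events:
        if e["type"] == 1:
            name = image_name(e["image"])
            chain = ancestry(by_pid, e["pid"])
            cmd = e["cmd"]
            # Rule 1: script host running a .wsf from a non-system drive (mounted VHD).
            if name == "wscript.exe" and WSF_ON_NON_SYSTEM_DRIVE.search(cmd):
                alerts.add(("wsf_from_mounted_volume", e["pid"]))
            # Rule 2: the wscript -> cmd -> powershell execution chain.
            if chain[:3] == ["powershell.exe", "cmd.exe", "wscript.exe"]:
                alerts.add(("script_chain", e["pid"]))
            # Rule 3: scheduled task registered by a PowerShell parent (persistence).
            if name == "schtasks.exe" and "/create" in cmd.lower() and chain[1:2] == ["powershell.exe"]:
                alerts.add(("schtasks_persistence", e["pid"]))
        elif e["type"] == 10:
            # Rule 4: PowerShell opening a handle to a trusted signed host process.
            src = by_pid.get(e["source_pid"])
            if src and image_name(src["image"]) == "powershell.exe" \
                    and image_name(e["target_image"]) in SIGNED_HOST_TARGETS:
                alerts.add(("access_signed_process", e["source_pid"]))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26} pid={pid}")
```

The interactive PowerShell (pid 600) trips none of the rules, which is the point: each rule keys on a relationship between processes (parentage, handle target, launch location) rather than on the mere presence of a signed binary, since every process in the chain is a legitimate Windows component. In production, the same rules would read from a SIEM or EDR rather than an inline list, and rule 4 would be tuned to the access-mask and call-trace fields the platform exposes.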


DEAD#VAX illustrates how modern malware campaigns no longer rely on a single malicious file, but on carefully orchestrated execution pipelines where each component appears benign in isolation. By abusing trusted Windows features, decentralized infrastructure, and memory-resident execution, attackers dramatically raise the bar for detection and response.

For defenders, this campaign reinforces a critical lesson: visibility into behavior, context, and execution flow is now more important than ever. As malware continues to evolve toward fileless, stealth-first models, security strategies must evolve accordingly, focusing not just on what runs, but how and where it runs.



The Hacker News