    Securonix warns of Dead#Vax malware campaign abusing Windows fileless execution

    A new report out today from cybersecurity company Securonix Inc. is warning of a highly sophisticated, multistage malware campaign where attackers are abusing trusted Windows features and fileless execution techniques to bypass traditional security controls.

    The campaign, dubbed “Dead#Vax,” combines social engineering, disk image abuse and in-memory payload delivery to deploy a full-featured remote access trojan while leaving minimal forensic artifacts behind.

    Dead#Vax campaigns begin with targeted phishing emails impersonating legitimate businesses and delivering links to virtual hard disk files hosted on the InterPlanetary File System. The emails are designed to appear routine and business-related, often posing as purchase orders or invoices, while the use of IPFS infrastructure and disk image formats allows the attackers to bypass many email gateway defenses.

    When mounted by a user, the virtual hard disk presents itself as a local drive and strips away Windows’ Mark-of-the-Web protections, allowing malicious files inside to execute with minimal warnings.

    Once the VHD is opened, the infection chain unfolds through a carefully engineered sequence of Windows Script Files, heavily obfuscated batch scripts and PowerShell loaders. Each stage is designed to look relatively harmless in isolation while reconstructing and decrypting the next payload at runtime.

    Securonix’s researchers found that the batch stage employs self-parsing logic and reads its own contents to extract encrypted data, while the PowerShell stage uses multiple layers of obfuscation, including Unicode pollution, Base64 encoding, rolling exclusive OR decryption and character shifting to hide critical strings and execution logic.

    The final Dead#Vax stage sees the delivery of an encrypted x64 shellcode directly into memory while never writing a decrypted executable to disk. The loader uses native Windows application programming interfaces such as OpenProcess, VirtualAllocEx and CreateRemoteThread to inject the shellcode into trusted, Microsoft-signed processes like OneDrive.exe or RuntimeBroker.exe.
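    Telemetry for that CreateRemoteThread step is where a defender would look first. The following is an added example, not code from Securonix's report: it scores constructed Sysmon Event ID 8-style records and flags remote threads created by script hosts inside the signed processes the report names. The pipe-delimited export format, the score weights and the threshold are assumptions made for the example.

```python
from dataclasses import dataclass
# Script hosts that should almost never create a thread inside another process.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Microsoft-signed processes the report names as injection targets.
TRUSTED_TARGETS = {"onedrive.exe", "runtimebroker.exe"}

@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_module: str  # empty when the thread's start address lies outside any loaded module

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one 'Key=Value|Key=Value' record (the constructed export format used below)."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return RemoteThreadEvent(f["SourceImage"], f["TargetImage"], f.get("StartModule", ""))

def score_event(ev: RemoteThreadEvent) -> int:
    """2 for a script-host source, 2 for a named trusted target, 1 for a start address backed by no module."""
    score = 0
    if _basename(ev.source_image) in SCRIPT_HOSTS:
        score += 2
    if _basename(ev.target_image) in TRUSTED_TARGETS:
        score += 2
    if not ev.start_module:  # thread begins in unbacked memory, as with a VirtualAllocEx'd buffer
        score += 1
    return score

def triage(lines, threshold: int = 4) -> list:
    """Return (score, source, target) for records at or above the threshold, highest first."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        s = score_event(ev)
        if s >= threshold:
            hits.append((s, _basename(ev.source_image), _basename(ev.target_image)))
    return sorted(hits, reverse=True)

# Constructed sample records modelled on Sysmon Event ID 8 fields; not real telemetry.
SAMPLE_EVENTS = [
    "EventID=8|SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetImage=C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe|StartModule=|StartFunction=",
    "EventID=8|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\RuntimeBroker.exe|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    "EventID=8|SourceImage=C:\\Windows\\System32\\wscript.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|StartModule=|StartFunction=",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe|StartModule=C:\\Windows\\System32\\kernel32.dll|StartFunction=LoadLibraryA",
]
```

    On the sample records, triage(SAMPLE_EVENTS) returns only the powershell.exe to OneDrive.exe record with a score of 5; the svchost.exe to RuntimeBroker.exe thread scores 2 because it starts in a known module.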

    The researchers confirmed through dynamic analysis that the injected payload is AsyncRAT, a widely abused remote access trojan capable of long-term surveillance, credential theft, data exfiltration and follow-on attacks.

    Securonix noted that the campaign demonstrates a high level of operational maturity: the malware includes multiple anti-analysis and sandbox-evasion checks, such as virtualization detection and minimum memory thresholds, and it plants a reinfection marker in process memory to prevent multiple injections that could destabilize the system.

    Persistence is maintained through stealthy scheduled tasks and script-based launchers that avoid obvious PowerShell indicators and can rotate automatically if removed.

    While attacks using AsyncRAT are not new, the report emphasizes that the delivery framework is the real concern here. By chaining together social engineering, disk image abuse, script-based loaders and in-memory execution, the attackers effectively defeat single-layer detection approaches.

    “This intrusion highlights how modern adversaries can weaponize legitimate system functionality to construct stealthy, resilient and highly evasive malware delivery pipelines,” the report concludes. “Understanding and documenting these techniques is critical for improving detection engineering, strengthening incident response capabilities and adapting defensive strategies to the realities of fileless, multistage attacks.”

    Image: SiliconANGLE/Ideogram