PROBABLYPWNED
Malware | February 5, 2026 | 4 min read

DEAD#VAX Campaign Hides AsyncRAT in Memory-Only Attack

Securonix uncovers multi-stage fileless campaign using IPFS-hosted VHD files and process injection into signed Windows binaries to deploy AsyncRAT.

James Rivera

A multi-stage malware campaign tracked as DEAD#VAX is using an unusually disciplined attack chain to drop AsyncRAT into memory without ever writing a decrypted payload to disk. The campaign chains IPFS-hosted virtual hard disk files, extreme script obfuscation, and process injection into Microsoft-signed binaries—making detection difficult at every stage.

Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee published their analysis on February 4, describing what they called "disciplined tradecraft and clever abuse of legitimate system features."

The Infection Chain

It starts with phishing. Targets receive emails with links pointing to Virtual Hard Disk (VHD) files disguised as PDF documents, hosted on IPFS (InterPlanetary File System). Hosting malware on IPFS is a deliberate choice—the decentralized network makes takedowns nearly impossible since there's no single server to shut down.

When a victim downloads and mounts the VHD file, Windows treats it as a virtual drive. Inside sits a Windows Script File (WSF) that kicks off the real attack. The WSF runs environment checks first: it probes for virtualization artifacts, verifies it's not running in a sandbox, and confirms minimum memory thresholds are met. If anything looks like a researcher's analysis environment, it bails out.

Past those checks, the WSF drops a heavily obfuscated batch script. This is where things get interesting. The batch stage uses self-parsing logic—reading its own file contents to extract encrypted data embedded within itself. That extracted data feeds into a PowerShell stage wrapped in multiple layers of protection: Unicode pollution, Base64 encoding, rolling XOR decryption, and character shifting. Each layer must be peeled back at runtime before the next becomes readable.

The final payload is encrypted x64 shellcode loaded directly into memory. The loader uses native Windows APIs—OpenProcess, VirtualAllocEx, and CreateRemoteThread—to inject the shellcode into trusted, Microsoft-signed processes like OneDrive.exe, RuntimeBroker.exe, taskhostw.exe, or sihost.exe. Because these are legitimate Windows processes with valid Microsoft signatures, security tools are far less likely to flag the activity.

What AsyncRAT Does Once Inside

AsyncRAT gives attackers broad control over compromised machines:

  • Keylogging and clipboard monitoring capture credentials and sensitive data as users type
  • Screen and webcam capture enable visual surveillance
  • File system access for browsing, downloading, and exfiltrating documents
  • Remote command execution for arbitrary system operations
  • Persistence mechanisms survive reboots through registry modifications and scheduled tasks

The malware also throttles CPU usage via sleep intervals to avoid triggering performance-based detection. A machine running AsyncRAT won't suddenly spike to 100% CPU—the operators are patient enough to keep resource usage inconspicuous.

Why the Fileless Approach Matters

Traditional antivirus relies heavily on scanning files written to disk. DEAD#VAX sidesteps this entirely. The decrypted AsyncRAT payload exists only in memory, inside a trusted Windows process. Endpoint detection and response (EDR) tools that focus on behavioral analysis have a better chance, but the campaign's multi-layered obfuscation and use of legitimate APIs make even behavioral detection harder. The approach mirrors what we saw in the ClickFix fake CAPTCHA campaigns late last month—attackers are investing heavily in evasion layers for commodity malware.

The IPFS hosting layer adds another challenge. Unlike traditional phishing infrastructure that defenders can take down by reporting a malicious domain or IP address, IPFS content is distributed across nodes worldwide. Taking down one node doesn't remove the content—it persists as long as any node pins it.

We've seen similar fileless techniques in recent campaigns like the xWorm RAT steganography attacks and the Remcos RAT multi-stage campaign documented last month. The trend is clear: commodity RATs are shipping with increasingly sophisticated delivery mechanisms that were once reserved for state-sponsored operations.

Detection Guidance

Securonix recommends monitoring for these indicators:

  1. VHD file mounting from user downloads — Track vhdmp.sys driver loading events triggered by files in Downloads or Temp directories
  2. WSF execution from mounted drives — Windows Script Host processes spawning from non-standard drive letters
  3. PowerShell with heavy obfuscation — Look for Base64-encoded commands exceeding typical lengths, especially with nested encoding
  4. Process injection into signed binaries — CreateRemoteThread calls targeting OneDrive.exe, RuntimeBroker.exe, or sihost.exe from unsigned parent processes
  5. Outbound connections from injected processes — Network traffic from processes that shouldn't normally initiate external connections
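Detection logic for indicators 2 to 5 above, run over constructed Sysmon-style events, as an added example that is not code from Securonix or this article; the event field names, the 400-character encoded-command threshold and the set of system processes expected to stay off the network are assumptions:

```python
import ipaddress
import re

# Process names taken from the detection guidance above
INJECTION_TARGETS = {"onedrive.exe", "runtimebroker.exe", "taskhostw.exe", "sihost.exe"}
# Assumption: system processes that have no business initiating external connections
NO_EXTERNAL_NETWORK = {"sihost.exe", "runtimebroker.exe", "taskhostw.exe"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
B64_LEN_THRESHOLD = 400  # assumed cut-off for an "unusually long" -EncodedCommand
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
WSF_RE = re.compile(r'\b([A-Z]):\\[^"\s]*\.wsf\b', re.I)  # .wsf path with its drive letter
def _name(path):  # lower-cased file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()
def check_event(ev):
    """Return the indicator labels one telemetry event matches (empty list if none)."""
    hits, kind = [], ev["event"]
    if kind == "process_create":
        image, cmdline = _name(ev["image"]), ev.get("cmdline", "")
        # 2. Windows Script Host running a .wsf from a non-system drive letter (mounted VHD)
        m = WSF_RE.search(cmdline)
        if image in {"wscript.exe", "cscript.exe"} and m and m.group(1).upper() != "C":
            hits.append("wsf_from_mounted_drive")
        # 3. PowerShell carrying an unusually long Base64 -EncodedCommand
        m = ENC_RE.search(cmdline)
        if image in {"powershell.exe", "pwsh.exe"} and m and len(m.group(1)) > B64_LEN_THRESHOLD:
            hits.append("obfuscated_powershell")
    elif kind == "create_remote_thread":
        # 4. CreateRemoteThread into a signed Microsoft binary from an unsigned source process
        if _name(ev["target_image"]) in INJECTION_TARGETS and not ev.get("source_signed", False):
            hits.append("injection_into_signed_binary")
    elif kind == "network_connect":
        # 5. Connection to a non-RFC1918 address from a process that should not make one
        dst = ipaddress.ip_address(ev["dest_ip"])
        if _name(ev["image"]) in NO_EXTERNAL_NETWORK and not any(dst in n for n in RFC1918):
            hits.append("external_connection_from_system_process")
    return hits

def scan(events):
    """Map event id -> matched indicators, keeping only events that matched something."""
    return {ev["id"]: hits for ev in events if (hits := check_event(ev))}

# Constructed sample telemetry in a simplified Sysmon-like shape (not data from the campaign)
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\wscript.exe" "E:\\Invoice_2026.pdf.wsf"'},
    {"id": 2, "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QUFB" * 150},  # 600-char constructed blob
    {"id": 3, "event": "create_remote_thread", "source_image": "C:\\Users\\u\\AppData\\Local\\Temp\\ld.exe",
     "source_signed": False, "target_image": "C:\\Windows\\System32\\sihost.exe"},
    {"id": 4, "event": "network_connect", "image": "C:\\Windows\\System32\\sihost.exe", "dest_ip": "203.0.113.10"},
]
```

Each rule is independent, so a single multi-stage chain like DEAD#VAX should light up several of them in sequence on the same host, which is a stronger signal than any one hit alone.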

Organizations should also consider blocking VHD file downloads at the email gateway and web proxy level. There are legitimate uses for VHD files, but they're rare enough in most environments that a block-and-whitelist approach is reasonable.
