Threat hunters have revealed details of a sophisticated malware operation named DEAD#VAX, a stealth-focused campaign that combines disciplined operational techniques with the abuse of legitimate Windows features to evade detection and deploy the AsyncRAT remote access trojan.
According to researchers from Securonix, the campaign relies on IPFS-hosted virtual hard disk files, advanced script obfuscation, runtime decryption, and in-memory shellcode injection. The approach allows attackers to compromise systems without ever writing a decrypted malware binary to disk, significantly reducing forensic visibility.
AsyncRAT is an open-source remote access trojan that gives attackers deep control over infected systems. Once deployed, it enables activities such as keystroke logging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across system restarts.
The infection chain begins with a phishing email that delivers a malicious Virtual Hard Disk (VHD) file hosted on the decentralized InterPlanetary File System (IPFS) network. These VHD files are disguised as PDF purchase orders, increasing the likelihood that victims will open them.
The campaign follows a multi-stage execution model that abuses Windows Script Files, heavily obfuscated batch scripts, and self-parsing PowerShell loaders. These components work together to deliver an encrypted 64-bit shellcode payload. The shellcode contains AsyncRAT and is injected directly into trusted Windows processes, where it executes entirely in memory.
Researchers explained that when a victim double-clicks the file believing it to be a PDF document, the operating system mounts it as a virtual drive. The use of VHD files serves as an effective evasion technique, allowing the malware to bypass certain security controls that typically focus on traditional executable formats.
Inside the mounted drive, typically assigned the letter E, is a Windows Script File that masquerades as a document. When executed, it drops and launches an obfuscated batch script. This script performs multiple environment checks to confirm that it is not running inside a sandbox or virtual machine and that sufficient privileges are available to continue execution.

Once these checks are completed, the script launches a PowerShell-based injector and persistence module. This component validates the execution environment, decrypts embedded payloads, establishes persistence through scheduled tasks, and injects the final malware into Microsoft-signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. This strategy allows the malware to avoid leaving artifacts on disk.
The PowerShell loader acts as a stealth execution engine that enables AsyncRAT to operate fully in memory while blending into normal system behavior. This design supports long-term access to compromised systems without raising immediate suspicion.
To further reduce detection, the malware carefully controls execution timing and introduces sleep intervals. These delays lower CPU usage, limit rapid Win32 API calls, and make runtime behavior appear less abnormal to monitoring tools.
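The chain described above leaves a distinctive process lineage in endpoint telemetry even though nothing decrypted touches disk. The following is an added example, not code from the article or from Securonix: a small correlation rule run over constructed Sysmon-style events (event IDs 1 and 8, simplified field names, made-up paths and PIDs) that scores each stage of the chain, from a .wsf launched off a mounted drive letter through cmd.exe and PowerShell to a remote thread created in one of the signed target processes the article names.

```python
# Added example, not from the article or Securonix: a correlation rule over constructed events.
import ntpath
import re

SIGNED_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
# A .wsf sitting at the root of a non-system drive letter, i.e. a freshly mounted VHD.
MOUNTED_WSF = re.compile(r'"?[D-Z]:\\[^\\"]+\.wsf"?', re.IGNORECASE)

# Constructed sample telemetry (not real logs); id 1/8 mirror Sysmon event IDs, fields simplified.
EVENTS = [
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 410, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "E:\PurchaseOrder.pdf.wsf"'},
    {"id": 1, "pid": 420, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\Public\stage.bat"'},
    {"id": 1, "pid": 430, "ppid": 420, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc QQBB"},
    {"id": 8, "source_pid": 430, "target_image": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Remote thread from a process with no creation event in our window: only a partial match.
    {"id": 8, "source_pid": 200, "target_image": r"C:\Windows\System32\taskhostw.exe"},
]

def _name(path):
    return ntpath.basename(path).lower()  # ntpath handles backslash paths on any OS

def ancestry(events, pid):
    """Yield process-creation events for pid and then each parent, child first."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    while pid in by_pid:
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]

def detect_dead_vax_chain(events):
    """One finding per remote thread into a signed target; full_chain only when every stage matches."""
    findings = []
    for ev in events:
        if ev["id"] != 8 or _name(ev["target_image"]) not in SIGNED_TARGETS:
            continue
        lineage = list(ancestry(events, ev["source_pid"]))
        chain = [_name(e["image"]) for e in lineage]
        stages = {
            "inject_into_signed_process": True,
            "powershell_stage": chain[:1] == ["powershell.exe"],
            "batch_stage": "cmd.exe" in chain[1:],
            "wsf_from_mounted_drive": any(_name(e["image"]) in ("wscript.exe", "cscript.exe")
                                          and MOUNTED_WSF.search(e["cmd"]) for e in lineage),
        }
        findings.append({"target": _name(ev["target_image"]), "chain": chain,
                         "stages": stages, "full_chain": all(stages.values())})
    return findings
```

Partial matches are reported with their stage map rather than dropped, so a hunt can still surface a PowerShell-to-RuntimeBroker.exe remote thread whose earlier stages fell outside the log window.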
Securonix researchers noted that modern malware campaigns increasingly depend on trusted file formats, script abuse, and memory-resident execution techniques to bypass traditional endpoint defenses. Rather than deploying a single malicious file, attackers now rely on complex multi-stage chains in which each component appears harmless when examined independently.
In the case of DEAD#VAX, delivering AsyncRAT as encrypted shellcode that runs only in memory significantly enhances stealth. The payload never exists on disk in a recognizable executable form and runs inside trusted Windows processes, making detection, analysis, and forensic reconstruction far more challenging for defenders.