NEWS Hackers vs. boredom. Why build a chain of ten scripts when you can just send a virtual disk?

pinkman

Trust in your inbox has never been more valuable.
The "Dead#Vax" malware campaign demonstrates how attackers are increasingly bypassing security not through rare vulnerabilities, but through chains of familiar formats and built-in Windows tools. In a recent analysis, the Securonix team described an attack in which the malicious payload leaves virtually no trace on disk and deploys in memory, disguising itself as a normal process.

According to Securonix, the infection begins with a phishing email disguised as business correspondence from the vendor Progressive Components. The message uses a spoofed display address and a link to a file that appears to be a document, but is actually a VHD virtual disk container hosted through an IPFS gateway. This approach helps bypass email checks and reduces suspicion, and files within the mounted drive are not marked with the "Mark-of-the-Web" label, causing Windows to treat them as local.

After mounting the VHD, the victim is shown a file with a double extension, disguised as a PDF but actually in WSF format. The script launches the next stage and extracts a batch file whose contents are assembled from fragments and decrypted only at execution time. Next, a heavily obfuscated batch script is launched, which expands thousands of variable substitutions, checks the environment for signs of analysis and virtualization, and then reads its own file to extract the encrypted block hidden at the end.

A key feature of the chain is that subsequent actions are performed via PowerShell without saving the decrypted executable file to disk. The final payload is downloaded as encrypted x64 shellcode, which is injected into trusted, Microsoft-signed processes using standard Win32 calls. The report also notes the "DE AD BE CA FE BA EF" marker, which is used to prevent reinjection into an already infected process and helps the attack remain persistent.

A dynamic analysis cited by Securonix revealed that the final component is "AsyncRAT," a remote control tool suitable for long-term, covert control, surveillance, and follow-on network activity. As protective measures, the authors recommend paying closer attention to links to disk images such as VHDs, enabling file extension display, and strengthening logging and telemetry around script execution and code-injection events.
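The delivery features described above (a disk-image link served through an IPFS gateway, a document-looking name hiding a script extension, and files that mount without Mark-of-the-Web) are all visible before anything runs. The following added example, which is not part of the original post or of the Securonix report, shows how a mail gateway or SOC script could flag such links in a log of outbound-link clicks or inbound-mail URLs. The log format, the gateway hostnames and the extension lists are assumptions for this example; a real deployment would feed them from threat intelligence and the gateway's own configuration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Disk-image containers that Windows mounts natively. Files inside a mounted
# image carry no Mark-of-the-Web, so they are treated as local files.
DISK_IMAGE_EXTS = {"vhd", "vhdx", "iso", "img"}
# Script hosts that Explorer hides behind the preceding "document" extension
# when extension display is turned off (e.g. Invoice.pdf.wsf shows as Invoice.pdf).
SCRIPT_EXTS = {"wsf", "js", "jse", "vbs", "vbe", "hta", "bat", "cmd", "ps1", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
# Assumption: public IPFS gateways usually carry "ipfs" in the hostname or
# expose content under an /ipfs/<CID>/ path. Both heuristics are used here.
IPFS_GATEWAY_RE = re.compile(r"(^|\.)ipfs\.", re.I)

# Constructed sample log (key=value style) for this example; not real telemetry.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z from="Billing <billing@example-vendor.test>" url=https://www.example-vendor.test/invoices/INV-2231.pdf
2025-01-01T10:05:00Z from="Progressive Components <orders@notify-mail.test>" url=https://gateway.ipfs.example/ipfs/QmPLACEHOLDER/Invoice_2231.vhd
2025-01-01T10:06:00Z from="HR <hr@corp.test>" url=https://files.corp.test/Policy_Update.pdf.wsf
"""

LOG_LINE_RE = re.compile(r'from="(?P<sender>[^"]*)"\s+url=(?P<url>\S+)')


@dataclass
class Finding:
    sender: str
    url: str
    reasons: list[str] = field(default_factory=list)


def filename_from_url(url: str) -> str:
    """Last path component of the URL, lower-cased for extension matching."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def classify_link(url: str) -> list[str]:
    """Return the reasons (possibly none) why a mailed link deserves review."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    exts = filename_from_url(url).split(".")[1:]  # everything after the base name

    if exts and exts[-1] in DISK_IMAGE_EXTS:
        reasons.append(
            f"disk image container .{exts[-1]} (mounted contents skip Mark-of-the-Web)"
        )
    if len(exts) >= 2 and exts[-1] in SCRIPT_EXTS and exts[-2] in DOCUMENT_EXTS:
        reasons.append(
            f"double extension .{exts[-2]}.{exts[-1]} masquerading as a document"
        )
    if "/ipfs/" in parsed.path.lower() or IPFS_GATEWAY_RE.search(host):
        reasons.append("served through an IPFS gateway")
    return reasons


def scan_mail_log(log_text: str) -> list[Finding]:
    """Parse key=value log lines and keep only the entries with findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        reasons = classify_link(m["url"])
        if reasons:
            findings.append(Finding(m["sender"], m["url"], reasons))
    return findings


def has_mark_of_the_web(path: str) -> bool:
    """On NTFS, downloaded files carry a Zone.Identifier alternate data stream.
    Files copied out of a mounted VHD do not. Returns False on non-Windows
    filesystems or when the stream is absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as ads:
            return "ZoneId=" in ads.read()
    except OSError:
        return False


if __name__ == "__main__":
    for f in scan_mail_log(SAMPLE_LOG):
        print(f"{f.sender} -> {f.url}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Running the block on the constructed log flags the VHD link (two reasons: disk image and IPFS gateway) and the `.pdf.wsf` link, while the plain PDF from the vendor's own domain passes. `has_mark_of_the_web` is included because the report's point about mounted disk images is easiest to verify by checking the Zone.Identifier stream on a file before it is opened; on a non-Windows host it simply returns False.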