Threat hunters at Securonix have disclosed details of a new malware campaign dubbed DEAD#VAX that employs “disciplined tradecraft and clever abuse of legitimate system features” to deploy the AsyncRAT remote access trojan. The campaign chains together multiple evasion techniques, delivering malware entirely in memory to minimize forensic artifacts.
Campaign overview
| Attribute | Details |
|---|---|
| Campaign name | DEAD#VAX |
| Discovery | Securonix Threat Research Team |
| Disclosure date | February 4, 2026 |
| Primary payload | AsyncRAT |
| Hosting | IPFS (InterPlanetary File System) |
| Delivery | VHD (Virtual Hard Disk) files |
| Execution | Fileless, in-memory shellcode injection |
Attack chain
The DEAD#VAX campaign employs a multi-stage attack chain designed to evade detection at each step:
Stage 1: Initial delivery
| Step | Technique |
|---|---|
| Delivery method | Phishing email |
| Lure content | Link to an IPFS-hosted VHD file, rather than a file attachment |
| Social engineering | VHD disguised as a PDF purchase order |
The attackers host malicious VHD files on the InterPlanetary File System (IPFS), a decentralized storage network. IPFS hosting provides:
| Benefit | Description |
|---|---|
| Takedown resistance | Content is addressed by its hash (CID) and served by any node that pins it, so there is no single host to take down |
| Legitimate appearance | Public IPFS gateways carry plenty of benign traffic and sit on reputable domains |
| Persistence | The same CID stays reachable through any gateway for as long as one node pins the content |
| Detection evasion | Gateway domains are rarely on URL blocklists, and the payload can be served from a different gateway without the URL path or the content changing |
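The following Python is an added example, not code from Securonix's write-up: it takes apart the three URL shapes through which IPFS content is fetched (native `ipfs://` URI, path-style gateway, subdomain-style gateway) and extracts the content identifier (CID). The gateway list, the CIDs and the URLs in it are constructed for illustration. The point it makes is that the CID, not the gateway domain, is the stable indicator to block on.

```python
import re
from urllib.parse import urlparse

# Shape checks only (no multihash decoding). CIDv0 is base58btc, 46 chars
# starting with "Qm"; CIDv1 is usually multibase base32, lowercase, prefix "b".
CIDV0_RE = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CIDV1_RE = re.compile(r"^b[a-z2-7]{20,}$")

# Constructed, deliberately short list; real blocklists are longer and churn,
# which is why classify() also matches on URL shape, not just on host.
KNOWN_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}
DISK_IMAGE_EXTS = (".vhd", ".vhdx")


def looks_like_cid(s: str) -> bool:
    return bool(CIDV0_RE.match(s) or CIDV1_RE.match(s))


def extract_cid(url: str):
    """Return (cid, style) if url fetches IPFS content, else None.

    Recognised shapes:
      ipfs://<cid>/path                  native URI
      https://<gateway>/ipfs/<cid>/path  path-style gateway
      https://<cid>.ipfs.<gateway>/path  subdomain-style gateway (CIDv1 only,
                                         because DNS labels are case-insensitive)
    """
    u = urlparse(url)
    if u.scheme == "ipfs" and looks_like_cid(u.netloc):   # netloc keeps case, hostname does not
        return u.netloc, "native"
    parts = [p for p in u.path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "ipfs" and looks_like_cid(parts[1]):
        return parts[1], "path"
    labels = (u.hostname or "").split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and looks_like_cid(labels[0]):
        return labels[0], "subdomain"
    return None


def classify(url: str) -> dict:
    """Triage one URL taken from mail or proxy logs."""
    u = urlparse(url)
    host = u.hostname or ""
    hit = extract_cid(url)
    filename = u.path.rsplit("/", 1)[-1].lower()
    ipfs = hit is not None
    image = filename.endswith(DISK_IMAGE_EXTS)
    return {
        "url": url,
        "ipfs": ipfs,
        "cid": hit[0] if hit else None,
        "gateway_known": any(host == g or host.endswith("." + g) for g in KNOWN_GATEWAYS),
        "disk_image": image,
        # Block on the CID: the same content is reachable through any gateway.
        "severity": "high" if ipfs and image else "medium" if ipfs or image else "low",
    }


if __name__ == "__main__":
    for u in (
        "https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/PO-4471.vhd",
        "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/PO-4471.vhd",
        "https://example.com/reports/q1.pdf",
    ):
        print(classify(u))
```

Once a CID is known from one sighting, it can be searched for across proxy logs regardless of which gateway the next email points at; the subdomain form additionally explains why gateways rewrite CIDv0 to CIDv1 there.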
Stage 2: Mark-of-the-Web bypass
When a user mounts the downloaded VHD (double-clicking it in Explorer is enough), Windows attaches it as a local drive letter:
| Behavior | Security implication |
|---|---|
| VHD mounts as a drive | Files inside appear to be local, not downloaded |
| Mark-of-the-Web not propagated | The Zone.Identifier stream is attached to the downloaded .vhd container only; files inside the mounted image carry no such stream, so zone-based checks never fire for them |
| Files execute freely | No SmartScreen or Office Protected View prompts for the scripts inside the image |
This technique has been increasingly adopted by threat actors because it sidesteps one of Windows' primary defenses against content downloaded from the internet.
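To make the mechanism concrete, here is an added Python example (not from the Securonix write-up) that parses the Zone.Identifier alternate data stream exactly as Windows stores it and decides whether the mark still protects anything once the file is opened. The stream text and file names are constructed samples; the zone numbers (3 = Internet, 4 = Untrusted) are the standard URLZONE values.

```python
import configparser
from pathlib import PureWindowsPath
from typing import Optional

# Extensions Windows mounts as a volume on double-click; the page's VHD lure
# falls here. Files inside a mounted image carry no Zone.Identifier of their own.
MOUNTABLE_IMAGE_EXTS = {".vhd", ".vhdx"}
URLZONE_INTERNET, URLZONE_UNTRUSTED = 3, 4


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the text of a file's Zone.Identifier alternate data stream.

    On NTFS the mark is literally this INI-shaped text stored beside the file:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://...
        HostUrl=https://...
    """
    empty = {"zone_id": None, "referrer": None, "host_url": None}
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:          # no [ZoneTransfer] header, junk, etc.
        return empty
    if not cp.has_section("ZoneTransfer"):
        return empty
    sect = cp["ZoneTransfer"]
    zone = sect.get("ZoneId", "")
    return {
        "zone_id": int(zone) if zone.strip().isdigit() else None,
        "referrer": sect.get("ReferrerUrl"),
        "host_url": sect.get("HostUrl"),
    }


def assess_download(filename: str, stream_text: Optional[str]) -> dict:
    """Say whether the mark on this download protects what the user will run."""
    mark = parse_zone_identifier(stream_text) if stream_text else {}
    zone = mark.get("zone_id")
    marked = zone in (URLZONE_INTERNET, URLZONE_UNTRUSTED)
    is_image = PureWindowsPath(filename).suffix.lower() in MOUNTABLE_IMAGE_EXTS
    if is_image and marked:
        action = "block or detonate: mounting yields unmarked files, the mark protects nothing inside"
    elif is_image:
        action = "investigate: disk image with no mark at all (copied, stripped, or local origin)"
    elif marked:
        action = "normal handling: SmartScreen / Protected View will see the mark"
    else:
        action = "no mark present"
    return {"file": filename, "zone_id": zone, "host_url": mark.get("host_url"),
            "marked_internet": marked, "mountable_image": is_image, "action": action}


# Constructed sample stream, as a browser would write it for a download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.net/\r\n"
    "HostUrl=https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/PO-4471.vhd\r\n"
)

if __name__ == "__main__":
    for name, stream in (("PO-4471.vhd", SAMPLE_STREAM), ("PO-4471.pdf", SAMPLE_STREAM), ("PO-4471.vhd", None)):
        print(assess_download(name, stream))
```

On a Windows host the stream text comes from `Get-Content -Stream Zone.Identifier <file>`; the HostUrl it records is also where the IPFS gateway and CID of the original fetch survive after the email itself is gone.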
Stage 3: Obfuscated script execution
Inside the VHD, the attack chain proceeds through multiple script stages:
| Component | Purpose |
|---|---|
| Windows Script Files (WSF) | Initial execution trigger |
| Batch scripts | Heavily obfuscated intermediate layer |
| PowerShell loaders | Self-parsing, runtime decryption |
The scripts use extreme obfuscation:
| Technique | Effect |
|---|---|
| Variable name randomization | Defeats pattern matching |
| String concatenation | Hides command reconstruction |
| Encoding layers | Multiple decryption stages |
| Runtime assembly | Commands built at execution time |
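The "runtime assembly" row is easiest to understand by replaying it. The Python below is an added example, not a sample from DEAD#VAX: it implements cmd.exe's `%var:~start,len%` substring expansion, treats undefined variables as empty (as a .bat file does) and strips caret escapes, which together are a widely used batch obfuscation pattern. The sample script it decodes is constructed for the example; the real campaign's scripts may use different tricks on top of these.

```python
import re

# %name%, %name:~start%, %name:~start,len%, and the literal %% of a .bat file.
_VAR_RE = re.compile(r"%%|%([^%:\s]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")
_SET_RE = re.compile(r'^\s*set\s+"?([^=]+?)=(.*?)"?\s*$', re.IGNORECASE)

# Signals worth surfacing once the text is readable again.
SUSPICIOUS = re.compile(
    r"powershell|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|\biex\b|"
    r"invoke-expression|frombase64string|wscript|cscript|mshta|rundll32", re.IGNORECASE)


def _substr(value: str, start: int, length):
    """cmd.exe semantics for %var:~start,len%: a negative start counts from the
    end, a negative len means 'all but the last |len| characters'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:max(end, start)]


def expand(line: str, env: dict) -> str:
    """Expand %...% references the way cmd does when it parses a line."""
    def repl(m):
        if m.group(0) == "%%":
            return "%"
        value = env.get(m.group(1).lower(), "")        # undefined -> empty string
        if m.group(2) is None:
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return _substr(value, int(m.group(2)), length)
    return _VAR_RE.sub(repl, line)


def deobfuscate(script: str, env=None) -> list:
    """Replay the script's own variable definitions and return the commands it
    would actually run, with caret escapes removed."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("@echo", "rem ", "::")):
            continue
        m = _SET_RE.match(line)
        if m:                                           # set expands % at definition time
            env[m.group(1).strip().lower()] = expand(m.group(2), env)
            continue
        line = re.sub(r"\^(.)", r"\1", expand(line, env))   # ^ escapes the next char
        commands.append(line)
    return commands


def indicators(commands) -> list:
    return sorted({m.group(0).lower() for c in commands for m in SUSPICIOUS.finditer(c)})


# Constructed sample in a common style: an alphabet variable sliced one
# character at a time, an undefined variable that expands to nothing, and
# carets sprinkled through the visible tokens. Not taken from DEAD#VAX.
SAMPLE_BAT = r'''@echo off
set "ab=abcdefghijklmnopqrstuvwxyz"
set "sy= -"
set "ud=hi%Xq9%dden"
%ab:~15,1%%ab:~14,1%%ab:~22,1%%ab:~4,1%%ab:~17,1%%ab:~18,1%%ab:~7,1%%ab:~4,1%%ab:~11,1%%ab:~11,1%%sy:~0,1%%sy:~1,1%w%sy:~0,1%%ud%%sy:~0,1%-e^p%sy:~0,1%b^y^p^a^s^s
'''

if __name__ == "__main__":
    cmds = deobfuscate(SAMPLE_BAT)
    print(cmds)
    print(indicators(cmds))
```

Nothing in the obfuscated line is a signature-friendly string, yet the script must carry its own decoding table (the `set` lines), so replaying those definitions is always enough to recover the command; the same idea, applied to PowerShell, is what Script Block Logging gives you for free.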
Stage 4: Shellcode injection
The final stage injects AsyncRAT shellcode directly into trusted Windows processes:
| Step | Action |
|---|---|
| 1 | PowerShell decrypts x64 shellcode |
| 2 | Target process identified (trusted Windows binary) |
| 3 | Shellcode injected into process memory |
| 4 | AsyncRAT executes within trusted process context |
No decrypted binary is ever written to disk, making traditional file-based detection ineffective.
Evasion techniques
DEAD#VAX demonstrates sophisticated anti-analysis capabilities:
Sandbox detection
| Check | Purpose |
|---|---|
| Virtualization detection | Identifies VM environments |
| Memory threshold checks | Detects low-resource analysis systems |
| Execution timing | Identifies automated analysis |
Anti-forensics
| Technique | Effect |
|---|---|
| In-memory execution | No malware files on disk |
| Process injection | Runs within legitimate processes |
| Reinfection markers | Skips injection when the host is already infected, avoiding duplicate injections that could crash the target process and draw attention |
Persistence mechanisms
| Method | Implementation |
|---|---|
| Scheduled tasks | Stealthy task creation |
| Script-based launchers | Avoid obvious PowerShell indicators |
| Auto-rotation | Automatically recreates if removed |
Securonix noted that persistence is “maintained through stealthy scheduled tasks and script-based launchers that avoid obvious PowerShell indicators and can rotate automatically if removed.”
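Because the launchers deliberately avoid obvious PowerShell indicators, hunting for them means looking at what each task actually executes rather than at its name. The Python below is an added example (not Securonix's tooling) that triages scheduled-task definitions in the XML format used by `schtasks /query /xml` and by the files under `%SystemRoot%\System32\Tasks`. The two task definitions are constructed for the example; the scoring heuristics are the author's assumptions, not published DEAD#VAX detection logic.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
                "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\|%(?:appdata|localappdata|temp|tmp|public)%", re.I)
AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def _local(tag: str) -> str:
    """Strip the task-schema namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def triage_task(task_name: str, xml_text: str) -> dict:
    # Task exports are UTF-16 with an XML declaration; once decoded to str the
    # declaration must go, otherwise expat rejects the mismatched encoding.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    command = args = ""
    hidden = False
    triggers = []
    for el in root.iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name == "Command":
            command = text
        elif name == "Arguments":
            args = text
        elif name == "Hidden":
            hidden = text.lower() == "true"
        elif name.endswith("Trigger"):
            triggers.append(name)

    exe = PureWindowsPath(command.strip('"')).name.lower()
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launcher is a script host or LOLBin ({exe})")
    if USER_WRITABLE.search(command + " " + args):
        reasons.append("payload lives in a user-writable path")
    if hidden:
        reasons.append("task is marked Hidden")
    autostart = [t for t in triggers if t in AUTOSTART_TRIGGERS]
    if autostart:
        reasons.append("starts automatically on " + ", ".join(autostart))
    if re.search(r"\bschtasks(?:\.exe)?\b", args, re.I):
        reasons.append("arguments call schtasks (task can recreate itself)")
    return {"task": task_name, "command": command, "arguments": args,
            "reasons": reasons, "score": len(reasons)}


# Constructed samples: a script-host launcher dressed up as a sync task, and a
# plain vendor updater for contrast.
SUSPICIOUS_TASK = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:jscript "C:\Users\jdoe\AppData\Roaming\Microsoft\OneDriveSync.js"</Arguments>
    </Exec>
  </Actions>
</Task>'''

BENIGN_TASK = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>NT AUTHORITY\SYSTEM</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\Updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>'''

if __name__ == "__main__":
    print(triage_task(r"\Microsoft\Windows\OneDrive\Sync", SUSPICIOUS_TASK))
    print(triage_task(r"\Vendor\Updater", BENIGN_TASK))
```

Run it over every file in the Tasks directory (decode them as UTF-16 first) and sort by score; a task path that imitates a Microsoft folder but scores on three or more reasons is worth pulling the referenced script for.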
AsyncRAT capabilities
AsyncRAT is an open-source remote access trojan providing extensive control over compromised systems:
Surveillance capabilities
| Capability | Description |
|---|---|
| Keylogging | Captures all keystrokes |
| Screen capture | Screenshots of victim display |
| Webcam access | Remote camera activation |
| Clipboard monitoring | Captures copied content |
| File system access | Browse, read, modify files |
Command and control
| Feature | Description |
|---|---|
| Remote command execution | Run arbitrary commands |
| File transfer | Upload/download files |
| Process management | Start, stop, enumerate processes |
| Persistence management | Maintain access across reboots |
Data exfiltration
| Target | Data type |
|---|---|
| Browsers | Credentials, cookies, history |
| Cryptocurrency wallets | Wallet files, keys |
| Documents | Sensitive files |
| Credentials | Stored passwords |
Why DEAD#VAX is significant
Securonix researchers emphasized that while AsyncRAT attacks are common, the delivery framework represents the real innovation:
| Traditional approach | DEAD#VAX approach |
|---|---|
| Email attachment | IPFS-hosted VHD |
| Direct download | Decentralized hosting |
| Disk-based execution | In-memory only |
| Single obfuscation layer | Multi-layer obfuscation |
| Static persistence | Auto-rotating persistence |
The campaign “effectively defeats single-layer detection approaches as it chains together social engineering, disk image abuse, and script-based loaders.”
Detection challenges
| Challenge | Impact |
|---|---|
| IPFS hosting | Legitimate infrastructure abuse |
| VHD mounting | Bypasses MotW protections |
| Fileless execution | No malware files to scan |
| Process injection | Hides within trusted processes |
| Script obfuscation | Evades signature detection |
File-scanning antivirus has little to work with: the only artifacts on disk are the VHD container and the obfuscated scripts inside it, and the decrypted AsyncRAT payload exists only in the memory of the process it was injected into.
Detection opportunities
Network indicators
| Indicator | Detection method |
|---|---|
| IPFS gateway connections | Alert on requests to public IPFS gateways and on URLs with an `/ipfs/<CID>` path or a `<CID>.ipfs.` host label; pivot on the CID, which stays the same across gateways |
| VHD downloads | Flag .vhd/.vhdx files fetched from external sources at the proxy and in browser download logs |
| C2 communication | AsyncRAT network patterns |
Endpoint indicators
| Indicator | Detection method |
|---|---|
| VHD mounting | Disk-image surfaced events in the Microsoft-Windows-VHDMP/Operational log, and process creation with a script path on a newly assigned drive letter |
| Script execution | PowerShell Script Block Logging (Event ID 4104) plus process creation for wscript.exe, cscript.exe and cmd.exe launched from a non-system drive |
| Process injection | EDR behavioral detection (cross-process memory writes and remote thread creation) |
| Scheduled task creation | Security Event ID 4698 (requires Other Object Access auditing) and changes under %SystemRoot%\System32\Tasks |
Recommended detection rules
| Rule type | Focus |
|---|---|
| PowerShell logging | ScriptBlock logging (Event ID 4104) for obfuscated commands; the logged blocks are the decoded form, so match on API names and `FromBase64String` rather than on the obfuscated launcher |
| Process creation | Unusual parent-child relationships, for example a script host (wscript.exe) spawning cmd.exe which spawns a hidden powershell.exe, with a non-system drive letter in the command line |
| Network monitoring | Outbound connections from PowerShell or an injected host process within minutes of a VHD mount |
| Behavioral analysis | Memory injection patterns |
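The rules above only bite when they are correlated, since each event on its own is routine on a busy estate. The Python below is an added example, not Securonix's detection content: it normalises a handful of Windows events into chain stages, collects the stages that follow each disk-image mount inside a time window, and confirms the process lineage from the script host to the hidden PowerShell. The telemetry is constructed; Sysmon (Event IDs 1 and 3), PowerShell 4104 and Security 4698 field names follow their real schemas, while the VHDMP event ID and field name are assumptions, as is C: being the system drive.

```python
import re
from datetime import datetime, timedelta

SYSMON = "Microsoft-Windows-Sysmon/Operational"
VHDMP = "Microsoft-Windows-VHDMP/Operational"
PS_OPERATIONAL = "Microsoft-Windows-PowerShell/Operational"

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# A drive letter other than C: in a script host's command line: a freshly mounted
# image gets the next free letter (assumption: C: is the system drive).
NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])[D-Zd-z]:\\")
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-enc(?:odedcommand)?\s+\S{20,}", re.I)
INJECTION_API = re.compile(r"VirtualAlloc(?:Ex)?|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx|QueueUserAPC|FromBase64String", re.I)


def stage_of(ev: dict):
    """Map one normalised event to a stage of the chain, or None."""
    ch, eid, d = ev["channel"], ev["event_id"], ev["data"]
    image = d.get("Image", "").lower()
    if ch == VHDMP and eid == 1:                        # image surfaced (assumed event ID)
        return "mount"
    if ch == SYSMON and eid == 1:
        if image.endswith(SCRIPT_HOSTS) and NON_SYSTEM_DRIVE.search(d.get("CommandLine", "")):
            return "script_from_new_drive"
        if image.endswith(POWERSHELL) and HIDDEN_PS.search(d.get("CommandLine", "")):
            return "hidden_powershell"
    if ch == PS_OPERATIONAL and eid == 4104 and INJECTION_API.search(d.get("ScriptBlockText", "")):
        return "injection_scriptblock"
    if ch == "Security" and eid == 4698:
        return "task_created"
    if ch == SYSMON and eid == 3 and image.endswith(POWERSHELL):
        return "powershell_network"
    return None


def descends_from(pids: dict, pid, ancestor, max_depth=16) -> bool:
    """Walk PID -> parent PID until ancestor is reached or the chain ends."""
    for _ in range(max_depth):
        pid = pids.get(pid)
        if pid is None:
            return False
        if pid == ancestor:
            return True
    return False


def correlate(events, window=timedelta(minutes=15)):
    """For each mount, gather the chain stages that follow it within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    # PID reuse is ignored here; production logic should key on ProcessGuid.
    pids = {e["data"]["ProcessId"]: e["data"]["ParentProcessId"]
            for e in events if e["channel"] == SYSMON and e["event_id"] == 1}
    findings = []
    for i, mount in enumerate(events):
        if stage_of(mount) != "mount":
            continue
        t0 = datetime.fromisoformat(mount["ts"])
        seen = {}
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break
            s = stage_of(later)
            if s and s not in seen:
                seen[s] = later
        lineage = ("script_from_new_drive" in seen and "hidden_powershell" in seen and
                   descends_from(pids, seen["hidden_powershell"]["data"]["ProcessId"],
                                 seen["script_from_new_drive"]["data"]["ProcessId"]))
        score = 1 + len(seen) + (1 if lineage else 0)
        findings.append({"image": mount["data"].get("Path"), "stages": ["mount"] + sorted(seen),
                         "lineage_confirmed": lineage, "score": score,
                         "alert": "script_from_new_drive" in seen and score >= 3})
    return findings


def ev(ts, channel, event_id, **data):
    return {"ts": ts, "channel": channel, "event_id": event_id, "data": data}


# Constructed sample telemetry for one host; the last event is out-of-window noise.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev("2026-02-04T09:12:01", VHDMP, 1, Path=r"C:\Users\jdoe\Downloads\PO-4471.vhd"),
    ev("2026-02-04T09:12:20", SYSMON, 1, Image=r"C:\Windows\System32\wscript.exe", ProcessId=5120, ParentProcessId=3344,
       CommandLine=r'"C:\Windows\System32\wscript.exe" "E:\PO-4471.pdf.wsf"'),
    ev("2026-02-04T09:12:21", SYSMON, 1, Image=r"C:\Windows\System32\cmd.exe", ProcessId=5188, ParentProcessId=5120,
       CommandLine=r'cmd.exe /c "E:\stage\ld.bat"'),
    ev("2026-02-04T09:12:24", SYSMON, 1, Image=PS_EXE, ProcessId=5230, ParentProcessId=5188,
       CommandLine=r"powershell.exe -nop -w hidden -ep bypass -f E:\stage\ld.ps1"),
    ev("2026-02-04T09:12:26", PS_OPERATIONAL, 4104, ProcessId=5230,
       ScriptBlockText="$b=[Convert]::FromBase64String($blob); $m=VirtualAlloc(...); WriteProcessMemory(...)"),
    ev("2026-02-04T09:12:30", "Security", 4698, TaskName=r"\Microsoft\Windows\OneDrive\Sync", SubjectUserName="jdoe"),
    ev("2026-02-04T09:12:35", SYSMON, 3, Image=PS_EXE, ProcessId=5230, DestinationIp="203.0.113.45", DestinationPort=6606),
    ev("2026-02-04T11:00:00", SYSMON, 1, Image=r"C:\Windows\System32\notepad.exe", ProcessId=6010, ParentProcessId=3344,
       CommandLine=r"notepad.exe D:\notes.txt"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The mount is the pivot because it is rare and cheap to log; everything after it is weighted, so a user who mounts a legitimate VHD and opens a text file scores 1 and never alerts, while the lure chain scores on five stages plus confirmed lineage.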
Recommendations
For security teams
| Priority | Action |
|---|---|
| High | Enable PowerShell ScriptBlock logging |
| High | Deploy EDR with behavioral analysis |
| High | Monitor for VHD file downloads |
| High | Block or alert on IPFS gateway connections |
| Medium | Implement memory scanning capabilities |
| Ongoing | Update detection rules for MotW bypass techniques |
For email security
| Control | Purpose |
|---|---|
| Block VHD attachments | Prevent direct delivery |
| Scan links for VHD endpoints | Detect hosted payloads |
| User awareness training | Recognize purchase order lures |
| Sandbox analysis | Detonate suspicious links |
For endpoint protection
| Control | Purpose |
|---|---|
| Application control | Restrict VHD/VHDX mounting for users with no business need for it, and apply the same policy to the script hosts (wscript.exe, cscript.exe) the lure depends on |
| Memory protection | Detect shellcode injection |
| Behavioral monitoring | Identify process injection |
| Script controls | PowerShell Constrained Language Mode, enforced through AppLocker or WDAC policy, together with Script Block Logging so that obfuscated loaders are recorded in decoded form |
Indicators of compromise
Behavioral indicators
- VHD files downloaded from IPFS gateways
- VHD mounting followed by script execution
- Heavily obfuscated batch or PowerShell scripts
- Process injection into trusted Windows binaries
- Scheduled tasks created with unusual names
- AsyncRAT C2 communication patterns
Network patterns
- Connections to IPFS gateways (various domains)
- AsyncRAT C2 traffic patterns
- Data exfiltration to external servers
Context
DEAD#VAX represents the continued evolution of malware delivery techniques. As defenders improve detection of traditional attack vectors, threat actors develop increasingly sophisticated evasion chains.
| Evolution | DEAD#VAX implementation |
|---|---|
| Hosting | Decentralized IPFS instead of traditional servers |
| Delivery | VHD files bypass web download protections |
| Execution | Fileless, memory-only payload |
| Persistence | Auto-rotating scheduled tasks |
| Detection evasion | Multi-layer obfuscation |
The campaign demonstrates that effective malware delivery now requires:
- Abuse of legitimate infrastructure (IPFS)
- Exploitation of trust mechanisms (VHD/MotW)
- Advanced obfuscation (multi-layer script encoding)
- Memory-only execution (no disk artifacts)
- Resilient persistence (auto-rotation)
Organizations should assume that traditional file-based detection is insufficient and invest in behavioral analysis, memory scanning, and comprehensive logging to detect attacks like DEAD#VAX.