Thursday, February 5, 2026


New DEAD#VAX attack uses trusted Windows processes to deliver AsyncRAT

AsyncRAT is at the centre of a newly uncovered malware operation called DEAD#VAX that quietly infects Windows systems and gives attackers long-term unauthorized access. Security researchers say the campaign abuses legitimate Windows features and trusted file formats to evade traditional security tools, making detection, analysis, and investigation significantly harder.

According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, "The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk." Their findings were shared with a publication. The final payload is AsyncRAT, an open-source remote access trojan that lets attackers log keystrokes, capture screens and webcam feeds, access files, execute remote commands, monitor the clipboard, and maintain persistence across system reboots.

The infection chain begins with a phishing email that delivers a Virtual Hard Disk (VHD) file hosted on the decentralized InterPlanetary File System (IPFS) network. The VHD files are disguised as PDF purchase orders to trick users. "After downloading, when a user simply tries to open this PDF-looking file and double-clicks it, it mounts as a virtual hard drive," the researchers explained. Once mounted, the drive displays a Windows Script File (.wsf) that appears harmless but triggers the next stages of the attack. Delivering the script inside a VHD helps it bypass certain security controls and reduces suspicion: Windows does not propagate the Mark of the Web to files inside a mounted virtual disk, so the script runs without the download-origin warnings a directly downloaded script would trigger.

Inside the mounted drive, the script launches heavily obfuscated batch scripts and PowerShell loaders. These components first check whether they are running in a sandbox or virtual machine and whether sufficient privileges are available. Once those checks pass, an encrypted x64 shellcode build of AsyncRAT is decrypted at runtime and injected directly into trusted Microsoft-signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. The malware runs entirely in memory, sets up persistence through scheduled tasks, controls its execution timing, and limits CPU usage to avoid drawing attention. As the researchers noted, "Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls."
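The chain described above (double-extension VHD lure, .wsf launched by a script host from the mounted volume, cmd/PowerShell descending from that script host, a scheduled task created by the loader, and a remote thread opened by PowerShell into one of the named trusted hosts) maps onto a handful of process-telemetry rules. The following is an added hunting example, not code from the researchers or the report: it walks parent/child ancestry so the PowerShell stage is caught even when its direct parent is cmd.exe rather than wscript.exe. The Sysmon-style field names, process IDs, file names, task name and paths in the sample events are all constructed for illustration.

```python
"""
Hunting rules for a DEAD#VAX-style chain over Sysmon-like telemetry.
Added example with an assumed record schema; every sample event below is
constructed, not taken from a real incident.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Microsoft-signed hosts the write-up names as injection targets.
INJECTION_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Document-looking name followed by a virtual disk extension, e.g. PO.pdf.vhd
DOUBLE_EXT_VHD = re.compile(r"\.(pdf|docx?|xlsx?)\.vhdx?$", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record (assumed field names, not a real schema)."""
    eid: int                 # 1 ProcessCreate, 8 CreateRemoteThread, 11 FileCreate
    pid: int
    image: str               # acting process
    ppid: int = 0            # EID 1 only
    parent_image: str = ""   # EID 1 only
    command_line: str = ""   # EID 1 only
    target: str = ""         # EID 8: TargetImage; EID 11: TargetFilename


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events: List[Event]) -> Dict[int, Tuple[str, int]]:
    """pid -> (image name, ppid), built from ProcessCreate events only."""
    return {e.pid: (basename(e.image), e.ppid) for e in events if e.eid == 1}


def has_ancestor(tree: Dict[int, Tuple[str, int]], pid: int, names: Set[str],
                 max_depth: int = 16) -> bool:
    """True if any ancestor of pid (excluding pid itself) is one of `names`."""
    seen = set()
    cur = tree.get(pid, ("", 0))[1]          # start at the parent
    for _ in range(max_depth):
        if cur in seen or cur not in tree:   # unknown parent or cycle: stop
            return False
        seen.add(cur)
        img, cur = tree[cur]                  # image of this ancestor, then climb
        if img in names:
            return True
    return False


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every event that matches a rule."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        img = basename(e.image)
        cmd = e.command_line.lower()
        if e.eid == 11 and DOUBLE_EXT_VHD.search(e.target):
            alerts.append(("double_extension_vhd", e.target))
        elif e.eid == 1:
            if img in SCRIPT_HOSTS and ".wsf" in cmd:
                alerts.append(("wsf_script_host", e.command_line))
            if img in SHELLS and has_ancestor(tree, e.pid, SCRIPT_HOSTS):
                alerts.append(("shell_under_script_host", e.command_line))
            if img == "schtasks.exe" and "/create" in cmd and has_ancestor(tree, e.pid, SCRIPT_HOSTS):
                alerts.append(("schtasks_persistence", e.command_line))
        elif e.eid == 8 and img in SHELLS and basename(e.target) in INJECTION_TARGETS:
            alerts.append(("remote_thread_into_trusted_host", f"{img} -> {basename(e.target)}"))
    return alerts


def chain_matched(events: List[Event]) -> bool:
    """Full chain: at least one delivery/script stage plus the injection stage."""
    rules = {r for r, _ in detect(events)}
    delivery = {"double_extension_vhd", "wsf_script_host", "shell_under_script_host"}
    return "remote_thread_into_trusted_host" in rules and bool(rules & delivery)


# Constructed sample telemetry for one host (pids, paths, names are made up).
SAMPLE = [
    Event(1, 100, r"C:\Windows\explorer.exe", 50, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    Event(11, 150, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          target=r"C:\Users\alice\Downloads\Purchase_Order_7731.pdf.vhd"),
    Event(1, 200, r"C:\Windows\System32\wscript.exe", 100, r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\WScript.exe" "E:\Purchase_Order_7731.wsf"'),
    Event(1, 300, r"C:\Windows\System32\cmd.exe", 200, r"C:\Windows\System32\wscript.exe",
          r'cmd.exe /c "E:\stage1.bat"'),
    Event(1, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 300,
          r"C:\Windows\System32\cmd.exe", r"powershell.exe -NoProfile -WindowStyle Hidden -File E:\stage2.ps1"),
    Event(1, 500, r"C:\Windows\System32\schtasks.exe", 400,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'schtasks /create /sc onlogon /tn "UpdateCheck" /tr "powershell.exe -w hidden -File C:\Users\alice\AppData\Roaming\stage2.ps1"'),
    Event(8, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"C:\Windows\System32\RuntimeBroker.exe"),
    Event(1, 700, r"C:\Windows\System32\cmd.exe", 100, r"C:\Windows\explorer.exe", "cmd.exe"),  # benign
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE):
        print(f"{rule:32} {detail}")
    print("full chain:", chain_matched(SAMPLE))
```

Each rule alone is noisy (admins run schtasks, users run cmd), which is why the persistence rule is keyed to script-host ancestry rather than any shell parent and why `chain_matched` requires a delivery stage together with the remote-thread stage. Real deployments would add the mounted-volume drive letter from EID 1 `CurrentDirectory`, the VHD mount itself, and the network connection to the IPFS gateway as further corroborating stages.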
