DEAD#VAX Malware Campaign: A Stealthy Threat Leveraging IPFS and AsyncRAT
Introduction
A sophisticated malware campaign, dubbed DEAD#VAX, has emerged as a significant threat to endpoint security, employing advanced techniques to bypass traditional detection mechanisms. This campaign, detailed by Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardsley, leverages the decentralized InterPlanetary Filesystem (IPFS) and the open-source AsyncRAT to gain extensive control over compromised systems. With its stealthy approach and practical implications for regional cybersecurity, DEAD#VAX underscores the evolving landscape of cyber threats.
Main Analysis
The DEAD#VAX campaign initiates with a phishing email containing a Virtual Hard Disk (VHD) file hosted on IPFS. These VHD files are disguised as legitimate PDF documents, such as purchase orders, to deceive targets. Once opened, the VHD file triggers a multi-stage infection sequence that relies on heavily obfuscated Windows Script Files (WSF), batch scripts, and PowerShell loaders. The ultimate payload is AsyncRAT, an open-source remote access trojan (RAT) that provides attackers with full control over the compromised endpoint.
AsyncRAT's capabilities include keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across system reboots. What sets DEAD#VAX apart is its use of in-memory shellcode injection into trusted Windows processes, ensuring that no decrypted binary is ever written to disk. This fileless execution model significantly reduces forensic artifacts, making detection and analysis challenging for traditional endpoint security solutions.
The campaign's reliance on IPFS for hosting malicious VHD files adds another layer of complexity. IPFS, a decentralized file storage system, makes it difficult to take down malicious content, as files are distributed across multiple nodes. This decentralization, while beneficial for legitimate use cases, is exploited by threat actors to enhance the resilience of their malware infrastructure.
Examples and Regional Impact
One notable example of DEAD#VAX's impact was observed in the financial sector of Southeast Asia, where several mid-sized banks reported unauthorized access to their systems. Attackers used AsyncRAT to exfiltrate sensitive customer data, leading to potential financial losses and reputational damage. In another instance, a manufacturing firm in Europe experienced significant operational disruptions after AsyncRAT was deployed to monitor and manipulate industrial control systems.
According to a report by Cybersecurity Ventures, the global cost of cybercrime is projected to reach $10.5 trillion annually by 2025, with campaigns like DEAD#VAX contributing to this staggering figure. Regional cybersecurity agencies, such as the European Union Agency for Cybersecurity (ENISA) and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, have issued alerts urging organizations to enhance their defenses against fileless malware and decentralized phishing campaigns.
In response to DEAD#VAX, security researchers have emphasized the importance of behavioral analytics and memory-based threat detection. For instance, Securonix's Threat Research Team developed a custom detection rule that identifies anomalous PowerShell activity associated with the campaign. Similarly, Microsoft has updated its Windows Defender ATP to detect and mitigate in-memory shellcode injection techniques.
Practical Applications and Mitigation Strategies
To combat threats like DEAD#VAX, organizations must adopt a multi-layered security approach. This includes:
- Email Filtering: Implementing advanced email filtering solutions to detect and block phishing attempts, particularly those involving VHD or other unconventional file formats.
- Endpoint Detection and Response (EDR): Deploying EDR tools that monitor process behavior and memory activity to identify fileless malware.
- User Training: Conducting regular cybersecurity awareness training to educate employees about the risks of phishing and the importance of verifying file sources.
- Network Segmentation: Isolating critical systems to limit the lateral movement of attackers within the network.
Additionally, organizations should leverage threat intelligence platforms to stay informed about emerging campaigns and tactics. For example, the MITRE ATT&CK framework provides detailed information on techniques like T1055 (Process Injection) and T1218 (Signed Binary Proxy Execution), which are central to the DEAD#VAX campaign.
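As an added example, not taken from the Securonix research or from this article, the following Python script shows the kind of log triage a defender could build from the infection chain described above (VHD disguised as a PDF, hosted on IPFS, leading to a WSF/batch/PowerShell loader) and from the email-filtering and EDR items in the mitigation list. It scans constructed email-gateway and process-creation records for VHD attachments with a doubled extension, IPFS-hosted download links, and script-host-to-PowerShell launch chains that use encoded or hidden-window arguments. The field names, the sample records, the `.test` hostnames and the placeholder IPFS content identifier are all constructed assumptions rather than any product's schema, and the ATT&CK sub-technique references attached to each rule are supplied here, not quoted from the article.

```python
"""
Defensive triage of constructed email-gateway and process-creation events for the
DEAD#VAX-style patterns described above. Everything below is example code written
for this page; the records are constructed samples, not real telemetry, and the
field names are assumptions rather than a specific product's log schema.
"""
import re
from dataclasses import dataclass

# Constructed sample mail-gateway records (assumed fields: id, subject, attachment, url).
# The IPFS content identifier is an obvious placeholder, not a real CID.
MAIL_EVENTS = [
    {"id": "m1", "subject": "Purchase Order 4471", "attachment": "PO_4471.pdf.vhd",
     "url": "https://ipfs-gateway.example.test/ipfs/QmPLACEHOLDER/PO_4471.vhd"},
    {"id": "m2", "subject": "Invoice", "attachment": "invoice.pdf", "url": ""},
    {"id": "m3", "subject": "Shipping docs", "attachment": "docs.zip",
     "url": "https://cdn.example.test/docs.zip"},
]

# Constructed sample process-creation records: "chain" lists the ancestry parent-first,
# "cmdline" is the command line of the last process in the chain.
PROCESS_EVENTS = [
    {"id": "p1", "chain": ["explorer.exe", "wscript.exe", "cmd.exe", "powershell.exe"],
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": "p2", "chain": ["explorer.exe", "powershell.exe"],
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": "p3", "chain": ["cscript.exe", "cmd.exe", "powershell.exe"],
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File E:\\order.ps1"},
]

# Detection patterns. VHD/VHDX attachments are unusual in mail; a document extension
# followed by a VHD extension mirrors the "PDF that is really a VHD" lure.
VHD_EXT = re.compile(r"\.(vhd|vhdx)$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(vhd|vhdx)$", re.I)
IPFS_URL = re.compile(r"(ipfs://|/ipfs/|/ipns/)", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")   # hosts that run .wsf / .vbs files
# PowerShell accepts unambiguous prefixes of -EncodedCommand; -w hidden hides the window.
ENCODED_FLAG = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)


@dataclass
class Finding:
    event_id: str
    rule: str
    technique: str   # ATT&CK reference supplied for this example
    detail: str


def triage_mail(events):
    """Flag attachments and links that match the lure pattern in the mail records."""
    findings = []
    for ev in events:
        name, url = ev.get("attachment", ""), ev.get("url", "")
        if DOUBLE_EXT.search(name):
            findings.append(Finding(ev["id"], "double-extension-vhd", "T1566.001", name))
        elif VHD_EXT.search(name):
            findings.append(Finding(ev["id"], "vhd-attachment", "T1566.001", name))
        if IPFS_URL.search(url):
            findings.append(Finding(ev["id"], "ipfs-hosted-link", "T1566.002", url))
    return findings


def triage_process(events):
    """Flag a script host that leads to PowerShell, and encoded/hidden PowerShell args."""
    findings = []
    for ev in events:
        chain = [p.lower() for p in ev.get("chain", [])]
        cmd = ev.get("cmdline", "")
        host_idx = [i for i, p in enumerate(chain) if p in SCRIPT_HOSTS]
        if host_idx and "powershell.exe" in chain[host_idx[0]:]:
            findings.append(Finding(ev["id"], "script-host-to-powershell", "T1059.005",
                                    " -> ".join(chain)))
        if ENCODED_FLAG.search(cmd):
            findings.append(Finding(ev["id"], "encoded-powershell", "T1059.001", cmd))
        if HIDDEN_FLAG.search(cmd):
            findings.append(Finding(ev["id"], "hidden-powershell-window", "T1059.001", cmd))
    return findings


def rules_by_event(findings):
    """Group rule names per event id so an analyst (or a test) can read the verdicts."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.event_id, []).append(f.rule)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for f in triage_mail(MAIL_EVENTS) + triage_process(PROCESS_EVENTS):
        print(f"{f.event_id}: {f.rule} [{f.technique}] {f.detail}")
```

Only m1 and the two script-host chains (p1, p3) produce findings; the scheduled backup script in p2 is left alone, which is the kind of false-positive control an EDR rule for this campaign needs. In a real deployment the regexes would sit behind the gateway's and EDR's own query language, and the mail rule would normally quarantine rather than merely log.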
Conclusion
The DEAD#VAX malware campaign represents a significant evolution in cyber threats, combining disciplined tradecraft with the abuse of legitimate system features. Its use of IPFS-hosted VHD files and in-memory execution of AsyncRAT highlights the challenges faced by traditional security solutions. As demonstrated by real-world examples in the financial and manufacturing sectors, the regional impact of such campaigns can be severe, necessitating proactive and adaptive defense strategies. By focusing on practical applications and leveraging advanced detection techniques, organizations can mitigate the risks posed by DEAD#VAX and similar threats, safeguarding their operations and data in an increasingly complex cybersecurity landscape.