DEAD#VAX Campaign Leverages VHD Abuse for Fileless AsyncRAT Deployment

Date: 09-Feb-2026
Label: Malware
Threat Level: Medium

A sophisticated malware campaign has been identified that employs an uncommon chain of attack techniques: VHD file abuse, script-based execution, self-parsing batch logic, fileless PowerShell injection, and finally the deployment of a Remote Access Trojan (RAT). The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk. Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls.
The infection chain begins with a phishing email delivering a Virtual Hard Disk (VHD) hosted on IPFS infrastructure and progresses through a sequence of Windows Script Files (WSF), heavily obfuscated batch scripts, and self-parsing PowerShell loaders. The final payload is delivered as encrypted x64 shellcode, which is injected directly into trusted Windows processes and executed entirely in memory, without ever dropping a decrypted executable to disk.

Malware authors package payloads inside container formats such as VHD or disk image files to bypass the mark-of-the-web (MotW). When a VHD file is downloaded, the VHD file itself receives the mark of the web, but when the user double-clicks the VHD file to mount it, the file system inside the VHD is treated as a separate volume. The files inside do not inherit the mark of the web from the container and therefore appear as local files residing on a local disk.
Execution flows through WSF, batch, and PowerShell scripts, avoiding traditional malware binaries during the early stages. The batch stage relies on environment variable expansion and reads its own contents to extract an encrypted payload. PowerShell strings are protected using a combination of Unicode junk insertion, Base64 encoding, rolling XOR decryption, and ROT-style character shifting, ensuring that no meaningful indicators exist in cleartext. The final malware stage is stored as noise-polluted Base64 data, decoded into raw shellcode and never written to disk in decrypted form; the loader injects the shellcode into trusted, Microsoft-signed processes using native Win32 APIs.

Dynamic analysis confirmed that the shellcode deploys a fully functional AsyncRAT implant capable of long-term surveillance, data exfiltration, and follow-on attacks. Anti-sandbox checks, persistence rotation, execution throttling, and memory-only payloads collectively reduce detection and forensic visibility.
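The string protection above is layered, so an analyst reconstructs it by peeling the layers in reverse: strip the junk characters, Base64-decode, undo the rolling XOR, then undo the character shift. The decoder below is an added example and not the campaign's code; the key (0x01, 0x02), the shift offset (1) and the junk characters are assumed values chosen for illustration, and the sample string is a constructed fixture that encodes the harmless text "Get-Date", not an artefact from the campaign.

```python
"""Layer-by-layer decoder for junk-polluted, XORed, shifted Base64 strings.

Added illustration, not the campaign's code. Assumed scheme: non-Base64
Unicode junk inserted into a Base64 string whose decoded bytes were XORed
with a short rolling key and then shifted by a fixed offset.
"""
import base64
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed sample: "Get-Date" shifted by +1, XORed with the rolling key
# 0x01,0x02, Base64-encoded, then polluted with a zero-width space (U+200B)
# and a Cyrillic letter (U+0444) as junk.
SAMPLE = "SW\u200bR0L\u0444ERg\u200bdGQ="


def strip_junk(blob: str) -> str:
    """Keep only characters that can legally appear in Base64 text."""
    return "".join(ch for ch in blob if ch in B64_ALPHABET)


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i mod len(key)]; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unshift(data: bytes, offset: int) -> str:
    """Undo a ROT-style shift applied to every character code."""
    return "".join(chr((b - offset) % 256) for b in data)


def decode_layers(blob: str, key: bytes = b"\x01\x02", offset: int = 1) -> dict:
    """Peel the layers in reverse order and return every intermediate value,
    so each step of the reconstruction can be checked independently."""
    cleaned = strip_junk(blob)
    raw = base64.b64decode(cleaned, validate=True)  # fails loudly on leftover junk
    unxored = rolling_xor(raw, key)
    plain = unshift(unxored, offset)
    return {"cleaned": cleaned, "raw": raw, "unxored": unxored, "plain": plain}


if __name__ == "__main__":
    for stage, value in decode_layers(SAMPLE).items():
        print(f"{stage:>8}: {value!r}")
```

Returning every intermediate stage rather than only the plaintext is deliberate: when the assumed key or offset is wrong, the stage at which output stops looking like text tells the analyst which layer needs revisiting.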