DEAD#VAX: the attack that uses VHDs on IPFS to deploy AsyncRAT and operate in memory


A new malware operation has once again shown how attackers combine technical ingenuity with the abuse of legitimate system features to go unnoticed. Securonix researchers have described a sophisticated campaign, dubbed DEAD#VAX, which uses virtual hard disk (VHD) images hosted on the decentralized IPFS network and a multi-stage execution chain to deploy the remote access trojan known as AsyncRAT. The original technical report is available in the Securonix write-up here.

The infection starts with a phishing e-mail carrying an attachment that looks like a purchase order in PDF format but is actually a VHD hosted on IPFS. When the victim double-clicks it, the file is mounted as a drive that presents the user with a Windows Script File (WSF). Using a VHD as a container is notable because it relies on a legitimate Windows mechanism to bypass controls that inspect conventional files; the distributed nature of IPFS also lets malicious actors serve payloads without going through traditional servers that could be blocked or tracked. If you want to understand how IPFS works and why it is being used in these contexts, the official documentation is a good starting point: ipfs.io.

Image generated with AI.

Inside the mounted drive is a WSF that, when run by the user by mistake, launches a series of obfuscated components: heavily obfuscated batch scripts, a self-decoding PowerShell loader and, finally, encrypted x64 shellcode. The important point is that the payload is never written to disk as an executable; instead, the code is decrypted in memory and injected into legitimate Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe or sihost.exe. This in-memory execution technique drastically reduces forensic evidence and complicates detection by traditional solutions that rely on static file signatures.

The persistence mechanism also aims to blend in with the system: the attackers use scheduled tasks to survive reboots, and a PowerShell module acts as the in-memory execution engine, validating the environment, decrypting embedded fragments and orchestrating the injection into Microsoft-signed processes. In addition, the malware regulates its own timing with sleeps and throttling to keep CPU usage low and avoid API call patterns that trigger alerts. This mix of execution controls and living-off-the-land makes each piece look harmless in isolation, but together they form a robust attack flow that is hard to trace.

AsyncRAT, the final payload used by the attackers, is a publicly available code project that provides remote control of a compromised computer: keystroke and screen capture, camera access, clipboard monitoring, file system manipulation and remote command execution, among other capabilities. The existence of open versions makes it easy to reuse by actors with different motivations; the project page is available on GitHub for those who want to review it: AsyncRAT on GitHub.

For defenders and administrators, the paradigm shift is clear: it is no longer enough to control the arrival of executables. Visibility into memory behaviour must be strengthened; process injections and process creation chains should be monitored, scheduled tasks audited, and unusual connections to decentralized infrastructure or public IPFS gateways watched. Microsoft documents the commands and procedures for virtual disk management on Windows, which helps in understanding how VHDs are mounted and how to audit their use: Attach-VHD (Microsoft Docs). It is also advisable to review the guidance and best practices on in-memory threats and fileless techniques published by security vendors and official agencies in order to adapt defenses.
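The monitoring points listed above (script host to shell to PowerShell chains, injection into signed processes, scheduled-task persistence) can be expressed as simple correlation rules over process telemetry. The following is an added example written for this article, not detection content from Securonix; it runs over a few constructed Sysmon-style events (Event ID 1 process creation with Image, CommandLine, ProcessGuid and ParentProcessGuid; Event ID 8 CreateRemoteThread with SourceImage and TargetImage). All GUIDs, paths, drive letters and task names in the sample are made up.

```python
"""Correlation rules for a DEAD#VAX-style execution chain over Sysmon-like events.

Added example, not from the Securonix report. Input events are CONSTRUCTED;
field names follow Sysmon Event ID 1 and 8 but every value is invented.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Microsoft-signed processes the article names as injection targets
INJECTION_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
# PowerShell switches typical of a hidden, policy-bypassing, encoded loader
LOADER_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc(odedcommand)?)?\s|e(p|xecutionpolicy)\s+bypass)", re.I)


def base(path):
    """Lower-cased file name of an image path, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_chains(events, max_depth=4):
    """Flag PowerShell processes whose ancestry (within max_depth hops) begins at a
    Windows script host, i.e. a .wsf that spawned cmd.exe and then PowerShell."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventId"] == 1}
    hits = []
    for e in by_guid.values():
        if base(e["Image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        chain, cur = [base(e["Image"])], e
        for _ in range(max_depth):
            cur = by_guid.get(cur["ParentProcessGuid"])
            if cur is None:
                break
            chain.append(base(cur["Image"]))
            if chain[-1] in SCRIPT_HOSTS:
                hits.append({"chain": " <- ".join(chain),
                             "loader_flags": bool(LOADER_FLAGS.search(e["CommandLine"]))})
                break
    return hits


def find_remote_threads(events):
    """Flag CreateRemoteThread from a shell or script host into a signed target."""
    return [{"source": base(e["SourceImage"]), "target": base(e["TargetImage"])}
            for e in events if e["EventId"] == 8
            and base(e["SourceImage"]) in SHELLS | SCRIPT_HOSTS
            and base(e["TargetImage"]) in INJECTION_TARGETS]


def find_task_persistence(events):
    """Flag schtasks /create whose action runs PowerShell (reboot persistence)."""
    hits = []
    for e in events:
        if e["EventId"] == 1 and base(e["Image"]) == "schtasks.exe":
            cl = e["CommandLine"].lower()
            if "/create" in cl and "powershell" in cl:
                hits.append(e["CommandLine"])
    return hits


def analyze(events):
    return {"script_chain": find_script_chains(events),
            "remote_thread": find_remote_threads(events),
            "task_persistence": find_task_persistence(events)}


# Constructed sample: one malicious chain (g1 -> g2 -> g3 -> g4) plus benign noise.
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\PurchaseOrder.pdf.wsf"'},
    {"EventId": 1, "ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "E:\stage1.bat"'},
    {"EventId": 1, "ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc BASE64PLACEHOLDER"},
    {"EventId": 1, "ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "SysUpdate" /tr "powershell.exe -w hidden -File C:\Users\Public\u.ps1"'},
    {"EventId": 8, "SourceProcessGuid": "g3",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    # benign: interactive PowerShell started from Explorer, and a normal remote thread
    {"EventId": 1, "ProcessGuid": "g5", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventId": 8, "SourceProcessGuid": "g6",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_EVENTS).items():
        print(kind, hits)
```

The three rules are deliberately independent so that each produces a low-noise signal on its own; in a real pipeline they would be joined on ProcessGuid and time window, since the script-host ancestry, the injection into a signed host and the scheduled task all hang off the same PowerShell process.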

Image generated with AI.

Securonix's observation highlights a trend already familiar in the cybersecurity industry: attackers' preference for multi-stage pipelines that chain seemingly legitimate components, and for execution that leaves no artifacts on disk. This approach raises the bar for detection and forensic analysis, and forces response teams to modernise, not only with smarter signatures but with behavioural telemetry, process isolation and control over the use of scripts and administrative tools. Signatures remain useful, but runtime visibility and contextual correlation are increasingly critical.

In short, DEAD#VAX is a reminder that adversaries keep searching for and exploiting blind spots in corporate environments: they combine legitimate containers such as VHDs, distributed networks such as IPFS, obfuscation techniques and in-memory execution to deliver a payload that can operate for a long time without being detected. The response is not a single measure but a defence-in-depth strategy that includes script control, deployment policies, process monitoring, behaviour analysis and good operational hygiene. Beyond the Securonix report, it is worth following the threat analysis and incident response resources in specialized media and official security repositories to keep up with the investigations.

If you manage endpoint or infrastructure security, put in place controls that restrict the execution of unsigned scripts, log and alert on unexpected disk image mounts, and make it possible to block or investigate communications to unapproved IPFS nodes and gateways. The Securonix write-up provides useful technical details and is a good starting point for adapting detections: full report. And to better understand the broader phenomenon of threats that operate mainly in memory, the security analyses of large vendors such as Microsoft provide context and practical recommendations on defending against fileless techniques: Microsoft Security Blog.
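The recommendation to block or investigate traffic to unapproved IPFS nodes and gateways can be checked against web proxy logs. Below is an added example written for this article, not part of the Securonix report: it flags requests to a short list of well-known public IPFS gateways, requests whose path or subdomain carries a content identifier (CID), and, among those, requests for disk image files such as the VHD used in this campaign. The log format, the user names, the CIDs and the approved-host list are all constructed assumptions.

```python
"""Proxy-log check for downloads from public IPFS gateways.

Added example, not from the Securonix report. Log lines are CONSTRUCTED in a
simple space-separated format: time user url status. The public gateway list
holds well-known gateways and is assumed, not exhaustive.
"""
import re
from urllib.parse import urlsplit

PUBLIC_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}
# Organisation-approved IPFS hosts, if any (assumption for the example)
APPROVED_HOSTS = {"ipfs.intranet.example.com"}
# CIDv0 is "Qm" + 44 base58 chars; CIDv1 base32 starts with "b" (e.g. "bafy...")
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
PATH_CID = re.compile(r"^/ipfs/" + CID + r"(?:/|$)")        # path-style gateway URL
SUBDOMAIN_CID = re.compile(r"^" + CID + r"\.ipfs\.")          # subdomain-style gateway URL
DISK_IMAGE_EXT = (".vhd", ".vhdx", ".iso", ".img")


def parse_line(line):
    time, user, url, status = line.split()
    parts = urlsplit(url)
    return {"time": time, "user": user, "host": parts.hostname.lower(),
            "path": parts.path, "status": status}


def classify(rec):
    """Return the list of reasons a request is IPFS-related, empty if none."""
    host, path = rec["host"], rec["path"]
    if host in APPROVED_HOSTS:
        return []
    reasons = []
    if host in PUBLIC_GATEWAYS:
        reasons.append("public-gateway")
    if PATH_CID.match(path):
        reasons.append("cid-path")
    if SUBDOMAIN_CID.match(host):
        reasons.append("cid-subdomain")
    # A disk image fetched through IPFS is the delivery pattern described in the article
    if reasons and path.lower().endswith(DISK_IMAGE_EXT):
        reasons.append("disk-image")
    return reasons


def scan(lines):
    findings = []
    for rec in map(parse_line, lines):
        reasons = classify(rec)
        if reasons:
            findings.append(dict(rec, reasons=reasons))
    return findings


# Constructed CIDs: syntactically valid shape, not real content identifiers.
FAKE_CID_V0 = "Qm" + "a" * 44
FAKE_CID_V1 = "b" + "a" * 58

SAMPLE_LINES = [
    f"2024-01-01T10:00:00Z alice https://ipfs.io/ipfs/{FAKE_CID_V0}/PurchaseOrder.vhd 200",
    f"2024-01-01T10:05:00Z bob https://{FAKE_CID_V1}.ipfs.dweb.link/ 200",
    "2024-01-01T10:07:00Z carol https://docs.example.com/ipfs-intro.html 200",
    f"2024-01-01T10:09:00Z dave https://ipfs.intranet.example.com/ipfs/{FAKE_CID_V0}/report.pdf 200",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["time"], f["user"], f["host"], f["reasons"])
```

Because the campaign does not depend on any particular gateway, the CID-shape rules matter more than the host list: a private or newly registered gateway would be missed by the allow/deny lists but still caught by the `/ipfs/<CID>` path or `<CID>.ipfs.` subdomain pattern.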
