
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign · Happening score 39 · 1 unique source, 1 article

Summary


The DEAD#VAX campaign is using phishing-delivered IPFS-hosted VHD files to deploy AsyncRAT, creating a stealthier path to fileless endpoint compromise. The chain relies on WSF, obfuscated batch scripts, and PowerShell loaders to evade detection and keep payloads out of sight. It injects the trojan into trusted Windows processes such as RuntimeBroker.exe and OneDrive.exe, making activity harder to spot and investigate. The result is a multi-stage intrusion flow designed to reduce forensic artifacts while preserving long-term access.

Related Happenings

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

Filemanager backdoor delivered on compromised cPanel environments

Malware Activity
First: 11.05.2026 20:54 Last: 11.05.2026 20:54 Sources 1

About this happening: The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...

DEEP#DOOR Python backdoor framework

Malware Activity
First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2

Malware Activity
First: 23.04.2026 15:06 Last: 23.04.2026 15:06 Sources 1

About this happening: The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...

Timeline

  1. 04.02.2026 19:24 · 2 articles

    Securonix discloses DEAD#VAX campaign delivering AsyncRAT

    Initial Disclosure

    Securonix threat hunters disclosed DEAD#VAX, a stealthy malware campaign that starts with phishing emails delivering IPFS-hosted VHD files disguised as purchase-order PDFs and continues through WSF, heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deploy AsyncRAT as encrypted x64 shellcode. The payload is injected directly into trusted Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe, runs entirely in memory, and uses runtime decryption and sleep intervals to reduce detection and forensic artifacts.
