DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
Summary
Hide ▲
Show ▼
The DEAD#VAX campaign is using phishing-delivered IPFS-hosted VHD files to deploy AsyncRAT, creating a stealthier path to fileless endpoint compromise. The chain relies on WSF, obfuscated batch scripts, and PowerShell loaders to evade detection and keep payloads out of sight. It injects the trojan into trusted Windows processes such as RuntimeBroker.exe and OneDrive.exe, making activity harder to spot and investigate. The result is a multi-stage intrusion flow designed to reduce forensic artifacts while preserving long-term access.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Timeline
-
04.02.2026 19:24 2 articles · 5mo ago
Securonix discloses DEAD#VAX campaign delivering AsyncRAT
Initial DisclosureSecuronix threat hunters disclosed DEAD#VAX, a stealthy malware campaign that starts with phishing emails delivering IPFS-hosted VHD files disguised as purchase-order PDFs and continues through WSF, heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deploy AsyncRAT as encrypted x64 shellcode. The payload is injected directly into trusted Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe, runs entirely in memory, and uses runtime decryption and sleep intervals to reduce detection and forensic artifacts.
Show sources
- DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files — thehackernews.com — 04.02.2026 19:24
- DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files — thehackernews.com — 04.02.2026 19:24