
Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe

Medium
Published: Wed Oct 22 2025 (10/22/2025, 04:00:17 UTC)
Source: AlienVault OTX General

Description

The Brazilian Caminho loader is a sophisticated malware delivery mechanism active since March 2025, leveraging LSB steganography to hide .NET payloads within images hosted on legitimate platforms. It initiates infection via phishing emails containing malicious scripts that download these steganographic images. The loader executes payloads filelessly in memory and establishes persistence using scheduled tasks. Caminho operates as a Loader-as-a-Service, delivering multiple malware families such as Remcos RAT, Xworm, and Katz stealer across South America, Africa, and Eastern Europe. Its use of bulletproof hosting and Portuguese language artifacts indicates a Brazilian origin and professional operation. The campaign targets multiple industries opportunistically without a specific sector focus. The infection chain employs multiple advanced techniques including fileless execution, steganography, and obfuscation, complicating detection and mitigation efforts. European organizations, especially in Eastern Europe, face risks of data theft, espionage, and system compromise. Mitigation requires targeted email security, memory scanning, and monitoring of scheduled tasks for persistence.

AI-Powered Analysis

AI analysis last updated: 10/22/2025, 12:09:35 UTC

Technical Analysis

The Caminho loader is a newly identified Brazilian malware loader active since March 2025, notable for its use of Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms, complicating detection. The infection chain begins with phishing emails containing malicious scripts that download these steganographic images. Once downloaded, Caminho extracts the hidden payloads and executes them directly in memory, employing fileless execution techniques to avoid writing malicious files to disk, thereby evading traditional antivirus detection. Persistence is achieved through scheduled tasks (T1053.005), allowing the malware to maintain a foothold after reboots. The loader delivers multiple malware families, including Remcos RAT, Xworm, and Katz stealer, which facilitate remote access, credential theft, and further system compromise. Analysis reveals Portuguese language artifacts and consistent operational patterns, suggesting a Loader-as-a-Service (LaaS) business model that enables multiple threat actors to leverage the Caminho infrastructure. The campaign uses bulletproof hosting services for command and control (C2) communication, enhancing resilience against takedown efforts. Targeting is opportunistic across multiple industries and geographies, with active infections reported in South America, Africa, and Eastern Europe. The malware employs various MITRE ATT&CK techniques such as obfuscated files or information (T1027.003), user execution via phishing (T1204.002), and remote file copy (T1105). The use of steganography and fileless execution complicates detection and response, requiring advanced threat hunting and memory analysis capabilities. No known public exploits exist, but the loader's modular design and LaaS model suggest ongoing evolution and potential expansion of capabilities.
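A defender-side statistical check for the LSB technique described above, added here as an illustration and not code from the report or from Arctic Wolf. It implements the classic pair-of-values chi-square test on a raw 8-bit pixel buffer: full-capacity LSB embedding flattens the counts of each value pair (2k, 2k+1), so a statistic near 1 per degree of freedom is suspicious while natural images score much higher. The image buffers are constructed synthetically, and the "embedding" is only a simulation that overwrites LSBs with pseudorandom bits to validate the detector.

```python
import random

def pair_chi_square(pixels: bytes) -> float:
    """Pair-of-values chi-square statistic (Westfeld/Pfitzmann), normalised by
    degrees of freedom. LSB embedding drives the counts of each value pair
    (2k, 2k+1) toward equality, so a LOW value indicates a flat LSB plane."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # value pair absent from the image: carries no information
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2 / max(dof - 1, 1)

def looks_lsb_embedded(pixels: bytes, threshold: float = 2.0) -> bool:
    """Heuristic verdict. A statistic close to 1.0 per degree of freedom means
    the LSB plane is statistically uniform, consistent with a hidden payload;
    the threshold of 2.0 is an assumed tuning value, not from the report."""
    return pair_chi_square(pixels) < threshold

def synthetic_clean_image() -> bytes:
    # Constructed stand-in for an unmodified image: every value pair is skewed
    # 3:1 toward the even value, as uncompressed photos typically are.
    return bytes(v for k in range(128) for v in [2 * k] * 24 + [2 * k + 1] * 8)

def simulate_full_capacity_embedding(pixels: bytes, seed: int = 7) -> bytes:
    # Models the statistical effect of an encrypted or compressed payload on the
    # LSB plane by replacing every LSB with a pseudorandom bit (test simulation
    # only; no payload is hidden).
    rng = random.Random(seed)
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in pixels)
```

On real files, feed the raw decoded pixel bytes of a lossless image (PNG/BMP); the test is not meaningful on JPEG-coded data, where the LSB plane is already reshaped by quantisation.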

Potential Impact

For European organizations, particularly those in Eastern Europe, the Caminho loader represents a significant threat due to its ability to deliver multiple malware families capable of credential theft, espionage, and remote access. The fileless execution and steganographic payload delivery reduce the likelihood of detection by traditional endpoint security solutions, increasing the risk of prolonged undetected presence. Compromise can lead to data breaches, intellectual property theft, disruption of operations, and potential lateral movement within networks. The opportunistic targeting means a wide range of industries could be affected, including finance, manufacturing, and government sectors. The use of bulletproof hosting and the LaaS model complicates attribution and takedown efforts, potentially prolonging campaigns. The persistence mechanism via scheduled tasks allows the malware to survive system reboots, increasing the difficulty of eradication. Additionally, the presence of Portuguese language artifacts and Brazilian origin may indicate targeting of organizations with business ties to Brazil or Portuguese-speaking regions, but the spread to Eastern Europe suggests broader geopolitical or cybercrime motivations. Overall, the threat could undermine the confidentiality, integrity, and availability of critical systems and data within European enterprises.

Mitigation Recommendations

European organizations should implement advanced email security solutions capable of detecting and blocking phishing emails with malicious scripts. Deploy endpoint detection and response (EDR) tools with memory scanning capabilities to identify fileless execution behaviors and anomalous scheduled task creation. Monitor network traffic for connections to known bulletproof hosting providers and unusual outbound communications. Employ steganography detection tools or heuristic analysis to identify suspicious image files, especially those downloaded from email attachments or untrusted sources. Conduct regular threat hunting exercises focusing on indicators of persistence such as scheduled tasks and anomalous process executions. Enforce strict application whitelisting and restrict execution of scripts from email or temporary directories. Enhance user awareness training to reduce susceptibility to phishing attacks. Collaborate with threat intelligence providers to stay updated on emerging indicators related to Caminho loader campaigns. Finally, implement network segmentation to limit lateral movement and contain potential infections.
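To make the recommendation on monitoring scheduled task creation concrete, here is an added triage routine (not from the report or the vendor) that scores a Task Scheduler definition, as logged in the TaskContent field of Windows Security event 4698, for the persistence pattern described above: an action that runs a script host or points at a user-writable directory. The task XML samples are constructed for illustration; the script-host and path lists are assumed starting points to be tuned per environment.

```python
import xml.etree.ElementTree as ET
from typing import List

# Namespace used by Task Scheduler task definitions (schemas.microsoft.com).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed watch lists: interpreters commonly abused for fileless persistence,
# and directory fragments a standard user can write to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

def triage_task_xml(task_xml: str) -> List[str]:
    """Return the reasons a task definition deserves analyst review (empty
    list means no heuristic fired). Works on the XML body of event 4698."""
    root = ET.fromstring(task_xml)
    reasons: List[str] = []
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        args = exe.findtext("t:Arguments", "", TASK_NS) or ""
        cmd_name = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        combined = (cmd + " " + args).lower()
        if cmd_name in SCRIPT_HOSTS:
            reasons.append(f"action runs a script host: {cmd_name}")
        if any(marker in combined for marker in USER_WRITABLE):
            reasons.append("action references a user-writable directory")
        if cmd_name in ("powershell.exe", "pwsh.exe") and ("-enc" in combined or "hidden" in combined):
            reasons.append("powershell launched with encoded or hidden-window flags")
    return reasons

# Constructed sample: a script host launched from the user's Temp directory.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B "C:\\Users\\alice\\AppData\\Local\\Temp\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a vendor updater installed under Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\ExampleVendor\\updater.exe"</Command></Exec>
  </Actions>
</Task>"""
```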


Technical Details

Author: AlienVault
TLP: white
References: https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families
Adversary: null
Pulse Id: 68f856d14d16bb8375c07868
Threat Score: null

Indicators of Compromise

Hash


Domain

cestfinidns.vip
serverdata-cloud.cloud

Threat ID: 68f8c95f88c5cfbf96a22627

Added to database: 10/22/2025, 12:09:03 PM

Last enriched: 10/22/2025, 12:09:35 PM

Last updated: 10/23/2025, 1:22:24 AM

Views: 15
