DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files
The DEAD#VAX malware campaign uses sophisticated evasion techniques to deploy the AsyncRAT remote access trojan via phishing emails containing IPFS-hosted VHD files disguised as PDFs. Upon opening, the VHD mounts as a virtual drive containing scripts that perform environment checks before injecting encrypted AsyncRAT shellcode directly into trusted Windows processes, executing entirely in memory without dropping files to disk. This fileless execution and use of legitimate Windows components make detection and forensic analysis difficult. AsyncRAT enables attackers to perform keylogging, screen and webcam capture, clipboard monitoring, file access, remote commands, and persistence. The campaign employs heavy script obfuscation, runtime decryption, and throttled execution to avoid detection. This multi-stage attack chain leverages modern tradecraft to bypass traditional endpoint security controls and maintain long-term stealthy access.
AI Analysis
Technical Summary
The DEAD#VAX malware campaign represents a highly stealthy and sophisticated attack vector that leverages a combination of social engineering, fileless malware techniques, and abuse of legitimate Windows features to deploy the AsyncRAT remote access trojan. The infection begins with a phishing email delivering a Virtual Hard Disk (VHD) file hosted on the decentralized InterPlanetary File System (IPFS), disguised as a PDF purchase order to deceive targets. When the victim opens the file, it mounts as a virtual drive (e.g., E:\) containing a Windows Script File (WSF). Execution of this script triggers a heavily obfuscated batch script that performs environment checks to evade sandbox and virtual machine detection and verifies sufficient privileges. Upon passing these checks, a PowerShell loader decrypts and injects the AsyncRAT payload as shellcode directly into trusted Microsoft-signed Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. This in-memory execution model avoids writing malicious binaries to disk, significantly reducing forensic artifacts and detection by traditional antivirus and endpoint detection and response (EDR) solutions. The malware also implements execution throttling and sleep intervals to minimize CPU usage and evade behavioral detection. AsyncRAT provides attackers with extensive control over compromised systems, including keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence mechanisms via scheduled tasks. The campaign’s use of IPFS for hosting payloads adds a decentralized layer that complicates takedown efforts. Overall, DEAD#VAX exemplifies modern malware trends that rely on multi-stage, fileless, and memory-resident techniques combined with legitimate system processes to maintain stealth and persistence.
Potential Impact
For European organizations, the DEAD#VAX campaign poses a significant threat due to its stealthy nature and ability to bypass traditional security controls. The use of phishing emails with convincing purchase order lures increases the likelihood of initial compromise, especially in sectors with frequent procurement communications. Once inside, AsyncRAT’s capabilities allow attackers to conduct extensive surveillance, data exfiltration, and remote control, potentially leading to intellectual property theft, espionage, and disruption of business operations. The fileless execution and injection into trusted processes complicate detection and incident response, increasing dwell time and the risk of widespread lateral movement within networks. Organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, and critical infrastructure operators, face heightened risks of compliance violations and reputational damage. The decentralized hosting of payloads on IPFS also challenges traditional network defense mechanisms, requiring advanced threat hunting and monitoring capabilities. Overall, the campaign could enable persistent, covert access to European enterprise environments, facilitating espionage, data theft, and potentially enabling follow-on ransomware or sabotage attacks.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to detect and disrupt fileless and script-based attacks. Specific recommendations include:
1) Enhance email security with advanced phishing detection and sandboxing that can analyze VHD files and scripts, including those hosted on decentralized networks like IPFS.
2) Deploy endpoint detection solutions capable of monitoring in-memory execution, PowerShell activity, and injection into trusted Windows processes, with behavioral analytics to identify anomalies such as unusual process injections and execution throttling patterns.
3) Restrict execution of Windows Script Files (WSF), batch scripts, and PowerShell scripts through application control policies and enable PowerShell logging with script block logging and transcription for forensic visibility.
4) Implement network monitoring to detect IPFS traffic or connections to decentralized storage nodes, which are uncommon in enterprise environments.
5) Harden user privileges to limit script execution and prevent unauthorized persistence mechanisms like scheduled tasks.
6) Conduct regular phishing awareness training emphasizing the risks of opening unexpected attachments, especially those masquerading as PDFs but with unusual file extensions or behaviors.
7) Employ threat hunting exercises focused on identifying signs of AsyncRAT activity, such as keylogging artifacts, unusual process behaviors, and persistence mechanisms.
8) Maintain up-to-date threat intelligence feeds to quickly identify emerging indicators related to DEAD#VAX and AsyncRAT campaigns.
9) Consider network segmentation and zero trust principles to limit lateral movement if compromise occurs.
10) Prepare incident response plans specifically addressing fileless malware and memory-resident threats to enable rapid containment and remediation.
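The following PowerShell, run from an elevated prompt, is an added example of applying the logging, script-restriction and hunting recommendations above on a single host; it is not code from the article or from the campaign analysis. The registry paths are the documented Group Policy equivalents for PowerShell script block logging, transcription and Windows Script Host; the injection-API keyword list, the transcript directory and the parent-process check are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added example (not from the article). Run elevated.
# 1. Enable PowerShell script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational) so decrypted loader
#    code is recorded even when it never touches disk.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Enable transcription with invocation headers. OutputDirectory is an
#    assumed path; in production point it at a write-only share.
$tx = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $tx -Force | Out-Null
Set-ItemProperty -Path $tx -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path $tx -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $tx -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# 3. Disable Windows Script Host machine-wide. wscript.exe/cscript.exe are
#    what execute .wsf files, so this blocks the first stage after mounting.
#    Verify no line-of-business logon scripts depend on WSH first.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

# 4. Hunt recent 4104 events for script blocks that combine several
#    injection primitives. The keyword list is an assumption; a single hit
#    is noisy, so require at least two distinct terms per block.
$patterns = 'VirtualAlloc', 'WriteProcessMemory', 'CreateRemoteThread',
            'NtMapViewOfSection', 'FromBase64String', 'OpenProcess'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -MaxEvents 5000 -ErrorAction SilentlyContinue |
  Where-Object {
    $m = $_.Message
    ($patterns | Where-Object { $m -match $_ }).Count -ge 2
  } |
  Select-Object TimeCreated, Id,
    @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
  Format-Table -Wrap

# 5. Hunt live processes: instances of the trusted binaries named in the
#    analysis whose parent is a script host or shell rather than the usual
#    svchost.exe/explorer.exe lineage.
$targets = 'RuntimeBroker.exe', 'OneDrive.exe', 'taskhostw.exe', 'sihost.exe'
$procs   = Get-CimInstance Win32_Process
$byId    = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
foreach ($p in ($procs | Where-Object { $targets -contains $_.Name })) {
  $parent = $byId[[int]$p.ParentProcessId]
  if ($parent -and $parent.Name -match '^(powershell|pwsh|wscript|cscript|cmd)\.exe$') {
    [pscustomobject]@{
      Pid       = $p.ProcessId
      Name      = $p.Name
      ParentPid = $parent.ProcessId
      Parent    = $parent.Name
      Cmd       = $p.CommandLine
    }
  }
}
```

Two caveats on the hunting steps. The parent-process check only catches the case where the loader starts a fresh copy of the target binary; injection into an already-running RuntimeBroker.exe or sihost.exe leaves its original parent intact, so that case needs memory-level telemetry from the EDR (recommendation 2) rather than process-tree inspection. And script block logging records the decrypted code only once PowerShell compiles it, so the throttled, sleep-heavy loaders described above will still appear, but later and spread across several 4104 events; correlate by the ScriptBlockId field in the event rather than by timestamp alone.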
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Switzerland
Technical Details
Article Source: https://thehackernews.com/2026/02/deadvax-malware-campaign-deploys.html (fetched 2026-02-05T09:10:52Z, 1163 words)
Threat ID: 69845e9ff9fa50a62f0ff3af
Added to database: 2/5/2026, 9:10:55 AM
Last enriched: 2/5/2026, 9:11:58 AM
Last updated: 2/5/2026, 5:45:44 PM