
DEAD#VAX Campaign Exploits IPFS and Obfuscation to Deliver AsyncRAT

2 min read | Source: The Hacker News

Threat actors behind DEAD#VAX use IPFS-hosted VHD files, script obfuscation, and memory-based tactics to evade detection and deploy AsyncRAT in targeted attacks.

Sophisticated DEAD#VAX Malware Campaign Targets Organizations with AsyncRAT

Security researchers have uncovered a stealthy malware campaign, DEAD#VAX, which employs a combination of IPFS-hosted VHD files, advanced script obfuscation, and in-memory execution to bypass traditional security defenses and deploy the AsyncRAT remote access trojan. The campaign demonstrates disciplined tradecraft and abuse of legitimate system features to evade detection.

Technical Breakdown of the Attack Chain

The DEAD#VAX campaign leverages multiple evasion techniques to avoid detection:

  • IPFS-Hosted Malicious Payloads: Threat actors distribute Virtual Hard Disk (VHD) files via the InterPlanetary File System (IPFS), a decentralized storage network that complicates takedown efforts.
  • Extreme Script Obfuscation: Attackers use heavily obfuscated scripts to conceal malicious code, making static analysis difficult.
  • Runtime Decryption & In-Memory Execution: Malware components are decrypted at runtime and executed in memory, avoiding disk-based detection mechanisms.
  • AsyncRAT Deployment: The final payload is AsyncRAT, a widely used open-source RAT capable of remote control, data exfiltration, and persistence.

Impact and Detection Challenges

The use of IPFS for hosting malicious files presents a significant challenge for defenders, as traditional domain-based blocking methods are ineffective. Additionally, the campaign’s reliance on in-memory execution and obfuscation makes it harder for endpoint detection and response (EDR) solutions to identify malicious activity.

Security teams should monitor for:

  • Unusual VHD file downloads from IPFS gateways
  • Suspicious PowerShell or script-based execution
  • Network connections to known AsyncRAT command-and-control (C2) servers
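
The two host-side signals in the list above (VHD downloads from IPFS gateways and suspicious PowerShell execution) can be turned into a simple triage pass over proxy and process-creation telemetry. The following is an added example, not code from the article or from the researchers it summarizes; the gateway host list, the obfuscation heuristics and every log record are constructed for illustration and should be replaced with your own allow/block lists and EDR field names.

```python
"""Toy detection pass for the signals the article lists.

Everything here is constructed for the example: the gateway list is an
assumption, and the sample events are not real telemetry.
"""
import re
from urllib.parse import urlparse

# Assumed set of public IPFS gateway hosts (constructed; also matches
# subdomain-style gateways such as <cid>.ipfs.dweb.link).
IPFS_GATEWAY_HOSTS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}
IPFS_PATH_RE = re.compile(r"^/(ipfs|ipns)/[A-Za-z0-9]+", re.I)
VHD_RE = re.compile(r"\.vhdx?(\?|$)", re.I)
PS_IMAGE_RE = re.compile(r"(?i)(^|\\)(powershell|pwsh)(\.exe)?$")

# Heuristic markers of obfuscated or script-based PowerShell execution.
PS_FLAGS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(ep|exec|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "dynamic evaluation"),
    (re.compile(r"(?i)frombase64string"), "base64 decode"),
    (re.compile(r"(?i)\[char\]\s*\d+"), "char-code string building"),
]

# Constructed sample events: proxy records carry a URL, process records
# carry the image name and command line as an EDR would report them.
SAMPLE_EVENTS = [
    {"type": "proxy", "host": "WS-042", "url": "https://ipfs.io/ipfs/QmExampleCIDxxxx/invoice.vhd"},
    {"type": "proxy", "host": "WS-042", "url": "https://www.example.com/docs/report.pdf"},
    {"type": "proxy", "host": "WS-017", "url": "https://bafyexamplecid.ipfs.dweb.link/update.vhdx"},
    {"type": "process", "host": "WS-042", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc QUJDRA=="},
    {"type": "process", "host": "WS-009", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
    {"type": "process", "host": "WS-017", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def ipfs_reason(url):
    """Return why a URL looks IPFS-related, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in IPFS_GATEWAY_HOSTS or any(host.endswith("." + g) for g in IPFS_GATEWAY_HOSTS):
        return "known IPFS gateway host"
    if IPFS_PATH_RE.match(parsed.path):
        return "IPFS content path on unlisted host"
    return None


def check_download(url):
    """Collect the download-related reasons for one URL, in a fixed order."""
    reasons = []
    gateway = ipfs_reason(url)
    if gateway:
        reasons.append(gateway)
    if VHD_RE.search(urlparse(url).path):
        reasons.append("VHD/VHDX download")
    return reasons


def check_powershell(image, cmdline):
    """Return matched obfuscation markers; non-PowerShell images yield nothing."""
    if not PS_IMAGE_RE.search(image):
        return []
    return [label for rx, label in PS_FLAGS if rx.search(cmdline)]


def scan(events):
    """Produce one finding per event that trips at least one heuristic.

    A VHD pulled from an IPFS gateway, or a PowerShell command line with two
    or more markers, is rated high; a single weak signal is rated low.
    """
    findings = []
    for ev in events:
        if ev["type"] == "proxy":
            reasons = check_download(ev["url"])
            if reasons:
                sev = "high" if len(reasons) == 2 else "low"
                findings.append({"host": ev["host"], "signal": "download",
                                 "severity": sev, "reasons": reasons, "detail": ev["url"]})
        elif ev["type"] == "process":
            reasons = check_powershell(ev["image"], ev["cmdline"])
            if reasons:
                sev = "high" if len(reasons) >= 2 else "low"
                findings.append({"host": ev["host"], "signal": "powershell",
                                 "severity": sev, "reasons": reasons, "detail": ev["cmdline"]})
    return findings


def hosts_with_both(findings):
    """Hosts that show both a download and a PowerShell finding; worth triaging first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["signal"])
    return {h for h, sigs in by_host.items() if {"download", "powershell"} <= sigs}


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['severity']:<5} {f['host']} {f['signal']}: {', '.join(f['reasons'])}")
    print("hosts with both signals:", sorted(hosts_with_both(results)))
```

The per-event checks are deliberately independent so each can be tuned on its own; the correlation in hosts_with_both is what turns two noisy signals into a prioritised lead, which matters when the payload itself never touches disk in a form static scanners would catch.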

Mitigation and Response Recommendations

Organizations can reduce risk by implementing the following measures:

  • Restrict IPFS Gateway Access: Block or monitor access to known IPFS gateways unless explicitly required.
  • Enhance Script Monitoring: Deploy advanced behavioral analysis to detect obfuscated scripts and in-memory execution.
  • Endpoint Protection: Ensure EDR/XDR solutions are configured to detect AsyncRAT and similar RATs.
  • User Awareness Training: Educate employees on phishing risks, particularly those involving unusual file types (e.g., VHD).

Researchers continue to analyze the campaign for additional indicators of compromise (IOCs). Security teams are advised to stay updated on emerging threats and adjust defenses accordingly.
