Scam on steroids: fake PDFs now hide on decentralized web and mount as virtual drives


Security researchers warn about a new, bizarrely complex phishing campaign. To bypass security protections, hackers send scam emails linking to fake PDFs hosted on a decentralized network – once downloaded and opened, the files mount as entire virtual drives filled with malicious content.

Securonix researchers detailed a scam campaign that sets new standards for evasion and complexity.

On the surface, it appears similar to many other scams: victims who fall for phishing emails download fake PDFs. But instead of attaching a malicious archive or executable, this campaign hosts its malicious files on the InterPlanetary File System (IPFS), a peer-to-peer storage network.


From there, the victims download a Virtual Hard Disk (VHD) file masquerading as a PDF or a Word document. When they try to open it, Windows natively mounts the file as a new logical drive. This allows bypassing Windows’ standard security warnings – the files inside the fake drive are not marked as untrusted, unlike other files downloaded from the internet.

And the contents of the virtual drive are nasty – heavily obfuscated batch scripts and self-parsing PowerShell loaders, which ultimately deliver the encrypted AsyncRAT malware, executed entirely in memory without writing the payload to disk.


This trojan allows attackers to take remote control of a user’s computer.

“By chaining trusted file formats, layered scripting, and in-memory execution, the attackers effectively sidestep many traditional controls while maintaining stealth and resilience,” the Securonix researchers said in a detailed report on the phishing campaign dubbed DeadVax.

Malwarebytes warns that this infection chain, while long, looks legitimate enough to slip past casual checks.

“Open the wrong ‘invoice’ or ‘purchase order’ and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT,” Malwarebytes wrote in a blog post. “While traditional file‑based defenses see almost nothing suspicious on disk.”

The whole attack chain is extremely complicated


Phishing emails themselves can be very convincing and highly targeted. In the attacks observed in the wild, hackers impersonated Progressive Components (procoms.com), a legitimate global company providing tooling components.

“The ‘From’ name in the email is displayed as ‘Progressive Purchasing’ and the email header shows a double address format: ‘purchasing@procoms[.]com’, ‘purchase@mingyitc[.]com.’ The attacker spoofs procoms.com via display name, but the actual sending domain is likely the compromised or malicious mingyitc.com,” the Securonix report reads.

Image by Securonix Threat Research.

The phishing email contains a download link that appears to point to a PDF file. In reality it goes to IPFS decentralized file hosting, so the malicious file never passes through email attachment scanning.

VirusTotal showed zero detections for VHD files delivered via these emails.

“When you download a VHD file, the VHD file itself gets the mark of the web. However, when the user double clicks the VHD file to mount it, Windows mounts it as a new logical drive. The file system inside the VHD is treated as a separate volume and the files inside the VHD file do not inherit the mark of the web from the container. To the operating system, they appear as local files residing on a local disk,” the researchers warned.

The mounted drive only contains a small file pretending to be “PurchaseOrder.” But it is a Windows Script File (WSF). Hackers hope that the .wsf extension at the end of the long file name will be hidden or ignored by the users.


The heavily obfuscated malicious script reconstructs and decrypts itself. It then runs another heavily obfuscated script (Batch file), which checks for admin privileges, gathers system information, and verifies it’s not running in a virtual machine.

The script terminates immediately if it detects a sandbox environment. For actual victims, it runs a hidden payload, which again needs to be reconstructed using a steganography-like technique, and saved as a fake “windows.dll” file for later decryption.


Another command decrypts the loader from the “windows.dll,” which is another PowerShell script executed in memory, used for process injection and persistence. It’s designed to operate as a long-lived loader rather than a simple dropper. It establishes persistence by creating a hidden scheduled task that runs at login.

And there are multiple more steps before retrieving and injecting the AsyncRAT, the final payload. This RAT allows attackers to issue commands and receive results in real time without interrupting normal computer use.


“AsyncRAT includes a broad range of surveillance and data collection capabilities. Keylogging functionality captures keystrokes at the operating system level, allowing attackers to harvest credentials, chat messages, and sensitive user input,” the report details.

“Screen capture and webcam access provide real-time visual monitoring of user activity, enabling credential theft, reconnaissance of internal applications, and direct observation of sensitive workflows.”

The researchers believe that the fileless hacking campaign is not opportunistic, but a deliberate, full-featured, sophisticated remote access operation.

“The sophistication of the delivery chain, combined with AsyncRAT’s capabilities, underscores the threat posed by script-based, multi-stage attacks and highlights the need for memory-level monitoring, behavioral detection, and cross-stage correlation in modern defensive strategies,” the researchers said.


How to stay safe?

Falling for this scam can lead to credential theft, including email, banking, and social media account compromise; data exfiltration and exposure; surveillance over prolonged periods of time; and the use of the machine as a proxy for other cyberattacks in the same or external networks.


“This campaign strategically utilizes Virtual Hard Disk (VHD) files hosted on IPFS infrastructure to bypass email gateway filters. Maintain an extra sense of vigilance regarding unsolicited emails containing disk image attachments such as .VHD, .ISO, or .IMG,” Securonix researchers suggest.

Users should avoid clicking on suspicious links and running files downloaded from unknown sources.

Malwarebytes warns that this malware is hard to detect, and users should avoid opening email attachments until they are verified with a trusted source.


“Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called invoice.pdf.vhd the user would only see invoice.pdf,” the security firm suggests.
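The two lures the article describes, a download link into IPFS and a document-looking name with a trailing disk-image extension (invoice.pdf.vhd, PurchaseOrder…wsf), are easy to flag at the mail gateway or in a triage script before anyone double-clicks. The following Python is an added example written for this article, not code from Securonix or Malwarebytes. The list of IPFS gateway hostnames, the constructed sample email, and the placeholder content identifier are assumptions made for the example; the extension lists come from the article.

```python
import re
from urllib.parse import urlparse

# Extensions Windows mounts as a new volume when double-clicked (from the article's advice)
DISK_IMAGE_EXTS = {".vhd", ".vhdx", ".iso", ".img"}
# Extensions a user reads as "a document"; a different real extension after one of these
# is the invoice.pdf.vhd / PurchaseOrder.pdf.wsf trick, since Explorer hides only the last one
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Public IPFS gateway hostnames: an ASSUMED short list for this example, not from the report
IPFS_HOST_HINTS = ("ipfs.io", "dweb.link", "cloudflare-ipfs.com")
# Path-style gateway URLs look like https://<gateway>/ipfs/<cid>/...; /ipns/ names work the same way
IPFS_PATH_RE = re.compile(r"/ip[fn]s/[A-Za-z0-9]+", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def split_extensions(filename):
    """All trailing extensions of a name, lowercased: 'PurchaseOrder.pdf.wsf' -> ['.pdf', '.wsf']."""
    base = filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def explorer_display_name(filename):
    """What Windows Explorer shows with 'Hide extensions for known file types' on: the last extension is dropped."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def classify_filename(filename):
    """Return the indicators a file name carries: 'disk-image' and/or 'double-extension'."""
    exts = split_extensions(filename)
    findings = []
    if exts and exts[-1] in DISK_IMAGE_EXTS:
        findings.append("disk-image")
    # Document-looking name whose real (last) extension is something else entirely
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] not in DOCUMENT_EXTS:
        findings.append("double-extension")
    return findings


def is_ipfs_url(url):
    """True if the URL points at an IPFS gateway, by hostname or by /ipfs/<cid> path or subdomain style."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    gateway = any(host == h or host.endswith("." + h) for h in IPFS_HOST_HINTS)
    subdomain_style = ".ipfs." in host  # e.g. <cid>.ipfs.<gateway>
    return gateway or subdomain_style or bool(IPFS_PATH_RE.search(parsed.path))


def triage_email(body, attachments):
    """Scan one message's body links and attachment names; returns a list of (indicator, value) pairs."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the link
        if is_ipfs_url(url):
            hits.append(("ipfs-link", url))
        linked_name = urlparse(url).path.rsplit("/", 1)[-1]
        for finding in classify_filename(linked_name):
            hits.append((finding + "-link", url))
    for name in attachments:
        for finding in classify_filename(name):
            hits.append((finding + "-attachment", name))
    return hits


# Constructed sample message for the example; the CID is a placeholder, not a real hash
SAMPLE_BODY = (
    "Please review the purchase order below.\n"
    "Download: https://ipfs.io/ipfs/bafyEXAMPLECID/PurchaseOrder.pdf.vhd\n"
    "Regards, Purchasing\n"
)
SAMPLE_ATTACHMENTS = ["invoice.pdf.vhd", "terms.pdf"]

if __name__ == "__main__":
    for indicator, value in triage_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"{indicator:28} {value}")
    print("Explorer would show invoice.pdf.vhd as:", explorer_display_name("invoice.pdf.vhd"))
```

Run stand-alone it lists the IPFS link, the disk-image and double-extension findings for both the linked file and the attachment, and nothing for terms.pdf. Treat the hostname list as a starting point: IPFS content can be reached through any gateway, so the /ipfs/<cid> path check is the more durable of the two tests.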

Using an up-to-date, real-time security solution might help detect malware running in memory.
