The DEAD#VAX campaign represents a sophisticated malware distribution operation that combines advanced social engineering tactics with innovative technical evasion techniques to deploy AsyncRAT remote access trojan on victim systems worldwide. This attack campaign leverages InterPlanetary File System (IPFS) decentralized storage infrastructure to host malicious payloads, making traditional URL-based blocking and takedown efforts significantly more challenging. The threat actors behind DEAD#VAX employ carefully crafted phishing emails masquerading as legitimate business communications from Progressive Components, a recognized global supplier of tooling components, to establish initial trust and credibility with targeted victims.
The DEAD#VAX attack methodology demonstrates sophisticated understanding of both social engineering principles and technical security controls. The phishing emails incorporate multiple deception techniques including display name spoofing, deceptive sender addresses, urgency manipulation through time-sensitive business requests, and fake security scan banners claiming “Virus scan completed. No threats detected” to reduce victim suspicion. Rather than distributing traditional malicious attachments, the campaign directs victims to download Virtual Hard Disk (VHD) files hosted on IPFS infrastructure, representing an innovative approach to payload delivery that bypasses many conventional security controls.
The technical execution chain demonstrates multiple layers of obfuscation and evasion designed to circumvent security technologies and evade detection by sandbox analysis environments. When victims mount the VHD file, Windows automatically treats the virtual drive contents as trusted, effectively bypassing Mark-of-the-Web security protections that normally flag downloaded files as potentially dangerous. The malware deployment involves disguised Windows Script Files with double extensions, heavily obfuscated batch scripts incorporating anti-virtualization checks, multi-layer payload deobfuscation involving Base64 encoding and XOR encryption, PowerShell-based loaders establishing persistence through hidden scheduled tasks, process injection into legitimate Microsoft-signed executables, and ultimately memory-resident AsyncRAT deployment that leaves minimal forensic artifacts on disk.
The final AsyncRAT payload provides attackers with comprehensive remote access capabilities including keylogging to capture credentials and sensitive information, screen and webcam capture for surveillance, clipboard monitoring to intercept copied data, complete file system access for data theft, remote command execution for lateral movement, and long-term persistence mechanisms for sustained access. By operating entirely in memory as encrypted shellcode, the malware significantly complicates detection and forensic analysis efforts, representing a sophisticated threat to organizations worldwide.
The DEAD#VAX campaign begins with a carefully crafted phishing email masquerading as a legitimate business communication from Progressive Components, a well-known global supplier of tooling components used in manufacturing industries. The email is sent under the display name “Progressive Purchasing” and employs a deceptive double-address format where the visible sender name appears trustworthy while the actual routing domain is suspicious or compromised. The message content creates a sense of urgency by framing the email as a time-sensitive business-related request requiring a response within two days, a common social engineering tactic designed to pressure victims into acting quickly without conducting thorough scrutiny.
To further reduce victim suspicion and overcome natural security awareness, the phishing email includes a fake security banner displaying the message “Virus scan completed. No threats detected,” falsely suggesting that the content has been validated by security controls. Victims are then prompted to download what appears to be a standard PDF document containing purchase order information or similar business content. However, the file is actually a Virtual Hard Disk (VHD) file hosted through IPFS infrastructure rather than traditional web hosting, allowing attackers to distribute payloads via decentralized storage that is significantly more difficult to take down or block compared to conventional hosting services.
Once the victim downloads and opens the VHD file, Windows automatically mounts it as a virtual drive letter, making the contents accessible through Windows Explorer just like any physical storage device. This mounting technique cleverly bypasses the Mark-of-the-Web (MOTW) security control, which is a critical Windows security feature that tags files downloaded from the internet as potentially untrusted and triggers additional security warnings when users attempt to execute them. Files contained within the mounted VHD do not inherit the untrusted MOTW status, effectively circumventing this important security protection and allowing malicious content to execute without triggering standard security warnings.
Inside the mounted virtual drive, victims encounter a Windows Script File (WSF) that has been disguised using a double extension technique to appear as a harmless PDF document. When the victim double-clicks what they believe is a PDF file, the Windows Script File executes instead, launching a heavily obfuscated batch script. This batch script immediately begins performing environmental checks designed to detect virtualized environments, sandbox analysis systems, and security research tools. The malware verifies administrative privileges, detects virtualized hardware indicators, checks system memory configurations to identify sandbox environments that typically allocate minimal resources, and performs timing analysis to detect automated analysis systems.
After successfully passing environmental validation checks, the malicious batch script copies itself to a persistent location on the system and leverages PowerShell to parse its own content, extracting hidden payload data that has been embedded within specific lines of the script file. This self-extracting technique allows the malware to carry its payload without requiring additional file downloads that might be detected by network security monitoring. The hidden payload undergoes several sophisticated layers of deobfuscation before it can be executed, representing a significant barrier to automated security analysis.
The deobfuscation process involves multiple sequential transformations including removal of Unicode noise characters inserted to break pattern-matching signatures, Base64 decoding of encoded binary content, XOR-based decryption using embedded keys to decrypt the actual payload, and character shifting operations to reverse obfuscation transformations. The final decrypted result is a PowerShell-based loader component responsible for establishing persistence mechanisms and preparing for process injection. This loader establishes stealthy persistence through hidden scheduled tasks that execute at system startup or user logon, VBScript launchers that provide an additional layer of indirection, and registry modifications that ensure malware execution across system reboots.
The PowerShell loader prepares to inject malicious code into trusted Microsoft-signed processes including RuntimeBroker.exe (a legitimate Windows process broker), OneDrive.exe (Microsoft’s cloud storage client), taskhostw.exe (Windows Task Host process), and sihost.exe (Shell Infrastructure Host). By injecting into these legitimate and commonly running processes, the malware activity blends into normal system operations, making detection significantly more challenging for security monitoring tools that whitelist known-good Microsoft processes.
The injection process follows a well-established pattern leveraging Windows API functions including OpenProcess to obtain a handle to the target process, VirtualAllocEx to allocate memory within the target process address space, WriteProcessMemory to write malicious shellcode into the allocated memory, and CreateRemoteThread to execute the injected code within the context of the legitimate process. To avoid reinfecting processes that have already been compromised, the malware scans target process memory for a specific marker sequence before attempting injection, demonstrating sophisticated operational awareness.
The final payload delivered through this multi-stage infection chain is AsyncRAT, an open-source remote access trojan that grants attackers extensive control over compromised machines. AsyncRAT capabilities include comprehensive keylogging to capture credentials, sensitive information, and user communications; screen capture and webcam access for surveillance operations; clipboard monitoring to intercept copied passwords, cryptocurrency addresses, and other sensitive data; complete file system access enabling data theft and manipulation; remote command execution allowing attackers to run arbitrary commands and deploy additional tools; and robust persistence mechanisms ensuring long-term access even after system reboots. Critically, the AsyncRAT payload operates entirely in memory as encrypted shellcode, never appearing on disk in a recognizable form, making traditional file-based detection approaches ineffective and significantly complicating forensic analysis efforts.
Organizations must configure network firewalls, web proxies, and DNS security controls to block or generate alerts on connections to IPFS gateway domains including w3s.link, ipfs.io, and similar decentralized storage gateways that are increasingly abused for malware hosting. While IPFS technology has legitimate uses for decentralized content distribution, the difficulty of content moderation and takedown makes these platforms attractive for threat actors seeking to maintain persistent payload distribution infrastructure. Security teams should implement web filtering policies that block access to known IPFS gateways while establishing exception processes for legitimate business requirements.
Organizations should implement Group Policy settings or Microsoft Endpoint Configuration Manager policies to prevent automatic mounting of VHD, VHDX, ISO, and IMG files, or alternatively require elevated administrative privileges for mounting operations. This mitigation directly addresses the Mark-of-the-Web bypass technique employed by DEAD#VAX, which relies on automatic VHD mounting to circumvent security warnings. Security administrators should evaluate business requirements for virtual disk mounting capabilities and implement the most restrictive policy consistent with operational needs.
Organizations must ensure that file extension visibility is enabled for all users across the enterprise to help identify disguised files using double extension techniques such as “filename.pdf.wsf” that appear as “filename.pdf” when extensions are hidden. This simple configuration change significantly reduces the effectiveness of file extension spoofing techniques that rely on user interface defaults hiding file extensions. Security administrators should implement Group Policy settings to force-enable file extension display and disable the “Hide extensions for known file types” option across all endpoints.
Organizations should implement Sysmon or equivalent endpoint detection and response capabilities configured to monitor for Windows API calls associated with process injection techniques. Specific detection rules should alert on VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, and OpenProcess API calls with suspicious access flags or targeting sensitive processes. Security operations centers should establish baseline behaviors for legitimate process interactions and investigate anomalous process injection activity, particularly when initiated by script interpreters or involving Microsoft-signed processes as injection targets.
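As an added example (not code from the advisory or from Securonix), the following Python performs a triage pass over Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records: it scores the access rights granted by OpenProcess, whether the source is a script interpreter, and whether the target is one of the processes named above. The event dictionaries, the scoring weights and the alert threshold are constructed for illustration.

```python
import ntpath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Injection targets the advisory names.
WATCHED_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights a handle
# needs before WriteProcessMemory and CreateRemoteThread can succeed against it.
INJECT_MASK = 0x0002 | 0x0008 | 0x0020
ALERT_THRESHOLD = 2  # constructed weight threshold for this example

def score_event(event):
    """Return (score, reasons); an event is an alert when score >= ALERT_THRESHOLD."""
    src = ntpath.basename(event.get("SourceImage", "")).lower()
    dst = ntpath.basename(event.get("TargetImage", "")).lower()
    score, reasons = 0, []
    if event["EventID"] == 10:  # ProcessAccess: GrantedAccess is a hex string
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if (granted & INJECT_MASK) == INJECT_MASK:
            score += 1
            reasons.append("handle opened with write+thread rights (0x%X)" % granted)
    elif event["EventID"] == 8:  # CreateRemoteThread
        score += 1
        reasons.append("remote thread created in another process")
        if not event.get("StartModule"):  # start address not backed by any module
            score += 1
            reasons.append("thread start address in unbacked memory")
    if not reasons:  # benign access rights: do not score source/target at all
        return 0, []
    if src in SCRIPT_HOSTS:
        score += 2
        reasons.append("source is script interpreter " + src)
    if dst in WATCHED_TARGETS:
        score += 1
        reasons.append("target " + dst + " is a DEAD#VAX injection target")
    return score, reasons

def alerts(events):
    out = []  # (EventID, score, reasons) for every event crossing the threshold
    for event in events:
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            out.append((event["EventID"], score, reasons))
    return out

# Constructed sample events, not from the advisory; real Sysmon records carry more fields.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
EVENTS = [
    {"EventID": 10, "SourceImage": PS, "TargetImage": S32 + r"\RuntimeBroker.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": PS, "TargetImage": S32 + r"\sihost.exe", "StartModule": ""},
    {"EventID": 10, "SourceImage": S32 + r"\svchost.exe", "TargetImage": S32 + r"\RuntimeBroker.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": S32 + r"\csrss.exe", "TargetImage": r"C:\Program Files\Contoso\app.exe", "StartModule": S32 + r"\ntdll.dll"},
]
```

The two svchost/csrss records show why the access mask and the backing module are checked before source and target are weighed: ordinary query handles and module-backed remote threads stay below the threshold.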
Email security gateways should be configured to block or quarantine emails containing links to IPFS gateways and to flag messages exhibiting urgency manipulation language combined with external download links. Security teams should implement advanced content analysis capabilities that examine email message structure, sender reputation, link destinations, and social engineering indicators. Organizations should establish user education programs teaching employees to recognize phishing tactics including fake security banners, urgency manipulation, sender address spoofing, and requests to download files from unfamiliar locations.
Security operations centers should implement detection rules that alert on newly created scheduled tasks executing wscript.exe, cscript.exe, PowerShell, or other script interpreters, particularly when scheduled tasks have randomized names, suspicious naming conventions, or execute content from user profile directories. Organizations should establish baseline inventories of legitimate scheduled tasks and investigate any deviations from expected configurations. Scheduled task monitoring provides critical visibility into persistence mechanisms employed by malware including AsyncRAT loaders deployed through DEAD#VAX campaigns.
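The scheduled-task rule described here, as an added Python example that is not part of the advisory: it parses the TaskContent XML carried by Windows Security event 4698 (task created) and reports a new task that is absent from the baseline inventory, runs a script interpreter, references a user-profile path, is marked hidden, or fires at logon or boot. The baseline set and both task definitions are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
USER_PROFILE_RE = re.compile(r"\\users\\|%(appdata|localappdata|temp|userprofile)%", re.I)
# Constructed baseline inventory of approved task names (an assumption for this example).
BASELINE = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}

def assess_task(task_name, task_content, baseline=BASELINE):
    """Return the reasons to alert on a newly created task; an empty list means benign."""
    # 4698 TaskContent starts with a UTF-16 XML declaration; drop it so the str parses.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content))
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip()
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    reasons = []
    if task_name not in baseline:
        reasons.append("task name not in baseline inventory")
    if ntpath.basename(command).lower() in SCRIPT_HOSTS:
        reasons.append("action runs script interpreter " + ntpath.basename(command))
    if USER_PROFILE_RE.search(command + " " + arguments):
        reasons.append("action references a user-profile path")
    if hidden.strip().lower() == "true":
        reasons.append("task is flagged hidden")
    for trigger in ("LogonTrigger", "BootTrigger"):
        if root.find("t:Triggers/t:" + trigger, NS) is not None:
            reasons.append("fires on " + trigger)
    return reasons

# Constructed TaskContent samples (not from the advisory).
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B "C:\\Users\\alice\\AppData\\Roaming\\x7Kq2p.vbs"</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""
```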
The DEAD#VAX campaign demonstrates sophisticated adversary tradecraft mapped to multiple MITRE ATT&CK tactics and techniques:
Initial Access: T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link) – The campaign employs phishing emails with links to IPFS-hosted VHD files that function as malicious attachments.
Execution: T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1059.005 (Visual Basic), T1059.007 (JavaScript) – The attack chain leverages multiple scripting interpreters including Windows Script Files, batch files, PowerShell, and VBScript for multi-stage execution.
Persistence: T1053.005 (Scheduled Task) – The malware establishes persistence through hidden scheduled tasks that execute malicious scripts at system startup or user logon.
Defense Evasion: T1027.002 (Software Packing), T1140 (Deobfuscate/Decode Files or Information), T1218 (System Binary Proxy Execution), T1497.001 (Virtualization/Sandbox Evasion via System Checks), T1055 (Process Injection) – The campaign combines multiple evasion techniques, including obfuscation, multi-layer deobfuscation, Mark-of-the-Web bypass through VHD mounting, anti-virtualization checks, and process injection into legitimate processes.
Credential Access: T1056.001 (Keylogging) – AsyncRAT includes comprehensive keylogging capabilities to capture credentials and sensitive information.
Discovery: T1082 (System Information Discovery) – The malware collects system information including hardware configuration, memory availability, and virtualization indicators.
Collection: T1113 (Screen Capture), T1125 (Video Capture), T1115 (Clipboard Data) – AsyncRAT provides surveillance capabilities including screen capture, webcam access, and clipboard monitoring.
Command and Control: T1071.001 (Web Protocols), T1573 (Encrypted Channel) – The malware communicates with command-and-control infrastructure using encrypted HTTPS communications.
Exfiltration: T1041 (Exfiltration Over C2 Channel) – Stolen data is exfiltrated through the established command-and-control channel.
Impact: T1565.001 (Stored Data Manipulation) – AsyncRAT capabilities include the ability to modify or delete files on compromised systems.
The DEAD#VAX campaign involved multiple malicious file samples identified through security research and incident response activities. Organizations should integrate the provided SHA256 hash values into endpoint detection and response platforms, antivirus solutions, threat intelligence feeds, and security information and event management systems to identify potentially compromised systems. These hashes represent various components of the attack chain including VHD container files, obfuscated script files, PowerShell loaders, and AsyncRAT payloads.
The campaign utilized the domain mingyitc.com as part of its command-and-control infrastructure. Organizations should block network communications to this domain at firewall, DNS, and web proxy levels. Security teams should review historical network traffic logs, DNS query records, and proxy logs for evidence of connections to this domain, which may indicate compromised systems requiring investigation and remediation.
The campaign distributed malicious VHD files through IPFS infrastructure using specific gateway URLs. The documented malicious URL hosted on the w3s.link IPFS gateway contained a VHD file disguised as a purchase order document from Progressive Components. Organizations should search proxy logs and endpoint browser history for connections to the documented malicious URL and should implement blocking of IPFS gateway domains to prevent future payload downloads.
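The proxy-log search recommended here, and the IPFS gateway blocking recommended in the mitigation section, can be scripted; the following Python is an added example, not code from the advisory or from Securonix. It recognises both the path form of a gateway URL (gateway/ipfs/CID/file) and the subdomain form (CID.ipfs.gateway/file), and flags disk-image downloads. The gateways beyond w3s.link and ipfs.io, the log line layout, and the sample CIDs are assumptions.

```python
import re
from urllib.parse import urlparse

# w3s.link and ipfs.io are named in the advisory; dweb.link and cloudflare-ipfs.com
# are other public gateways added here as an assumption to seed a blocklist.
KNOWN_GATEWAYS = {"w3s.link", "ipfs.io", "dweb.link", "cloudflare-ipfs.com"}
# CIDv0 is "Qm" + 44 base58 chars; a base32 CIDv1 starts with "b" (e.g. "bafy...").
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")
DISK_IMAGE_EXT = (".vhd", ".vhdx", ".iso", ".img")

def classify_ipfs_url(url):
    """Return {"host", "cid", "form", "disk_image"} for an IPFS URL, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    cid, form = None, None
    parts = parsed.path.split("/")  # path form: https://<gateway>/ipfs/<cid>/<file>
    if len(parts) > 2 and parts[1] == "ipfs" and CID_RE.match(parts[2]):
        cid, form = parts[2], "path"
    labels = host.split(".")  # subdomain form: https://<cid>.ipfs.<gateway>/<file>
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        cid, form, host = labels[0], "subdomain", ".".join(labels[2:])
    if cid is None:
        if host not in KNOWN_GATEWAYS:
            return None
        form = "gateway-host"  # known gateway, but no CID in this request
    return {"host": host, "cid": cid, "form": form,
            "disk_image": parsed.path.lower().endswith(DISK_IMAGE_EXT)}

def scan_proxy_log(lines):
    """Return (client_ip, finding) pairs for lines shaped 'time client method url'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            finding = classify_ipfs_url(fields[3])
            if finding:
                hits.append((fields[1], finding))
    return hits

# Constructed sample lines; the CIDs are syntactically valid placeholders, not
# indicators from the advisory.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://w3s.link/ipfs/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/PO-0420.pdf.vhd",
    "2024-01-01T10:00:01Z 10.0.0.6 GET https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/",
    "2024-01-01T10:00:02Z 10.0.0.7 GET https://intranet.example.com/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme.txt",
    "2024-01-01T10:00:03Z 10.0.0.8 GET https://www.example.com/docs/report.pdf",
]
```

The third sample line shows why matching on the /ipfs/CID path shape matters: a self-hosted or unlisted gateway is still caught even though its host is not on the blocklist.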
https://www.securonix.com/blog/deadvax-threat-research-security-advisory/