Inside the Fake Tech Support Scam Pipeline: How Spam Emails Are Becoming the Gateway to Remote Access Trojans A sophisticated fake tech support spam campaign is deploying remote access trojans thro...

#EnterpriseSecurity #AsyncRAT #corporate #cybersecurity […]

[Original post on webpronews.com]

🚨Threat hunters uncovered DEAD#VAX, a stealth malware campaign abusing Windows features to deploy AsyncRAT. Using phishing, IPFS-hosted VHD files, obfuscated scripts, and in-memory execution, it evades detection and forensic analysis. #Malware #AsyncRAT #CyberThreats #EDR #DEADVAX

Alert: The DEAD#VAX malware campaign employs IPFS-hosted VHD phishing files to deploy AsyncRAT, evading traditional detection methods. Stay vigilant! #PotatoSecurity #MalwareAlert #AsyncRAT Link: thedailytechfeed.com/deadvax-malw...

Alert: The DEAD#VAX malware campaign employs IPFS-hosted VHD phishing files to deploy AsyncRAT, evading traditional detection methods. Stay vigilant! #CyberSecurity #MalwareAlert #AsyncRAT Link: thedailytechfeed.com/deadvax-malw...

Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong “invoice” or “purchase order” and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer. It’s a remote access tool, which means attackers gain remote hands‑on‑keyboard control, while traditional file‑based defenses see almost nothing suspicious on disk. From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks. Victims receive phishing emails that look like routine business messages, often referencing purchase orders or invoices and sometimes impersonating real companies. The email doesn’t attach a document directly. Instead, it links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways. The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD) file. When the user double‑clicks it, Windows mounts it as a new drive (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells. Inside the mounted drive is what appears to be the expected document, but it’s actually a Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF. After some checks to avoid analysis and detection, the script injects the payload—AsyncRAT shellcode—into trusted, Microsoft‑signed processes such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, or `sihost.exe`. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection and eventually at a later stage, forensics much harder. It also avoids sudden spikes in activity or memory usage that could draw attention. For an individual user, falling for this phishing email can result in: * Theft of saved and typed passwords, including for email, banking, and social media. * Exposure of confidential documents, photos, or other sensitive files taken straight from the system. * Surveillance via periodic screenshots or, where configured, webcam capture. * Use of the machine as a foothold to attack other devices on the same home or office network. ## How to stay safe Because detection can be hard, it is crucial that users apply certain checks: * Don’t open email attachments until after verifying, with a trusted source, that they are legitimate. * Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called `invoice.pdf.vhd` the user would only see `invoice.pdf`. To find out how to do this, see below. * Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory. ### Showing file extensions on Windows 10 and 11 To show file extensions in Windows 10 and 11: * Open Explorer (Windows key + E) * In Windows 10, select **View** and check the box for **File name extensions**. * In Windows 11, this is found under **View** > **Show** > **File name extensions**. Alternatively, search for **File Explorer Options** to uncheck **Hide extensions for known file types**. For older versions of Windows, refer to this article. * * * **We don’t just report on threats—we remove them** Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Open the wrong “PDF” and attackers gain remote access to your PC The DEAD#VAX campaign tricks users into installing AsyncRAT by disguising a virtual hard disk as a PDF attachment. Cybercriminal...

#News #Threat #Intel #AsyncRAT #DEAD#VAX #extensions

Origin | Interest | Match

DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files InterPlanetary Filesystem (IPFS) network read more about DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files

DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files reconbee.com/deadvax-malw...

#DEADVAXmalware #malwarecampaign #AsyncRAT #IPFS #phishing #phishingattack #cyberattack

AsyncRAT Campaign Abuses Cloudflare Services to Hide Malware Operations  Cybercriminals distributing the AsyncRAT remote access trojan are exploiting Cloudflare’s free-tier services and TryCloudflare tunneling domains to conceal malicious infrastructure behind widely trusted platforms. By hosting WebDAV servers through Cloudflare, attackers are able to mask command-and-control activity, making detection significantly more difficult for conventional security tools that often whitelist Cloudflare traffic.  The campaign typically begins with phishing emails that contain Dropbox links. These links deliver files using double extensions, such as .pdf.url, which are designed to mislead recipients into believing they are opening legitimate documents. When the files are opened, victims unknowingly download multi-stage scripts from TryCloudflare domains. At the same time, a genuine PDF document is displayed to reduce suspicion and delay user awareness of malicious activity.  A notable aspect of this operation is the attackers’ use of legitimate software sources. The malware chain includes downloading official Python distributions directly from Python.org. Once installed, a full Python environment is set up on the compromised system. This environment is then leveraged to execute advanced code injection techniques, specifically targeting the Windows explorer.exe process, allowing the malware to run stealthily within a trusted system component.  To maintain long-term access, the attackers rely on multiple persistence mechanisms. These include placing scripts such as ahke.bat and olsm.bat in Windows startup folders so they automatically execute when a user logs in. The campaign also uses WebDAV mounting to sustain communication with command-and-control servers hosted through Cloudflare tunnels.  The threat actors heavily employ so-called “living-off-the-land” techniques, abusing built-in Windows tools such as PowerShell, Windows Script Host, and other native utilities. By blending malicious behavior with legitimate system operations, the attackers further complicate detection and analysis, as their activity closely resembles normal administrative actions.  According to research cited by Trend Micro, the use of Cloudflare’s infrastructure creates a significant blind spot for many security solutions. Domains containing “trycloudflare.com” often appear trustworthy, allowing AsyncRAT payloads to be delivered without triggering immediate alerts. This abuse of reputable services highlights how attackers increasingly rely on legitimate platforms to scale operations and evade defenses.  Security researchers warn that although known malicious repositories and infrastructure may be taken down, similar campaigns are likely to reappear using new domains and delivery methods. Monitoring WebDAV connections, scrutinizing traffic involving TryCloudflare domains, and closely analyzing phishing attachments remain critical steps in identifying and mitigating AsyncRAT infections.

AsyncRAT Campaign Abuses Cloudflare Services to Hide Malware Operations #AsyncRAT #AsyncRATattack #Cloudfare

#xworm #asyncrat #purehvnc at:

https:// locale-respondent-realtor-excellent.trycloudflare\\.com

Exposed C2 dashboards for AsyncRAT and others often reuse default titles, predictable URL paths, and identical favicons; scanning httpv2 and crawler datasets helps link assets and TLS reuse. #ThreatIntel #C2 #AsyncRAT https://bit.ly/46KbOOt

Attackers trojanized ConnectWise ScreenConnect installers in exposed open directories to distribute AsyncRAT; observed IOCs include 176.65.139.119 and /Bin/ ClickOnce paths, with dual execution via .NET Assembly.Load or libPK.dll injection. #AsyncRAT #ScreenConnect #RMM https://bit.ly/3Iu93sl

Cybercriminals are exploiting ScreenConnect to deploy AsyncRAT and PowerShell RAT. Stay vigilant and ensure your software is up-to-date. #CyberSecurity #MalwareAlert #ScreenConnect #AsyncRAT Link: thedailytechfeed.com/cybercrimina...

This widely used Remote Monitoring tool is being used to deploy AsyncRAT to steal passwords | TechRadar www.techradar.com/pr...
#cybersecurity #ScreenConnect #AsyncRAT #fileless #malware

Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT Hackers exploit ConnectWise ScreenConnect to drop AsyncRAT via scripted loaders, stealing data and persisting with a fake Skype updater.

Attackers are exploiting ConnectWise ScreenConnect to drop AsyncRAT malware, giving remote control over infected systems.
#ConnectWise #ScreenConnect #AsyncRAT #Malware #CyberSecurity #RemoteAccessTrojan #Infosec securityaffairs.com/182090/malwa...

Microsoft azzera le fee sullo Store e corregge NDI su Windows; emergono campagne AsyncRAT, Akira su SonicWall e tre CVE critiche Cisco IOS XR.

#Akira #AsyncRAT #cisco #MicrosoftStore #sonicwall
www.matricedigitale.it/2025/09/11/d...

Trojanized ScreenConnect Deploys AsyncRAT to Steal Credentials

Researchers discovered a phishing campaign delivering a tampered ConnectWise ScreenConnect installer that injects a loader to deploy the AsyncRAT trojan, allowing access and credential theft. getnews.me/trojanized-screenconnect... #connectwise #asyncrat

Microsoft azzera le fee sullo Store e corregge NDI su Windows; emergono campagne AsyncRAT, Akira su SonicWall e tre CVE critiche Cisco IOS XR.

#Akira #AsyncRAT #cisco #MicrosoftStore #sonicwall
www.matricedigitale.it/2025/09/11/e...

AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto establish a remote session read more about AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto

AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto reconbee.com/asyncrat-exp...

#Asyncrat #connectwise #crypto #credentials #CyberAttack

⚠️ AsyncRAT abuses ConnectWise ScreenConnect to steal credentials & crypto

Attackers used ScreenConnect RMM to run a VBScript + PowerShell loader, delivering #AsyncRAT.
They persist via a fake “Skype Updater” task, steal browser creds, keystrokes, crypto wallet apps, then exfil data to C2 server.

New Fileless Malware Attack Uses AsyncRAT for Credential Theft Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

New investigation reveals attackers used a fileless malware chain via a compromised #ScreenConnect client to deploy AsyncRAT, enabling credential theft, keylogging, and wallet scans.

Read: hackread.com/fileless-mal...

#CyberSecurity #AsyncRAT #Malware #CyberAttack #InfoSec