Executive Summary
In early February 2026, cybersecurity researchers uncovered a sophisticated malware campaign named DEAD#VAX, which utilized phishing emails to distribute Virtual Hard Disk (VHD) files hosted on the InterPlanetary File System (IPFS). These VHD files, disguised as PDF documents, contained obfuscated scripts that, upon execution, deployed AsyncRAT—a remote access trojan—into trusted Windows processes entirely in memory, leaving minimal forensic traces on disk. This method allowed attackers to gain extensive control over compromised systems, facilitating surveillance and data exfiltration. The campaign's use of decentralized file hosting and fileless execution techniques highlights a significant evolution in malware delivery and evasion strategies. (thehackernews.com)
The DEAD#VAX campaign underscores a growing trend among cybercriminals to exploit legitimate system features and decentralized technologies to bypass traditional security measures. The reliance on IPFS for hosting malicious payloads and the employment of fileless malware execution present new challenges for detection and mitigation, emphasizing the need for advanced threat intelligence and adaptive defense mechanisms in the face of evolving cyber threats. (thehackernews.com)
Why This Matters Now
The DEAD#VAX campaign exemplifies the increasing sophistication of cyber threats, where attackers leverage decentralized technologies and fileless execution to evade detection. This trend necessitates immediate attention to enhance security protocols and develop adaptive defense strategies to counteract such advanced attack vectors.
Attack Path Analysis
The DEAD#VAX campaign began with phishing emails delivering IPFS-hosted VHD files disguised as PDFs, leading to the execution of obfuscated scripts that injected AsyncRAT into trusted Windows processes. This allowed attackers to establish command and control channels, enabling data exfiltration and potential further malicious activities.
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails containing links to VHD files hosted on the IPFS network, disguised as purchase order PDFs. When recipients opened these files, the VHDs mounted as virtual drives, presenting a Windows Script File (WSF) that users executed, initiating the infection chain.
MITRE ATT&CK® Techniques
Spearphishing Attachment
Malicious File
PowerShell
Process Injection
Obfuscated Files or Information: Software Packing
Application Layer Protocol: Web Protocols
Registry Run Keys / Startup Folder
Keylogging
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
AsyncRAT's keylogging and clipboard monitoring capabilities pose severe risks to financial transactions, credentials, and sensitive customer data through fileless execution.
Health Care / Life Sciences
Memory-resident malware bypasses traditional endpoint security, threatening HIPAA compliance through surveillance capabilities targeting patient records and healthcare systems.
Government Administration
IPFS-hosted VHD phishing targeting government entities risks classified data exfiltration through encrypted traffic and lateral movement within secure networks.
Information Technology/IT
Multi-stage PowerShell injection into trusted Windows processes creates persistent backdoors in IT infrastructure, enabling long-term compromise and data theft.
Sources
- DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Fileshttps://thehackernews.com/2026/02/deadvax-malware-campaign-deploys.htmlVerified
- DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Fileshttps://blog.netmanageit.com/dead-vax-malware-campaign-deploys-asyncrat-via-ipfs-hosted-vhd-phishing-files/Verified
- Scammers go ‘InterPlanetary’, using decentralized file system in their campaignshttps://www.kaspersky.com/about/press-releases/scammers-go-interplanetary-using-decentralized-file-system-in-their-campaignsVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to the DEAD#VAX campaign as it could likely limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial execution of malicious scripts from phishing emails, it could likely limit the subsequent unauthorized network communications initiated by the compromised host.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict identity-aware access controls, thereby reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely limit the attacker's ability to move laterally within the network by enforcing strict segmentation and monitoring east-west traffic patterns.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely limit the establishment of command and control channels by monitoring and controlling outbound communications from workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration attempts by controlling and monitoring outbound data flows from workloads.
Aviatrix Zero Trust CNSF could likely reduce the overall impact of such attacks by limiting the attacker's ability to access and exfiltrate sensitive data, thereby reducing the potential for data theft and system disruption.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Endpoint Security
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive corporate documents and communications.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalous behaviors across cloud environments.
- • Apply Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads, enhancing threat detection capabilities.
- • Enforce East-West Traffic Security to monitor and control internal network communications, reducing the risk of lateral movement by attackers.
