Fileless Malware Campaign Uses Disk Images and Memory Injection to Bypass Antivirus on Windows Systems

Aegiron 11 mins0

DEAD#VAX Campaign

The activity tracked as DEAD#VAX represents a stealthy malware delivery campaign designed to establish persistent remote access while deliberately avoiding traditional antivirus and file-based detection. The attackers rely on trusted Windows features, disk image formats, and in-memory execution techniques to keep their footprint minimal.

This campaign does not immediately deploy ransomware. Instead, it focuses on initial access, persistence, and control, strongly suggesting its use as a pre-ransomware or access-broker operation. The final payload observed during this phase is a remote access trojan (AsyncRAT), which enables attackers to surveil the environment, harvest credentials, and prepare for follow-on attacks.

The most important characteristic of this campaign is that no malicious executable needs to exist on disk for the compromise to succeed.

What Happened

Users were tricked into opening a file that appeared legitimate but was actually a Virtual Hard Disk (VHD) image. Once mounted, the disk exposed scripts that executed a multi-stage loader. This loader reconstructed and injected malware directly into memory, bypassing disk-based defenses.

After execution, the infected system established outbound communication with attacker-controlled infrastructure and granted the attackers full remote access.

How It Happened

1. Initial Access

The campaign begins with user interaction, not exploitation of a software vulnerability.

Common delivery methods include:

  • Phishing emails with attachments or links
  • Download links masquerading as documents, invoices, or security updates
  • Archives containing disk image files

The initial file is typically a .vhd or .vhdx, formats that Windows treats as legitimate storage containers. Double-clicking the file mounts it like a physical drive.

Key point:

No exploit is required. The attack abuses user trust and default OS behavior.

2. Payload Hosting via Decentralized Infrastructure

Rather than hosting malware on a traditional server, the attackers use decentralized content delivery, commonly through public IPFS gateways.

This provides several advantages:

  • Content is not tied to a single server
  • Takedowns are difficult
  • Network traffic blends with legitimate decentralized usage
  • Static domain or IP blocking is ineffective

The VHD file itself or its secondary components are retrieved through this infrastructure.

3. Execution from Mounted Disk Image

Once the VHD is mounted:

  • Windows assigns it a drive letter
  • Files appear as ordinary documents or scripts
  • Execution occurs in the user context

Scripts inside the mounted image are often named to resemble:

  • PDFs
  • Office documents
  • Installers
  • System utilities

This stage establishes the loader without dropping malware binaries onto the host filesystem.

4. Script Loader and Obfuscation

The loader is typically implemented using built-in Windows scripting engines:

  • PowerShell
  • Windows Script Host
  • HTML Application Host

The script uses extreme obfuscation, including:

  • Encoded and encrypted strings
  • Fragmented command construction
  • Dynamic invocation
  • Junk logic to confuse analysis tools

The intent of the script is not immediately visible until runtime.

5. In-Memory Payload Reconstruction

Instead of downloading a malware executable:

  • The payload is reconstructed in memory
  • Bytes are assembled dynamically
  • Executable memory is allocated
  • Code is injected directly into a legitimate process

At no point does the final payload need to exist as a file on disk.

This is the core reason the campaign bypasses traditional antivirus.

IPC and Process Injection Tradecraft

Process Injection Techniques

The loader injects code into trusted Windows processes such as:

  • explorer.exe
  • svchost.exe
  • rundll32.exe
  • msiexec.exe

Common techniques include:

  • Remote thread creation
  • APC injection
  • Section mapping
  • Reflective loading

Indicators include:

  • Memory regions with execute permissions not backed by a file
  • Network activity from processes that did not initiate connections previously

Inter-Process Communication (IPC)

The malware uses Windows IPC mechanisms for internal coordination.

Named Pipes

  • Used for command dispatch and module loading
  • Pipe names are randomized or pseudo-legitimate
  • Pipes are often short-lived

Suspicious characteristics:

  • Pipes created by user-space processes
  • High-entropy pipe names
  • Creation shortly after script execution

Asynchronous Procedure Calls (APCs)

  • Used to trigger execution within injected processes
  • Avoids spawning new processes
  • Leaves minimal telemetry

Payloads Used

Primary Payload

AsyncRAT is used as the primary remote access component.

Capabilities include:

  • Remote command execution
  • File upload and download
  • Credential harvesting
  • Process manipulation
  • Screen capture and monitoring
  • Optional persistence mechanisms

AsyncRAT is not novel, but its delivery method in this campaign is highly evasive.

Vulnerabilities Exploited

No software vulnerability is exploited.

This campaign relies on:

  • Legitimate Windows functionality
  • Default user permissions
  • Script execution capabilities
  • Trust in disk image formats

Anti-Malware and Evasion Techniques

  • Fileless execution
  • In-memory injection
  • Obfuscated scripts
  • Trusted system utilities
  • Decentralized hosting
  • Minimal forensic artifacts
  • Short-lived infrastructure

Impact Assessment

Systems Affected

  • Windows endpoints
  • User workstations
  • Environments without memory-focused EDR

Potential Impact

  • Full endpoint compromise
  • Credential theft
  • Lateral movement
  • Data exfiltration
  • Preparation for ransomware deployment

Because the payload is fileless, infections may persist undetected for long periods.

Indicators of Compromise (Behavioral)

File and Execution Indicators

  • Mounting of VHD files by standard users
  • Script execution from mounted drives
  • PowerShell launched with encoded commands
  • Execution chains starting from explorer.exe

Registry Indicators

  • Run or RunOnce keys containing encoded commands
  • Registry values with long, unreadable strings
  • Persistence pointing to script interpreters

Network Indicators

  • Outbound encrypted traffic shortly after VHD mounting
  • Persistent low-bandwidth beaconing
  • Unusual outbound connections from system processes
  • Traffic to decentralized content gateways

Memory Indicators

  • Executable memory regions without file backing
  • Legitimate processes performing unexpected network activity
  • Reflective DLL loading patterns

Threat Hunting Queries

Detect Disk Image Mounting

DeviceEvents
| where ActionType == "MountImage"
| project Timestamp, DeviceName, InitiatingProcessFileName

PowerShell with Encoded Commands

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine

Execution from Mounted Media

DeviceProcessEvents
| where FolderPath matches regex @":\\"
| where FileName in~ ("powershell.exe","wscript.exe","mshta.exe")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine

Named Pipe Anomalies

DeviceEvents
| where ActionType == "NamedPipeCreated"
| where PipeName matches regex @"\\\.\\pipe\\[A-Za-z0-9]{8,}"
| project Timestamp, DeviceName, PipeName, InitiatingProcessFileName

Memory Injection Signals

DeviceImageLoadEvents
| where ImageLoaded == ""
| project Timestamp, DeviceName, InitiatingProcessFileName

Beaconing Detection

DeviceNetworkEvents
| summarize count() by DeviceName, RemoteIP, bin(Timestamp, 1m)
| where count_ > 20

Detection Rules

Suspicious PowerShell Execution

title: Encoded PowerShell Execution from User Context
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-EncodedCommand'
  condition: selection
level: high

Disk Image Abuse

title: VHD Mount Followed by Script Execution
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith:
      - '.vhd'
      - '.vhdx'
  condition: selection
level: medium

Defensive Recommendations

  • Restrict VHD mounting to administrators
  • Disable unnecessary script interpreters
  • Enforce PowerShell Constrained Language Mode
  • Enable memory scanning in EDR
  • Monitor named pipe creation
  • Alert on script execution from mounted drives
  • Treat disk images as executable content
  • Educate users that disk images are not documents

Final Takeaway

DEAD#VAX is a low-noise, high-impact access operation. The absence of ransomware during this phase should not be interpreted as low risk. The tradecraft indicates patience, reconnaissance, and preparation.

Organizations detecting any part of this behavior should assume:

  • Credentials may already be compromised
  • Lateral movement may be underway
  • Follow-on attacks are likely

Early detection depends on behavioral, memory, and IPC monitoring, not file scanning.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.