Hackers hide remote access malware inside fraudulent purchase orders
Farah Amod
March 5, 2026
Attackers are using everyday file types and built-in Windows features to take control of computers without leaving obvious warning signs.
What happened
According to The Hacker News, security researchers have uncovered a phishing campaign called DEAD#VAX that tricks people into opening what looks like a purchase order PDF. Instead of a normal document, the attachment is a file that opens as a separate drive on a Windows computer. Once opened, it runs hidden scripts that install AsyncRAT, a remote access tool that gives attackers full control of the device. The malicious file is hosted on a decentralized file-sharing network, which makes it harder to remove. The malware then runs directly in the computer’s memory rather than saving a visible program to the hard drive, helping it avoid traditional antivirus detection.
Going deeper
The attack relies on deception and layering. The initial attachment is not a standard .exe file, which many email filters block. Instead, it uses a disk image file that Windows treats like an external drive. Inside that drive are hidden scripts that check whether the system is being analyzed by security tools. If everything looks clear, the malware loads itself into legitimate Windows processes that are already running. It hides inside trusted system programs, blending in with normal activity. Once active, the attacker can log keystrokes, capture screens, access files, monitor clipboard activity, and run remote commands. Because the malware does not install as a traditional program, it leaves fewer traces behind.
What was said
Researchers told The Hacker News, “The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk.” The researchers further noted, “Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls,” describing how multi-stage execution pipelines allow each component to appear benign when analyzed in isolation.
The big picture
Fileless malware and memory-resident attacks have become more common as threat actors look for ways to bypass traditional antivirus tools that rely on known file signatures. Research from Microsoft has tracked a steady increase in campaigns that abuse scripts, inject code into running processes, and rely on “living-off-the-land binaries,” meaning legitimate built-in Windows tools that are repurposed for malicious use instead of dropping obvious malware files. Microsoft has warned that these techniques reduce dependence on standalone executables and instead exploit trusted system features, which makes detection and forensic investigation more difficult. DEAD#VAX leaves fewer obvious warning signs for traditional security tools to catch.
FAQs
What is IPFS, and why does it matter in this campaign?
IPFS, or InterPlanetary File System, is a decentralized storage network that distributes content across multiple nodes, making takedown and traditional hosting-based blocking more difficult.
What is a Virtual Hard Disk file?
A VHD file is a disk image that mounts as a local drive when opened in Windows, allowing attackers to package scripts and payloads in a format that may bypass email filtering controls.
What is memory-resident or fileless execution?
Memory-resident execution refers to malware running directly in system memory without writing a recognizable executable file to disk, which reduces traditional forensic traces.
Why is AsyncRAT considered dangerous?
AsyncRAT provides attackers with remote control capabilities, including surveillance, data theft, command execution, and persistence across reboots.
How can organizations detect this type of activity?
Defenders can monitor abnormal script execution, suspicious process injection behavior, unusual mounting of disk image files, and anomalous PowerShell activity rather than relying only on static file signatures.
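To make the detection advice above concrete, here is an added example that is not code from the article or from the researchers it cites: a small behavioural triage pass over constructed Windows telemetry. It scores the four behaviours the FAQ lists (a script interpreter run against a file on a mounted disk image, encoded or hidden-window PowerShell, a script block that decodes and loads code in memory, and a thread created by a script host inside a trusted Windows process) and raises an alert per host once the combined weight crosses a threshold. Event shapes follow Sysmon (EventID 1 process creation, EventID 8 CreateRemoteThread) and PowerShell script block logging (EventID 4104); every log record below is constructed for this example, the rule names and weights are this example's own, and it assumes the system drive is C: so that a script on another drive letter is unusual enough to score.

```python
"""Behavioural triage over constructed Sysmon / PowerShell events (added example)."""
import base64
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SYSTEM_DRIVE = "C:"  # assumption for this example: users only have a C: drive

# A script file on a drive letter other than the system drive (e.g. a mounted VHD)
# passed to an interpreter on the command line.
MOUNTED_SCRIPT_RE = re.compile(
    r'(?<![A-Za-z])([A-Z]):\\\S*?\.(?:vbs|vbe|js|jse|ps1|bat|cmd|hta)\b', re.I)
# -EncodedCommand and its common short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
HIDDEN_RE = re.compile(r'-w(?:indowstyle)?\s+hidden', re.I)
# Markers of "decode something and run/load it in memory" in PowerShell.
IN_MEMORY_MARKERS = ("FromBase64String", "Reflection.Assembly", "Invoke-Expression", "IEX")

# Weight per rule (chosen for this example); a host at or above ALERT_THRESHOLD is alerted.
WEIGHTS = {
    "script_from_mounted_volume": 3,
    "encoded_powershell": 2,
    "hidden_window": 1,
    "in_memory_load": 3,
    "injection_from_script_host": 5,
}
ALERT_THRESHOLD = 5


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate_event(ev):
    """Return the list of rule names a single event triggers."""
    fired = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon process creation
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        m = MOUNTED_SCRIPT_RE.search(cmd)
        if image in SCRIPT_HOSTS and m and m.group(1).upper() + ":" != SYSTEM_DRIVE:
            fired.append("script_from_mounted_volume")
        if image in ("powershell.exe", "pwsh.exe"):
            if HIDDEN_RE.search(cmd):
                fired.append("hidden_window")
            enc = ENCODED_RE.search(cmd)
            if enc:
                fired.append("encoded_powershell")
                decoded = decode_encoded_command(enc.group(1)) or ""
                if any(mk in decoded for mk in IN_MEMORY_MARKERS):
                    fired.append("in_memory_load")
    elif eid == 4104:  # PowerShell script block logging
        if any(mk in ev.get("ScriptBlockText", "") for mk in IN_MEMORY_MARKERS):
            fired.append("in_memory_load")
    elif eid == 8:  # Sysmon CreateRemoteThread: script host -> process under C:\Windows
        src = basename(ev.get("SourceImage", ""))
        tgt = ev.get("TargetImage", "").lower()
        if src in SCRIPT_HOSTS and tgt.startswith("c:\\windows\\"):
            fired.append("injection_from_script_host")
    return fired


def triage(events):
    """Aggregate rule hits per host: {host: {"score", "rules", "alert"}}."""
    hosts = defaultdict(lambda: {"score": 0, "rules": []})
    for ev in events:
        entry = hosts[ev.get("Computer", "unknown")]
        for rule in evaluate_event(ev):
            entry["score"] += WEIGHTS[rule]
            entry["rules"].append(rule)
    for entry in hosts.values():
        entry["alert"] = entry["score"] >= ALERT_THRESHOLD
    return dict(hosts)


# ---- constructed sample telemetry (not real logs) ----
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# A stage that decodes and loads an assembly in memory, encoded the way -EncodedCommand expects.
ENCODED_STAGE2 = base64.b64encode(
    "[Reflection.Assembly]::Load([Convert]::FromBase64String($p))".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},                                  # benign
    {"Computer": "WS01", "EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "E:\\Purchase_Order.pdf.vbs"'},              # script on mounted image
    {"Computer": "WS01", "EventID": 1, "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_STAGE2}"},   # hidden + encoded
    {"Computer": "WS01", "EventID": 8, "SourceImage": PS,
     "TargetImage": "C:\\Windows\\explorer.exe"},                              # thread into trusted process
    {"Computer": "WS02", "EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\Scripts\\inventory.ps1"},
    {"Computer": "WS02", "EventID": 4104,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},       # benign admin script
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Scoring per host rather than per event is the point: each of these events can look routine on its own, which is exactly the "benign in isolation" property the researchers describe, but a script launched from a non-system drive, followed on the same host by hidden encoded PowerShell and a remote thread into a Windows process, is a chain worth paging on. The weights and threshold are illustrative and would be tuned against an environment's own baseline (for instance, shops where removable drives are common would lower the mounted-volume weight).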