Caminho
Caminho is a .NET-based malware loader/downloader assessed as a Brazilian-origin Loader-as-a-Service (LaaS) operation. Reporting describes it as active since at least March 2025, with a notable evolution in early June 2025 to use Least Significant Bit (LSB) steganography to conceal a .NET payload inside image files hosted on legitimate platforms such as archive.org. The loader has been observed in multi-stage, fileless infection chains that commonly begin with spear-phishing emails carrying RAR/ZIP archives containing obfuscated JavaScript or VBScript, and in some campaigns malicious SVG or OLE document lures. These scripts retrieve heavily obfuscated PowerShell from paste-style services, download a steganographic image, extract the hidden .NET assembly in memory, and execute Caminho without writing the loader to disk.
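How the LSB stage described above can be recovered for triage, as an added example that is not Caminho's code or any vendor's tooling. The "image" is a flat RGB byte buffer constructed in memory (not a real PNG, so the script runs offline without an image library), and the embedding convention (one payload bit in the least significant bit of each channel byte, most significant bit first) is an assumption: the reporting does not document Caminho's exact bit layout, so on a real sample an analyst would try the common variants (bit order, channel order, row-major versus column-major). The PE and CLR checks (MZ header, e_lfanew pointing at PE\0\0, the BSJB metadata-root signature, the mscoree entry-point names) are standard file-format facts, not something taken from the loader.

```python
"""Added example: recover an LSB-embedded payload from raw RGB pixel bytes and
check whether it is a PE file carrying .NET (CLR) metadata.
Not Caminho's code. The bit layout (one bit per channel byte, MSB first) and
the constructed image are assumptions for illustration."""


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write payload bits into the LSB of successive bytes. Used here only to
    construct a test image; Caminho's real embedding routine is not reproduced."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the image")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes, max_bytes: int = 0) -> bytes:
    """Read the LSB of each byte and pack them MSB-first into bytes.
    With max_bytes == 0 the whole plane is read: no length prefix is documented
    for this loader, so an analyst scans the full output for a PE header."""
    out = bytearray()
    acc = nbits = 0
    for b in pixels:
        acc = (acc << 1) | (b & 1)
        nbits += 1
        if nbits == 8:
            out.append(acc)
            acc = nbits = 0
            if max_bytes and len(out) >= max_bytes:
                break
    return bytes(out)


def find_pe(blob: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature, else -1."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[off + 0x3C:off + 0x40], "little")
            pe = off + e_lfanew
            if e_lfanew >= 0x40 and blob[pe:pe + 4] == b"PE\0\0":
                return off
        off = blob.find(b"MZ", off + 1)
    return -1


def looks_dotnet(blob: bytes) -> bool:
    """Cheap heuristic for a managed assembly: the CLR metadata root signature
    'BSJB' or the mscoree entry-point import names. Confirm with a real PE parser."""
    return b"BSJB" in blob or b"_CorExeMain" in blob or b"_CorDllMain" in blob


def build_fake_pe() -> bytes:
    """Constructed stand-in for a .NET payload: DOS header, PE signature, CLR markers."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> PE signature
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + b"BSJB" + b"_CorExeMain\0"


FAKE_PAYLOAD = build_fake_pe()
# Constructed 32x32 RGB "image": deterministic noise so the run is reproducible.
CLEAN_PIXELS = bytes((i * 37 + 11) & 0xFF for i in range(32 * 32 * 3))
STEGO_PIXELS = embed_lsb(CLEAN_PIXELS, FAKE_PAYLOAD)


def triage(pixels: bytes) -> dict:
    """Extract the LSB plane and report whether it hides a (managed) PE."""
    blob = extract_lsb(pixels)
    off = find_pe(blob)
    return {"pe_offset": off, "dotnet": off != -1 and looks_dotnet(blob[off:])}


if __name__ == "__main__":
    print("clean:", triage(CLEAN_PIXELS))   # {'pe_offset': -1, 'dotnet': False}
    print("stego:", triage(STEGO_PIXELS))   # {'pe_offset': 0, 'dotnet': True}
```

On a real sample, feed `triage()` the decoded pixel bytes of the downloaded image (for example the raw RGB array from an image library), and if the first pass finds nothing, repeat with the other bit and channel orders before concluding the image is clean.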
Caminho is designed to retrieve an operator-supplied final-payload URL, decode it (the reporting describes a combination of string reversal and Base64 decoding), and then download and execute the payload in memory. It commonly injects the final malware into legitimate Windows processes such as calc.exe or calc64.exe, or, in one reported campaign, MSBuild.exe. Reported anti-analysis features include VM detection (VMware, VirtualBox, Hyper-V), sandbox detection (including Cuckoo, ANY.RUN, and Joe Sandbox), and debugger/tool detection (including OllyDbg, x64dbg, WinDbg, IDA, and Wireshark). It also checks the payload's architecture before executing it. Persistence has been observed via Windows Scheduled Tasks: the chain writes panters.js to C:\Users\Public\Downloads\ and registers tasks named "amandes" or "amandines" that rerun it on a repeating schedule and/or at startup.
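Two analyst-side helpers for the stage described above, as an added example that is not Caminho's code or any vendor's detection content. `decode_payload_url()` undoes the reversal-plus-Base64 wrapping of the operator-supplied URL without assuming which of the two operations the loader applies first, since the reporting does not say; `hunt_caminho_artifacts()` runs simple rules for the reported persistence and injection artifacts (the task names, the panters.js staging path, and a script host spawning one of the injection targets) over constructed, Sysmon-like events. The sample URL, the schedule arguments in the sample command line, and the list of script-host parents are assumptions made for the example.

```python
"""Added example (not Caminho's code): decode the wrapped payload URL and hunt
for the reported persistence/injection artifacts in process and file events.
Sample URL, sample events and the parent-process list are constructed assumptions."""
import base64
import re
from typing import Optional


def decode_payload_url(blob: str) -> Optional[str]:
    """Try both orderings: Base64-decode the reversed text, and reverse the
    Base64-decoded bytes. Return the first candidate that is an ASCII http(s) URL."""
    blob = blob.strip()
    candidates = []
    for attempt in (lambda s: base64.b64decode(s[::-1], validate=True),
                    lambda s: base64.b64decode(s, validate=True)[::-1]):
        try:
            candidates.append(attempt(blob))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    for raw in candidates:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


# Constructed samples: the same URL wrapped both ways.
SAMPLE_URL = "https://example.invalid/stage3.bin"
REV_OF_B64 = base64.b64encode(SAMPLE_URL.encode()).decode()[::-1]
B64_OF_REV = base64.b64encode(SAMPLE_URL[::-1].encode()).decode()

TASK_NAMES = {"amandes", "amandines"}                      # reported task names
STAGED_SCRIPT = r"\users\public\downloads\panters.js"      # reported staging path
INJECTION_HOSTS = {"calc.exe", "calc64.exe", "msbuild.exe"}  # reported hosts
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}  # assumption
_TN = re.compile(r'(?i)/tn\s+"?([^"\s]+)')


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_caminho_artifacts(events):
    """Return (rule, event_index, detail) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        cmd = ev.get("cmdline", "")
        image = _base(ev.get("image", ""))
        is_proc = ev.get("type") == "process"
        # Rule 1: schtasks registering one of the reported task names.
        if is_proc and image == "schtasks.exe":
            m = _TN.search(cmd)
            if m and m.group(1).lower() in TASK_NAMES:
                hits.append(("scheduled_task_name", idx, m.group(1)))
        # Rule 2: the staged script path, in a file event or on a command line.
        haystack = (ev.get("path", "") + " " + cmd).replace("/", "\\").lower()
        if STAGED_SCRIPT in haystack:
            hits.append(("staged_script_path", idx, ev.get("path") or cmd))
        # Rule 3: a script host launching one of the reported injection targets.
        if is_proc and image in INJECTION_HOSTS and _base(ev.get("parent", "")) in SCRIPT_PARENTS:
            hits.append(("injection_host_from_script", idx, ev["image"]))
    return hits


# Constructed, Sysmon-like telemetry; only the task name, path and host names come from reporting.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /sc minute /mo 2 /tn amandes /tr "wscript C:\Users\Public\Downloads\panters.js"'},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe", "path": r"C:\Users\Public\Downloads\panters.js"},
    {"type": "process", "image": r"C:\Windows\System32\calc.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "calc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    print(decode_payload_url(REV_OF_B64), decode_payload_url(B64_OF_REV))
    for hit in hunt_caminho_artifacts(SAMPLE_EVENTS):
        print(hit)
```

Rule 3 is the noisiest of the three on real telemetry (PowerShell legitimately launching MSBuild.exe is common in build environments), so treat it as a pivot rather than an alert on its own and corroborate with the task name, the staging path, or the archive.org and paste-style fetches from the earlier stage.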
Observed payloads delivered by Caminho include Remcos RAT, XWorm, Katz Stealer, PureLogs, and DCRat, indicating a modular loader used by multiple downstream customers rather than a single campaign. One documented BlindEagle campaign targeting Colombian government agencies under the Ministry of Commerce, Industry and Tourism used Caminho in a phishing chain that abused a compromised internal email account, fraudulent judicial-themed lures, Internet Archive-hosted steganographic images, and Discord CDN delivery to fetch DCRat. Reporting also cites targeting across Brazil, South Africa, Ukraine, Poland, and manufacturing and government organizations in Italy, Finland, and Saudi Arabia.
Attribution in the reporting links Caminho with high confidence to Brazilian Portuguese-speaking operators based on pervasive Portuguese-language code artifacts, including internal argument names such as "caminho," and activity patterns aligned with Brazilian business hours. A distinctive namespace artifact, "HackForums.gigajew," is also reported in samples. Notable indicators mentioned in the reporting include stage-1 JavaScript SHA-256 42761793d309a0e10b664de61fb25f8d915c65a86b4c5b6229c73d3992519fd5, stage-2 script SHA-256 134c29f52884adc5a3050e5c820229e060308e7377c7125805a6bfccd0859361, steganographic image SHA-256 89959ad7b1ac18bbd1e850f05ab0b5fce164596bce0f1f8aafb70ebd1bbcf900, archive.org and paste.ee delivery URLs, Discord-hosted AGT27.txt used in one DCRat chain, and a Remcos RAT payload SHA-256 003cd08d0e4e3e53b5c2dd7e0ea292059f88f827d0cb025adf478d1f8e005fbd with C2 domain cestfinidns.vip (66.63.187.166).
Recent activity
Summaries from the 6 sources tracked across advisories, community write-ups, and news:
Commodity loader used to distribute a variety of malware, leveraging steganography and multiple infection vectors.
Downloader malware used to fetch and execute additional payloads, specifically DCRat, as part of a multi-stage attack chain. Caminho is notable for its Portuguese-language artifacts and for being delivered via fileless, in-memory PowerShell execution.
Loader malware used to deliver DCRat in phishing campaigns targeting Colombian government agencies.
Downloader malware that retrieves additional payloads from remote sources, in this case from Discord CDN, and decodes them in memory for further execution.