
Dead#Vax

Dead#Vax is a sophisticated, multistage malware campaign that abuses legitimate Windows features and fileless execution mechanisms. Reported delivery involves phishing emails impersonating legitimate businesses that contain links to virtual hard disk (VHD) files hosted on IPFS. When a victim opens the VHD, the execution chain triggers Windows Script Files, obfuscated self-parsing batch scripts, and PowerShell loaders. Securonix analysts reported that the chain supports encrypted data siphoning and conceals critical strings and execution logic. The intrusion ultimately deploys AsyncRAT, which is used for credential and data exfiltration, surveillance, and enabling follow-on intrusions.


MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1566.001 Spearphishing Attachment (evidence: 1)

“Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery and Self-Parsing Batch Scripts to Deploy In-Memory Shellcode”

T1566.002 Spearphishing Link (evidence: 1)

Malicious emails purporting to be from legitimate businesses have been used to send links to virtual hard disk files on the InterPlanetary File System

Execution

3 techniques

T1059.001 PowerShell (evidence: 1)

...and PowerShell loaders for encrypted data siphoning and critical string and execution logic concealment...

T1059.003 Windows Command Shell (evidence: 2)

“...Self-Parsing Batch Scripts to Deploy In-Memory Shellcode”

T1059.005 Visual Basic (evidence: 1)

...opening of the VHD triggering Windows Script Files...

Privilege Escalation

1 technique

T1055 Process Injection (evidence: 1)

“...deploy In-Memory Shellcode” (from the Dead#Vax analysis item)

Stealth

4 techniques

T1027 Obfuscated Files or Information (evidence: 1)

...obfuscated batch scripts... PowerShell loaders for encrypted data siphoning and critical string and execution logic concealment...

T1055 Process Injection (evidence: 1)

“...deploy In-Memory Shellcode” (from the Dead#Vax analysis item)

T1497 Virtualization/Sandbox Evasion (evidence: 1)

...send links to virtual hard disk files... with the opening of the VHD triggering Windows Script Files...

T1620 Reflective Code Loading (evidence: 1)

“...Deploy In-Memory Shellcode”

Defense Impairment

1 technique

T1553.005 Mark-of-the-Web Bypass (evidence: 1)

“Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery and Self-Parsing Batch Scripts to Deploy In-Memory Shellcode”

Discovery

1 technique

T1497 Virtualization/Sandbox Evasion (evidence: 1)

...send links to virtual hard disk files... with the opening of the VHD triggering Windows Script Files...

Command and Control

1 technique

T1105 Ingress Tool Transfer (evidence: 1)

...send links to virtual hard disk files on the InterPlanetary File System...

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (evidence: 1)

...PowerShell loaders for encrypted data siphoning... concludes with the distribution of the AsyncRAT malware for credential and data exfiltration...

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.