A sophisticated malware operation has emerged from Brazil, leveraging advanced steganographic techniques to conceal malicious payloads within seemingly harmless image files.

The Caminho loader, active since at least March 2025, represents a growing threat to organizations across South America, Africa, and Eastern Europe, delivering diverse malware families including REMCOS RAT, XWorm, and Katz Stealer through an intricate multi-stage infection chain.

The campaign begins with carefully crafted spear-phishing emails containing compressed archives that house JavaScript or VBScript files.

These initial scripts use business-themed social engineering lures such as fake invoices and quotation requests to trick recipients into executing the malicious code.

Upon execution, the script retrieves an obfuscated PowerShell payload from Pastebin-style services, which then downloads steganographic images from archive.org, a legitimate non-profit digital archive platform.

The use of trusted platforms allows the malware to evade traditional security controls that rely on domain reputation and blocklists.

Arctic Wolf analysts identified the loader’s most notable innovation in its use of Least Significant Bit (LSB) steganography to extract concealed .NET assemblies from image files.

The PowerShell script searches for a specific BMP header signature within downloaded JPG or PNG files, then iterates through every pixel to extract RGB color channel values that encode the hidden binary data.

The first four bytes specify the payload length, followed by the Base64-encoded malicious assembly.

Analysis of 71 Caminho loader samples reveals consistent Portuguese-language code throughout, with variable names like “caminho” (path), “persitencia” (persistence), and “minutos” (minutes), strongly indicating Brazilian origins.

The extracted loader operates entirely in memory, implementing extensive anti-analysis checks including virtual machine detection, sandbox environment identification, and debugging tool recognition.

The malware validates payload architecture before injecting the final payload into legitimate Windows processes such as calc.exe, establishing persistence through scheduled tasks that re-execute the infection chain every minute.

This fileless execution approach defeats traditional file-based detection mechanisms and leaves minimal forensic artifacts on compromised systems.

Loader-as-a-Service Business Model

The operational patterns observed across multiple campaigns strongly suggest Caminho functions as a Loader-as-a-Service operation rather than a single threat actor’s tool.

The standardized invocation interface accepts arbitrary payload URLs as arguments, enabling multiple customers to deploy different malware families using the same delivery infrastructure.

Infrastructure analysis reveals the reuse of identical steganographic images across campaigns with varying final payloads, confirming the modular service architecture.

The diverse payload delivery includes REMCOS RAT deployed via bulletproof hosting command-and-control infrastructure on AS214943 Railnet LLC, XWorm delivered from malicious domains, and Katz Stealer credential-harvesting malware.

Confirmed victims span Brazil, South Africa, Ukraine, and Poland, with geographic expansion coinciding with the adoption of steganographic techniques in June 2025.

The campaign demonstrates operational maturity through continuous infrastructure rotation, obfuscation updates, and the abuse of legitimate services for malicious hosting.

Code snippet demonstrating the LSB extraction technique:-

$plectonephric = [Drawing.Bitmap]::FromStream($biological);
$muffin = New-Object Collections.Generic.List[Byte];
for ($tazias = 0; $tazias -lt $plectonephric.Height; $tazias++) {
    for ($lidger = 0; $lidger -lt $plectonephric.Width; $lidger++) {
        $elayle = $plectonephric.GetPixel($lidger, $tazias);
        $muffin. Add($elayle.R);
        $muffin. Add($elayle.G);
        $muffin. Add($elayle.B)
    }
};

Organizations should implement layered security controls including blocking JavaScript and VBScript files within archive attachments, deploying email sandboxing that executes scripts and follows network connections, monitoring PowerShell with encoded commands, and enabling memory scanning capabilities to detect in-memory payloads.

The extensive use of legitimate platforms like archive.org presents unique challenges for traditional perimeter defenses, as blanket blocking may impact legitimate business operations while selective URL blocking proves ineffective against the operators’ demonstrated infrastructure rotation capabilities.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Caminho Malware Loader Uses LSB Steganography and to Hide .NET Payloads Within Image Files appeared first on Cyber Security News.

A sophisticated malware campaign targeting WordPress sites has emerged, utilizing PHP variable functions and cookie-based obfuscation to evade traditional security detection mechanisms.

The attack represents an evolution in obfuscation techniques, where threat actors fragment malicious code across multiple HTTP cookies and dynamically reconstruct executable functions at runtime.

This approach makes static analysis significantly more challenging, as the malicious intent remains hidden until all cookie components are assembled and executed.

The malware has been detected over 30,000 times in September 2025 alone, demonstrating its widespread deployment and continued effectiveness against vulnerable websites.

The attack vector primarily targets PHP-based web applications, particularly WordPress installations, by injecting backdoor scripts that accept commands through specially crafted cookies.

Unlike traditional malware that embeds complete malicious payloads within files, this campaign distributes function names and encoded parameters across numbered cookie indices.

Once deployed, the malware waits for specific cookie configurations before activating, requiring attackers to send precisely structured requests containing all necessary components.

This conditional execution serves dual purposes: evading automated security scans that may trigger the script without proper cookies, and preventing unauthorized access by other malicious actors who discover the backdoor.

Wordfence researchers identified multiple variants of this malware family during routine incident response operations, adding samples to their threat intelligence database containing over 4.4 million unique malicious signatures.

The detection came through analysis of compromised sites where conventional signature-based scanning initially struggled to flag the heavily obfuscated code.

Analysis revealed that while individual variants differ in implementation details, they share core characteristics including dense obfuscation, excessive array lookups, and deliberate cookie validation checks that act as authentication mechanisms for attackers.

Technical Implementation and Code Execution Chain

The malware operates through a multi-stage execution chain that leverages PHP’s variable function capability, where appending parentheses to any variable causes PHP to execute a function matching the variable’s string value.

In examined samples, the script begins by storing the $_COOKIE superglobal into a local variable and validating that exactly 11 cookies are present, with one containing the specific string “array11”.

The malware then concatenates cookie values to reconstruct function names, such as combining cookies containing “base64_” and “decode” to form the complete base64_decode function name.

The execution chain demonstrates sophisticated layering:-

$locale[79] = $locale[79] . $locale[94];
$locale[23] = $locale[79]($locale[23]);

This reconstructs base64_decode, then decodes another cookie containing “Y3JlYXRlX2Z1bmN0aW9u” to produce “create_function”. The malware subsequently uses create_function with attacker-controlled parameters to generate arbitrary executable code.

Later variants employ string replacement techniques, transforming obfuscated strings like “basx649fxcofx” into “base64_decode” by replacing characters ‘x’, ‘f’, and ‘9’ with ‘e’, ‘d’, and ‘_’ respectively.

This multi-layered approach defeats pattern-matching detection while maintaining full remote code execution capabilities through serialized payloads delivered via cookie parameters.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Malware Attack Using Variable Functions and Cookies to Evade and Hide Their Malicious Scripts appeared first on Cyber Security News.

An international ecosystem of sophisticated scam operations has emerged, targeting vulnerable populations through impersonation tactics and fraudulent financial aid promises.

The campaign, dubbed “Vulnerability Vultures,” primarily focuses on older adults who represent lucrative targets for threat actors.

According to the FBI’s Internet Crime Complaint Center, the 60-plus age group filed the highest number of complaints in 2024, with losses totaling $4.8 billion, nearly double the next highest category.

Federal Trade Commission data further reveals that adults 70 years or older experience significantly higher median dollar losses compared to younger demographics.

The scammers leverage major social media platforms as initial contact points, subsequently redirecting victims to fraudulent websites or private messaging channels where they harvest financial details and sensitive personal information.

These operations demonstrate geographic diversity, with evidence suggesting operators based in Nigeria, South Asia, and the United States.

The threat actors deliberately target individuals susceptible to offers of physical or financial benefits, including both older adults and previous scam victims who may be seeking restitution.

Graphika analysts identified that the cross-platform structure of these scam operations enables scalability, anonymity, and effective evasion of platform moderation measures.

The threat actors deploy inauthentic personas and manipulated media to impersonate trusted figures, institutions, and brands such as the FBI and established news organizations.

By incorporating AI-generated audio, cloned websites, and repurposed authentic content, the scammers create convincing simulations of legitimacy and authority that deceive even cautious victims.

Attack Methodology and Social Engineering Tactics

The operations follow a consistent three-stage attack pattern: building trust through authoritative impersonation, ushering victims to off-platform communication channels, and extracting personal or financial data through registration forms for non-existent relief programs.

These schemes operate at high volume, deploying identical short-lived advertisements, AI automation, paid promotion, and disposable accounts that maintain operational persistence despite ongoing enforcement efforts from platform providers and law enforcement agencies.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Tricks Target Users Via Impersonation and Fictional Financial Aid Offers appeared first on Cyber Security News.