Arctic Wolf Labs has uncovered a sophisticated Loader-as-a-Service (LaaS) operation dubbed “Caminho” — a Brazilian-origin malware loader that conceals malicious .NET payloads inside image files using Least Significant Bit (LSB) steganography, a technique more commonly found in espionage campaigns than in financially motivated cybercrime.
According to Arctic Wolf, “Caminho, a Brazilian-origin Loader-as-a-Service operation, employs Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms.”
The campaign has been active since March 2025, with significant evolution observed in June 2025, when its operators began embedding payloads within image files hosted on archive.org, a legitimate and trusted non-profit hosting service.
Arctic Wolf explains, “The campaign has delivered a variety of malware and infostealers such as REMCOS RAT, XWorm and Katz Stealer to victims within multiple industries across South America, Africa, and Eastern Europe.”
The company attributes the operation to Portuguese-speaking Brazilian cybercriminals, citing “extensive Portuguese-language code throughout all samples” and “targeting patterns focused on South American regions.”
The Caminho Loader infection chain starts with spear-phishing emails that deliver JavaScript or VBScript files compressed in RAR or ZIP archives. Once opened, these scripts fetch PowerShell payloads from pastebin-style services, which in turn download seemingly harmless images from archive.org.
Arctic Wolf notes, “Upon execution, the initial script retrieves an obfuscated PowerShell payload from pastebin-style services that downloads steganographic images from archive.org, a legitimate non-profit digital internet archive.”
These images contain concealed .NET payloads that the PowerShell script extracts using LSB steganography. The extracted payload — the Caminho Loader itself — is loaded directly into memory, bypassing disk-based antivirus detection.
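As an added defender-side example (not code from the Arctic Wolf report or the loader itself), the check below reads the least significant bit of every colour-channel byte in an image, reassembles that bit stream into bytes, and flags the image when the stream begins with a Windows PE header, which a concealed .NET payload would carry. It takes raw pixel bytes so it runs without an imaging library; the PE-like header and the carrier buffer in the fixture are constructed for the demonstration.

```python
import struct

def lsb_bytes(pixel_bytes: bytes, max_bytes: int = 4096) -> bytes:
    """Reassemble bytes from the least significant bit of each channel byte (MSB first)."""
    out = bytearray()
    bit_buf = 0
    n_bits = 0
    for b in pixel_bytes:
        bit_buf = (bit_buf << 1) | (b & 1)
        n_bits += 1
        if n_bits == 8:
            out.append(bit_buf)
            bit_buf = n_bits = 0
            if len(out) >= max_bytes:
                break
    return bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_image(pixel_bytes: bytes) -> bool:
    """Flag an image whose LSB plane decodes to a PE file (e.g. a hidden .NET payload)."""
    return looks_like_pe(lsb_bytes(pixel_bytes))

# Constructed test fixture: a minimal DOS stub plus PE signature spread over the
# LSBs of an otherwise flat 0x80 "pixel" buffer. Real payloads are far larger;
# the check only needs the header. Bits are stored MSB first to match lsb_bytes.
def _hide_for_test(payload: bytes, carrier_len: int) -> bytes:
    carrier = bytearray(b"\x80" * carrier_len)
    for i, byte in enumerate(payload):
        for bit in range(8):
            carrier[i * 8 + bit] = 0x80 | ((byte >> (7 - bit)) & 1)
    return bytes(carrier)

FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_STEGO = _hide_for_test(FAKE_PE, 2048)   # constructed stego image bytes
SAMPLE_CLEAN = bytes(range(256)) * 8           # constructed benign pixel bytes

if __name__ == "__main__":
    print("stego sample flagged:", scan_image(SAMPLE_STEGO))  # True
    print("clean sample flagged:", scan_image(SAMPLE_CLEAN))  # False
```

With Pillow installed, feed it `Image.open(path).convert("RGB").tobytes()`; a positive hit warrants carving the decoded bytes for full PE parsing rather than trusting the image's benign appearance.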
“The loader retrieves and injects the final malware into the calc.exe address space without writing files to disk,” Arctic Wolf reports. Persistence is established through scheduled tasks that re-execute the infection chain.
The report describes Caminho as “a .NET-based second-stage loader” designed to retrieve and execute arbitrary payloads in memory, while evading forensic recovery. It employs “extensive anti-analysis checks including virtual machine (VM) and sandbox detection and debugging tool identification.”
The loader’s code reveals unmistakable traces of its origin — variable names and comments written in Portuguese, such as “persitencia” (persistence) and “minutos” (minutes). This linguistic evidence, combined with operational timing aligned with Brazilian business hours, reinforces Arctic Wolf’s attribution.
Unlike typical single-group campaigns, Caminho operates as a commercial service, renting its loader infrastructure to other threat actors. The report states, “The standardized invocation interface accepts arbitrary payload URLs as arguments, allowing multiple customers to deploy different malware families using the same delivery infrastructure.”
This model enables rapid distribution of different payloads — such as REMCOS RAT, XWorm, and Katz Stealer — across diverse campaigns using the same steganographic images and hosting infrastructure.
Arctic Wolf’s researchers confirm, “Reuse of identical steganographic images across campaigns with different final payloads confirms the modular service architecture.”
The threat actors extensively abuse legitimate web services such as archive.org, paste.ee, and pastefy.app to host and stage their payloads. Because these services are widely trusted, defenders face a dilemma — blocking them may disrupt legitimate operations.
“The extensive use of the non-profit website Internet Archive represents an operational choice,” Arctic Wolf explains. “The service’s legitimate reputation allows malicious files to evade domain-based blocking and reputation systems.”
The abuse of such reputable domains demonstrates the growing trend of “malware-as-a-service ecosystems” blending into legitimate internet infrastructure.
Caminho’s confirmed victims span Brazil, South Africa, Ukraine, and Poland, reflecting a campaign that started regionally but expanded globally.
Arctic Wolf notes that “geographic expansion from South America to multi-continent operations coincides with the adoption of steganographic delivery mechanisms in June 2025, suggesting operational maturity and possible customer base growth.”
While early campaigns focused on Brazilian business targets, later activity displayed opportunistic targeting across multiple industries — from small businesses to manufacturing and logistics firms.