{“lastseen”:”2026-02-05T14:05:09″,”description”:”Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong \u201cinvoice\u201d or \u201cpurchase order\u201d and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer.\\n\\nIt’s a remote access tool, which means attackers gain remote hands\u2011on\u2011keyboard control, while traditional file\u2011based defenses see almost nothing suspicious on disk.\\n\\nFrom a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks.\\n\\nVictims receive phishing emails that look like routine business messages, often referencing purchase orders or invoices and sometimes impersonating real companies. The email doesn’t attach a document directly. Instead, it links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways.\\n\\nThe linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD) file. When the user double\u2011clicks it, Windows mounts it as a new drive (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells.\\n\\nInside the mounted drive is what appears to be the expected document, but it’s actually a Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF.\\n\\nAfter some checks to avoid analysis and detection, the script injects the payload\u2014AsyncRAT shellcode\u2014into trusted, Microsoft\u2011signed processes such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, or `sihost.exe`. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection and eventually at a later stage, forensics much harder. It also avoids sudden spikes in activity or memory usage that could draw attention.\\n\\nFor an individual user, falling for this phishing email can result in:\\n\\n * Theft of saved and typed passwords, including for email, banking, and social media.\\n * Exposure of confidential documents, photos, or other sensitive files taken straight from the system.\\n * Surveillance via periodic screenshots or, where configured, webcam capture.\\n * Use of the machine as a foothold to attack other devices on the same home or office network.\\n\\n\\n\\n## How to stay safe\\n\\nBecause detection can be hard, it is crucial that users apply certain checks:\\n\\n * Don\u2019t open email attachments until after verifying, with a trusted source, that they are legitimate.\\n * Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called `invoice.pdf.vhd` the user would only see `invoice.pdf`. To find out how to do this, see below.\\n * Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory.\\n\\n\\n\\n### Showing file extensions on Windows 10 and 11\\n\\nTo show file extensions in Windows 10 and 11:\\n\\n * Open Explorer (Windows key + E)\\n * In Windows 10, select **View** and check the box for **File name extensions**. \\n * In Windows 11, this is found under **View** \\u003e **Show** \\u003e **File name extensions**. \\n\\n\\n\\nAlternatively, search for **File Explorer Options** to uncheck **Hide extensions for known file types**.\\n\\nFor older versions of Windows, refer to this article.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-02-05T13:48:40″,”modified”:”2026-02-05T13:48:40″,”type”:”malwarebytes”,”title”:”Open the wrong \u201cPDF\u201d and attackers gain remote access to your PC”,”source”:””,”references”:””,”id”:”MALWAREBYTES:E72D27253EC51A0A107E8CE8AAA4EE99″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/open-the-wrong-pdf-and-attackers-gain-remote-access-to-your-pc”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-05T14:05:09″,”description”:”Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-39221","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n