
Caminho Loader is a new Loader-as-a-Service threat that blends steganography, fileless execution, and cloud abuse to quietly deliver malware across several regions.
First seen in March 2025 and believed to originate from Brazil, this service hides its .NET loader inside harmless-looking image files hosted on trusted platforms; the final payload is fetched separately by that loader.
Once triggered, it can deploy a wide range of remote access trojans and infostealers, including REMCOS RAT, XWorm, Katz Stealer, and AsyncRAT, to compromise infected systems.
The operation focuses on organizations in South America, Africa, and Eastern Europe, with confirmed victims in Brazil, South Africa, Ukraine, and Poland.
Attackers rely on convincing phishing emails that use business themes such as invoices, quotations, and shipping notices to lure users into opening attached archive files.
Inside these RAR or ZIP archives, obfuscated JavaScript or VBScript files act as the initial execution point, silently starting the multi-stage infection chain when launched by the victim.
ANY.RUN analysts identified Caminho Loader while examining suspicious submissions in their interactive sandbox, where they observed consistent use of steganography, in-memory execution, and a flexible delivery model.
Their research shows that all analyzed samples share Portuguese strings and the distinctive “HackForums.gigajew” namespace, reinforcing the Brazilian connection.
The impact of this loader is significant because it does not depend on a single malware family. Instead, criminal customers rent the delivery infrastructure and plug in their own .NET payloads via standardized parameters.
This modular approach allows multiple campaigns to share the same steganographic images and scripts while delivering completely different trojans to end targets.
For defenders, that means one loader infrastructure can support credential theft, espionage, or remote access, depending on who is behind a given campaign.
How Caminho Loader’s Steganographic Infection Chain Works
The infection chain behind Caminho Loader uses legitimate services at almost every step, making it hard to filter without harming normal business traffic.
After a victim runs the malicious JavaScript or VBScript from a phishing archive, the script contacts Pastebin-like services such as paste.ee or pastefy.app to download heavily obfuscated PowerShell code.
This PowerShell stage then reaches out to high-reputation platforms like archive.org to retrieve image files that appear benign to both users and security tools.
Inside these images, Caminho hides Base64-encoded .NET loader code using Least Significant Bit (LSB) steganography, a method that overwrites the lowest-order bit of pixel values. Each pixel changes by at most one intensity level, so the picture looks identical to a human and still decodes as a valid image.
The PowerShell script scans the downloaded image, extracts the hidden data, reconstructs the .NET assembly directly in memory, and invokes it with arguments that include the final payload URL.
Because the loader assembly is never written to disk, traditional file-based antivirus often never sees the malicious component at all. What does remain visible is the PowerShell stage that carves and loads it, so PowerShell script block logging and AMSI inspection of the decoded assembly are the defender's best vantage points on this step.
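The extraction step described above, as an added example that is not ANY.RUN's code and not Caminho's actual loader: a minimal LSB steganography embed/extract pair over a synthetic 8-bit grayscale pixel buffer, showing how a Base64-encoded assembly survives inside pixel data and how an analyst can pull it back out. The framing (a 32-bit big-endian length prefix, MSB-first bit order, one bit per pixel) and the constructed cover image and stand-in PE bytes are my own assumptions; a real sample's framing must be read from its PowerShell stage.

```python
# Added example (not ANY.RUN's code and not Caminho's actual loader): a minimal
# LSB steganography embed/extract pair over a synthetic 8-bit grayscale pixel
# buffer. The framing (32-bit big-endian length prefix, MSB-first bit order,
# one bit per pixel) is an assumption, as are the cover image and fake PE.
import base64
import struct

HEADER_BYTES = 4  # assumed framing: payload length as big-endian uint32

# Constructed stand-in for a .NET PE: starts with the "MZ" DOS header bytes.
FAKE_ASSEMBLY = b"MZ" + bytes(range(60))

# Constructed cover "image": 4096 grayscale pixels with a repeating gradient.
COVER = bytearray((i * 37) & 0xFF for i in range(4096))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels, payload: bytes) -> bytearray:
    """Overwrite the lowest bit of successive pixels with a length-prefixed payload."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit  # only the LSB changes
    return out


def _read_bytes(pixels, count: int, offset: int) -> bytes:
    """Reassemble count bytes from the LSBs of pixels starting at offset."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(pixels) -> bytes:
    """Read the length prefix, then the payload bytes that follow it."""
    length = struct.unpack(">I", _read_bytes(pixels, HEADER_BYTES, 0))[0]
    return _read_bytes(pixels, length, HEADER_BYTES * 8)


def hide_assembly(pixels, assembly: bytes) -> bytearray:
    """Attacker side: Base64-encode the assembly (as the article describes) and embed it."""
    return embed_lsb(pixels, base64.b64encode(assembly))


def recover_assembly(pixels) -> bytes:
    """Analyst side: extract the Base64 text and decode it back to raw bytes."""
    return base64.b64decode(extract_lsb(pixels))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check that what came out is a PE (and so possibly a .NET assembly)."""
    return blob[:2] == b"MZ"


def max_pixel_delta(a, b) -> int:
    """Worst-case per-pixel difference between cover and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = hide_assembly(COVER, FAKE_ASSEMBLY)
    recovered = recover_assembly(stego)
    print("recovered PE header:", looks_like_pe(recovered))
    print("max per-pixel change:", max_pixel_delta(COVER, stego))
```

To run the extractor against a real downloaded image, decode it to a flat pixel sequence first (with Pillow, `list(Image.open(path).convert("L").getdata())` yields a list that `extract_lsb` accepts); with RGB samples the attacker usually walks channels in a fixed order, so try each channel separately before assuming the framing differs.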
Once running in memory, the Caminho Loader connects to attacker-controlled infrastructure to download and execute the chosen payload, such as REMCOS or AsyncRAT, which then handles lateral movement, credential theft, and long-term access.
In one observed case, the loader injected AsyncRAT into AddInProcess32, a legitimate .NET Framework helper process, so the implant blends into normal-looking system activity.
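A hunting heuristic for the chain described in this section, added here as my own example rather than ANY.RUN's detection logic. It encodes two checks over process and network telemetry: a script host spawning PowerShell that then talks to both a paste service and archive.org, and AddInProcess32.exe initiating an outbound connection, which in most environments it has no reason to do. The events are constructed, and the field names are assumptions to be mapped onto your EDR schema.

```python
# Added example (my own hunting heuristic, not ANY.RUN's detection logic).
# Constructed telemetry; field names are assumptions for your EDR schema.
from collections import defaultdict

PASTE_HOSTS = {"paste.ee", "pastefy.app"}
IMAGE_HOSTS = {"archive.org"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
QUIET_HOSTS = {"addinprocess32.exe"}  # assumption: should not beacon

# Constructed sample telemetry: one row per process start (dest None) and one
# row per outbound connection with the destination host filled in.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",       "dest": None},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",        "dest": None},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",     "dest": None},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",     "dest": "paste.ee"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",     "dest": "archive.org"},
    {"pid": 400, "ppid": 300, "image": "AddInProcess32.exe", "dest": None},
    {"pid": 400, "ppid": 300, "image": "AddInProcess32.exe", "dest": "203.0.113.7"},
    # benign admin session: PowerShell from the desktop, fetching a module
    {"pid": 500, "ppid": 100, "image": "powershell.exe",     "dest": "www.powershellgallery.com"},
]


def hunt(events):
    """Return (rule, pid) findings for the two Caminho-style patterns."""
    image_of = {}
    parent_of = {}
    dests = defaultdict(set)
    for e in events:
        image_of[e["pid"]] = e["image"].lower()
        parent_of[e["pid"]] = e["ppid"]
        if e["dest"]:
            dests[e["pid"]].add(e["dest"].lower())

    findings = []
    for pid, image in image_of.items():
        # Rule 1: script host -> PowerShell -> paste service AND archive.org.
        if image == "powershell.exe":
            parent = image_of.get(parent_of[pid], "")
            d = dests[pid]
            if parent in SCRIPT_HOSTS and d & PASTE_HOSTS and d & IMAGE_HOSTS:
                findings.append(("caminho_chain", pid))
        # Rule 2: a normally network-silent .NET helper opening a connection.
        if image in QUIET_HOSTS and dests[pid]:
            findings.append(("addinprocess32_network", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 deliberately requires both destination classes on the same PowerShell process; PowerShell fetching from archive.org alone is common enough in backup and tooling scripts that alerting on it would drown the signal. Rule 2 is a baseline check, so confirm in your own telemetry that AddInProcess32.exe is indeed network-silent before turning it into an alert.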
ANY.RUN’s sandbox views of these stages give defenders a rare, end-to-end window into a threat that otherwise aims to leave minimal forensic traces.
