New Caminho Malware Loader Uses LSB Steganography to Hide .NET Payloads Within Image Files


A sophisticated malware operation has emerged from Brazil, leveraging advanced steganographic techniques to conceal malicious payloads within seemingly harmless image files.

The Caminho loader, active since at least March 2025, represents a growing threat to organizations across South America, Africa, and Eastern Europe, delivering diverse malware families including REMCOS RAT, XWorm, and Katz Stealer through an intricate multi-stage infection chain.

The campaign begins with carefully crafted spear-phishing emails containing compressed archives that house JavaScript or VBScript files.

These initial scripts use business-themed social engineering lures such as fake invoices and quotation requests to trick recipients into executing the malicious code.

Upon execution, the script retrieves an obfuscated PowerShell payload from Pastebin-style services, which then downloads steganographic images from archive.org, a legitimate non-profit digital archive platform.

The use of trusted platforms allows the malware to evade traditional security controls that rely on domain reputation and blocklists.


Arctic Wolf analysts identified the loader’s most notable innovation in its use of Least Significant Bit (LSB) steganography to extract concealed .NET assemblies from image files.

The PowerShell script searches for a specific BMP header signature within downloaded JPG or PNG files, then iterates through every pixel to extract RGB color channel values that encode the hidden binary data.

The first four bytes specify the payload length, followed by the Base64-encoded malicious assembly.

Analysis of 71 Caminho loader samples reveals consistent Portuguese-language code throughout, with variable names like “caminho” (path), “persitencia” (persistence), and “minutos” (minutes), strongly indicating Brazilian origins.

The extracted loader operates entirely in memory, implementing extensive anti-analysis checks including virtual machine detection, sandbox environment identification, and debugging tool recognition.

Phishing attack using steganography (Source – Arctic Wolf)

The malware validates payload architecture before injecting the final payload into legitimate Windows processes such as calc.exe, establishing persistence through scheduled tasks that re-execute the infection chain every minute.

This fileless execution approach defeats traditional file-based detection mechanisms and leaves minimal forensic artifacts on compromised systems.

Loader-as-a-Service Business Model

The operational patterns observed across multiple campaigns strongly suggest Caminho functions as a Loader-as-a-Service operation rather than a single threat actor’s tool.

The standardized invocation interface accepts arbitrary payload URLs as arguments, enabling multiple customers to deploy different malware families using the same delivery infrastructure.

Infrastructure analysis reveals the reuse of identical steganographic images across campaigns with varying final payloads, confirming the modular service architecture.

The diverse payload delivery includes REMCOS RAT deployed via bulletproof hosting command-and-control infrastructure on AS214943 Railnet LLC, XWorm delivered from malicious domains, and Katz Stealer credential-harvesting malware.

Confirmed victims span Brazil, South Africa, Ukraine, and Poland, with geographic expansion coinciding with the adoption of steganographic techniques in June 2025.

The campaign demonstrates operational maturity through continuous infrastructure rotation, obfuscation updates, and the abuse of legitimate services for malicious hosting.

The following PowerShell snippet from the loader demonstrates the LSB extraction technique:

# $biological holds the downloaded image as a stream (obfuscated variable names as in the sample)
$plectonephric = [Drawing.Bitmap]::FromStream($biological);
$muffin = New-Object Collections.Generic.List[Byte];
# Walk every pixel row by row and append its R, G and B channel values to the byte list
for ($tazias = 0; $tazias -lt $plectonephric.Height; $tazias++) {
    for ($lidger = 0; $lidger -lt $plectonephric.Width; $lidger++) {
        $elayle = $plectonephric.GetPixel($lidger, $tazias);
        $muffin.Add($elayle.R);
        $muffin.Add($elayle.G);
        $muffin.Add($elayle.B)
    }
};
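As an added defender-side example (not code from the article or from Arctic Wolf's report), the Python triage script below checks a downloaded image for the layout described above: an embedded BMP located by its header signature, pixel channel bytes read R,G,B per pixel starting at the top row as the loader's GetPixel loop does, a 4-byte payload length, then the Base64 blob. The little-endian byte order of the length field and the BITMAPINFOHEADER check are assumptions; build_sample() produces a constructed carrier with a benign text blob, not a real sample.

```python
import base64, binascii, struct
JPEG_MAGIC, PNG_MAGIC = b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n"

def find_bmp(data: bytes) -> int:  # offset of an embedded BMP with a BITMAPINFOHEADER, else -1
    i = data.find(b"BM")
    while i != -1 and i + 54 <= len(data):           # "BM", zeroed reserved field, DIB header size 40
        if data[i + 6:i + 10] == b"\0\0\0\0" and struct.unpack_from("<I", data, i + 14)[0] == 40:
            return i
        i = data.find(b"BM", i + 1)
    return -1

def channel_stream(bmp: bytes) -> bytes:
    # Pixel bytes in the order the loader's GetPixel loop reads them: top row first, R,G,B per pixel.
    off = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _, bpp = struct.unpack_from("<iiHH", bmp, 18)
    assert bpp == 24, "this triage script only handles uncompressed 24-bit BMPs"
    stride = (width * 3 + 3) & ~3                    # rows are padded to 4 bytes in the file
    rows = range(height - 1, -1, -1) if height > 0 else range(-height)  # positive height: stored bottom-up
    out = bytearray()
    for r in rows:
        row = bmp[off + r * stride: off + r * stride + width * 3]
        out += b"".join(bytes((row[i + 2], row[i + 1], row[i])) for i in range(0, len(row), 3))  # BGR -> RGB
    return bytes(out)

def scan_image(data: bytes) -> dict:
    # Triage a downloaded image for the 4-byte-length + Base64 blob the article describes.
    fmt = "jpeg" if data.startswith(JPEG_MAGIC) else "png" if data.startswith(PNG_MAGIC) else "other"
    at = find_bmp(data)
    res = {"outer_format": fmt, "embedded_bmp_at": None if at < 0 else at, "payload": None, "looks_like_pe": False}
    if at < 0:
        return res
    chan = channel_stream(data[at:])
    n = struct.unpack_from("<I", chan, 0)[0] if len(chan) >= 4 else 0  # assumption: little-endian length
    try:
        res["payload"] = base64.b64decode(chan[4:4 + n], validate=True) if 0 < n <= len(chan) - 4 else None
        res["looks_like_pe"] = bool(res["payload"]) and res["payload"][:2] == b"MZ"
    except binascii.Error:                           # length field present but not a Base64 blob
        pass
    return res

def build_sample() -> bytes:
    # Constructed carrier (not a real sample): JPEG magic + stub, then a 16-px-wide BMP carrying a benign "MZ" text blob.
    b64 = base64.b64encode(b"MZ-constructed benign sample, not a real PE")
    blob = struct.pack("<I", len(b64)) + b64
    h = -(-len(blob) // 48)                           # 16 px * 3 channels = 48 bytes per row
    rows = [blob.ljust(48 * h, b"\0")[y * 48:(y + 1) * 48] for y in range(h)]
    pix = b"".join(bytes((r[i + 2], r[i + 1], r[i])) for r in reversed(rows) for i in range(0, 48, 3))
    hdr = b"BM" + struct.pack("<IHHI", 54 + len(pix), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, 16, h, 1, 24, 0, len(pix), 0, 0, 0, 0)
    return JPEG_MAGIC + b"\0" * 32 + hdr + dib + pix
```

A hit on a file fetched from a public hosting service, combined with the PowerShell encoded-command telemetry the article recommends monitoring, is the point at which to pull the image for full analysis.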

Organizations should implement layered security controls including blocking JavaScript and VBScript files within archive attachments, deploying email sandboxing that executes scripts and follows network connections, monitoring PowerShell with encoded commands, and enabling memory scanning capabilities to detect in-memory payloads.

The extensive use of legitimate platforms like archive.org presents unique challenges for traditional perimeter defenses, as blanket blocking may impact legitimate business operations while selective URL blocking proves ineffective against the operators’ demonstrated infrastructure rotation capabilities.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.