
New "Caminho" Loader Hides Malicious .NET Payloads Inside Image Files

A new Loader-as-a-Service platform dubbed "Caminho" (Portuguese for "path") is actively using a stealthy technique, Least Significant Bit (LSB) steganography, to hide malicious .NET payloads inside harmless-looking image files.

The Stealth of Steganography 

Observed by Arctic Wolf Labs starting in March 2025, Caminho's primary evasion technique is LSB steganography. This method conceals binary data in the lowest bit of each color-channel value in an image, such as a JPG or PNG, so the file still renders normally and appears benign to signature-based security tools.

The attack begins with business-themed spear-phishing emails. The first stage deploys obfuscated JavaScript or VBScript, which fetches a PowerShell script. That script then downloads the steganographic image from legitimate platforms such as Archive.org, a tactic designed to blend malicious traffic with benign activity.

Fileless Execution and Global Reach 

The PowerShell script extracts the embedded .NET loader from the image and loads it directly into memory, never writing it to disk. The loader then injects itself into a legitimate Windows process, such as calc.exe, achieving a "fileless" execution model that severely limits forensic traceability. The operation maintains persistence across reboots through scheduled tasks with names like "amandes."

While the numerous Portuguese-language artifacts and initial targeting suggest a Brazilian origin, the operation quickly expanded into a multi-regional service. Victims have been identified across South America, Africa, and Eastern Europe, including in Brazil, South Africa, Ukraine, and Poland.

Modular Loader as a Service 

Caminho operates as a true Loader-as-a-Service, built on a modular delivery chain. After the loader executes, it fetches the final-stage malware from URLs passed to it as arguments. Payloads observed in the wild include the commercial REMCOS RAT, XWorm, and the credential stealer Katz Stealer. By reusing the same steganographic images and C2 infrastructure, the operators can deliver multiple malware families at scale.

This operation presents a complex challenge for defense teams because:

  • Steganographic images evade traditional signature-based detection.
  • Fileless execution hinders disk-based forensics.
  • The use of legitimate hosting services, such as Archive.org and paste.ee, reduces network red flags.

As the Caminho campaign expands its geographic scope and payload support, organizations, particularly in the targeted regions, should assume exposure and proactively validate the integrity of image files and the download origins of scripts.
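One way to act on that recommendation is to triage downloaded images for LSB-hidden data. The following is an added example written for this article, not code from Arctic Wolf or from the campaign: it rebuilds the stream of least significant bits from a raw 8-bit sample buffer and flags PE markers or long runs of printable text (a base64-encoded payload) that natural image noise would not produce. The pixel buffer, the stand-in payload, and the `embed_lsb` fixture are all constructed for the demonstration; with a real file you would feed it the decoded pixel bytes from an image library.

```python
import base64
import random
from typing import Dict

# Markers to look for in the recovered LSB stream; "TVqQ" opens a base64-encoded MZ header.
PE_MARKERS = (b"MZ\x90\x00", b"TVqQ", b"This program cannot be run in DOS mode")

def extract_lsb_stream(samples: bytes) -> bytes:
    """Pack the least significant bit of each 8-bit sample into bytes, MSB first."""
    out = bytearray()
    for i in range(0, len(samples) - 7, 8):
        value = 0
        for sample in samples[i:i + 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)

def printable_ratio(chunk: bytes) -> float:
    return sum(32 <= b < 127 for b in chunk) / len(chunk) if chunk else 0.0

def lsb_findings(samples: bytes, window: int = 64, threshold: float = 0.9) -> Dict[str, object]:
    """Triage a raw sample buffer (e.g. interleaved RGB bytes) for LSB-hidden data."""
    stream = extract_lsb_stream(samples)
    markers = [m for m in PE_MARKERS if m in stream]
    # LSB noise of a real photo is roughly 37% printable ASCII; a window that is
    # almost entirely printable is embedded text, e.g. a base64-encoded payload.
    text_windows = [i for i in range(0, len(stream) - window + 1, window)
                    if printable_ratio(stream[i:i + window]) >= threshold]
    return {"markers": markers, "text_windows": text_windows,
            "suspicious": bool(markers or text_windows)}

def embed_lsb(samples: bytes, payload: bytes) -> bytes:
    """Test fixture only: write payload bits into the LSBs of a constructed sample buffer."""
    buf = bytearray(samples)
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    assert len(bits) <= len(buf), "fixture buffer too small for payload"
    for i, bit in enumerate(bits):
        buf[i] = (buf[i] & 0xFE) | bit
    return bytes(buf)

def demo() -> Dict[str, Dict[str, object]]:
    rng = random.Random(20250301)  # deterministic, constructed "image" noise
    clean = bytes(rng.getrandbits(8) for _ in range(3000))
    # Constructed stand-in for an embedded .NET PE, not a real Caminho sample.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
    return {"clean": lsb_findings(clean),
            "raw": lsb_findings(embed_lsb(clean, fake_pe)),
            "base64": lsb_findings(embed_lsb(clean, base64.b64encode(fake_pe)))}
```

The marker check catches a raw PE written into the bits, while the printable-window check catches the base64-text variant even when no known marker is present.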
