The Invisible Threat: Caminho Loader Hides Malware in Image Pixels
Midway through this year, specialists at Arctic Wolf uncovered a sprawling malicious campaign that spread across South America, Africa, and Eastern Europe. At its core lay a tool of Brazilian origin known as Caminho — a universal malware loader distributed under a service-rental model. Since its emergence the loader has evolved considerably; in June it acquired the ability to conceal malicious code within images using LSB steganography, enabling it to evade conventional defenses and to scale its operations.
Initially, victims received archives containing JavaScript or VBScript files masquerading as routine business correspondence. When executed, these scripts fetched PowerShell code from third-party paste services such as paste.ee. Those PowerShell scripts in turn downloaded images from repositories like archive.org. At first glance the files appeared to be ordinary JPG or PNG pictures — often depicting cosmic scenes — yet their pixels concealed encrypted executable components.
Using a specific byte signature, the PowerShell loaders located an embedded BMP segment within the graphic, extracted an encrypted .NET library, and loaded it directly into memory. That in-memory component constituted the Caminho loader itself — able to fetch and execute any payload without ever writing files to disk. The entire chain unfolds in volatile memory, thereby eluding most antivirus products. A Windows Scheduled Task ensured persistence by calling back to the same URLs that delivered the original code.
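The extraction step described above, as an added defensive example that is not the loader's own code: it rebuilds the least-significant-bit plane of an 8-bit RGB sample buffer and scans both the raw bytes and that plane for a BMP file header, validating the 14-byte header fields so a chance "BM" does not fire. The page does not give Caminho's actual byte signature, so the standard BMP magic is assumed, as is the usual convention of packing hidden bytes MSB-first into consecutive sample LSBs; the pixel buffer and the hidden BMP are constructed test data.

```python
import struct
from typing import Optional

BMP_MAGIC = b"BM"
BMP_FILE_HEADER_LEN = 14
# Constructed stand-in for a hidden BMP: valid 14-byte file header (size 58,
# pixel data at 54), a 40-byte DIB header and 4 bytes of "pixels".
CONSTRUCTED_BMP = BMP_MAGIC + struct.pack("<IHHI", 58, 0, 0, 54) + struct.pack("<I", 40) + bytes(40)

def lsb_stream(samples: bytes) -> bytes:
    """Rebuild bytes from the least-significant bit of each 8-bit sample, MSB first."""
    out = bytearray()
    for i in range(0, len(samples) - len(samples) % 8, 8):
        value = 0
        for s in samples[i:i + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)

def find_bmp_header(data: bytes) -> int:
    """Offset of a plausible BMP file header in data, or -1 if there is none."""
    pos = data.find(BMP_MAGIC)
    while pos != -1:
        if len(data) >= pos + BMP_FILE_HEADER_LEN:
            size, _r1, _r2, pix_off = struct.unpack_from("<IHHI", data, pos + 2)
            # pixel data must lie after the file header plus a DIB header, and the
            # declared size must fit in what remains; a random "BM" rarely passes both
            if BMP_FILE_HEADER_LEN + 12 <= pix_off < size <= len(data) - pos:
                return pos
        pos = data.find(BMP_MAGIC, pos + 1)
    return -1

def scan_samples(samples: bytes) -> dict:
    """Check the raw sample bytes and their LSB plane for a BMP header."""
    return {"raw_offset": find_bmp_header(samples),
            "lsb_offset": find_bmp_header(lsb_stream(samples))}

def constructed_sample(hidden: Optional[bytes] = None) -> bytes:
    """Constructed 64x64 RGB gradient (every LSB is 0); when hidden is given, its
    bits are written into the leading sample LSBs the way an LSB stego tool would."""
    samples = bytearray((x * 4) & 0xFF for x in range(64 * 64 * 3))
    if hidden:
        bits = [(b >> (7 - k)) & 1 for b in hidden for k in range(8)]
        for i, bit in enumerate(bits):
            samples[i] = (samples[i] & 0xFE) | bit
    return bytes(samples)

if __name__ == "__main__":
    for label, hidden in (("clean", None), ("stego", bytes(16) + CONSTRUCTED_BMP)):
        print(label, scan_samples(constructed_sample(hidden)))
```

On a real file, feed the decoded pixel bytes (for example from an image library) rather than the compressed container, since the LSB plane only exists after decoding.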
Analysis of more than seventy distinct Caminho samples revealed a consistent architecture and telling artifacts: variables and comments in Portuguese and references to HackForums. Each sample embeds checks for virtual machines, sandboxes, and debuggers, complicating forensic analysis further.
The loader was conceived as a generic delivery platform: any URL pointing to a final malicious binary can be slotted into its workflow. This modularity indicates a Loader-as-a-Service (LaaS) model — the operators provide delivery infrastructure and a runtime shell, while customers supply their own payloads.
Within this campaign, a variety of malware families were delivered, including the REMCOS RAT, the XWorm spyware, and the Katz stealer. These payloads appeared across multiple countries — Brazil, Poland, Ukraine, and South Africa among them. Notably, identical images embedding the loader recur across disparate attacks, reinforcing the view of Caminho as a service platform.
The project’s infrastructure was built for resilience and scale. Alongside legitimate hosts such as archive.org and catbox.moe, the operators leveraged domains tied to bulletproof hosting — for example, those associated with entities like Railnet LLC, which has documented links to cybercriminal groups in the CIS. Paste-bin platforms stored intermediary scripts, simplifying campaign updates and complicating detection.
Although most attacks initially targeted Brazilian users, the operation’s geography expanded rapidly to encompass several continents. Lures ranged from fake invoices to business-style solicitations, frequently composed in Portuguese — a sign of carefully tailored social engineering aimed at office workers and corporate environments.
The absence of attacks specifically targeting critical infrastructure and the broad variety of delivered payloads suggest a commercially driven operation: its purpose is not strategic espionage but systematic profit — harvesting credentials, enabling remote control of infected hosts, and monetizing them within illicit schemes.