New Brazilian Malware Caminho Loader Employs Steganography in Global Campaign Deploying Remcos RAT, XWorm, Katz Stealer
Published
- Advanced evasion: A new malware loader uses LSB steganography to conceal malicious .NET payloads within image files hosted on legitimate platforms.
- Brazilian origin: A Brazilian threat actor is believed to be behind it due to extensive Portuguese-language artifacts in the code and initial targeting patterns.
- Diverse payloads: The campaign operates as a LaaS, delivering multiple malware families, including REMCOS RAT, XWorm, and Katz Stealer, to victims worldwide.
A sophisticated malware operation originating from Brazil, named the Caminho Loader malware campaign, has been identified targeting organizations across South America, Africa, and Eastern Europe. Active since at least March 2025, the campaign leverages a multi-stage infection chain that begins with spear-phishing emails containing business-themed lures.Â
Steganography and Fileless Execution Techniques
This Loader-as-a-Service (LaaS) model demonstrates a significant evolution in evasion techniques, employing Least Significant Bit (LSB) steganography to hide its malicious components in plain sight and deliver a variety of dangerous payloads.
The infection process starts when a user opens a JavaScript or VBScript file from a compressed email attachment, according to the latest Arctic Wolf report. A fake invoice is one of the most common formats used for phishing.
This script retrieves an obfuscated PowerShell payload from a pastebin service, which then downloads a seemingly harmless image from a legitimate hosting service like archive.org. The PowerShell script extracts the hidden Caminho .NET loader from the image's pixel data.Â
This loader is then executed directly in memory, a fileless technique that avoids writing to the disk. The loader proceeds to download and inject the final payload, such as REMCOS RAT, into a legitimate process like calc.exe.
Global Cybersecurity Threats and LaaS Model
The Caminho Loader's architecture strongly indicates a LaaS business model, where the operators sell access to their sophisticated delivery infrastructure to other cybercriminals. This is evidenced by the standardized loader being used to deliver multiple, distinct malware families to different targets.Â
The Brazilian malware campaign expanded its geographic reach in June 2025, coinciding with its adoption of steganography, which points to a maturing operation.Â
These advanced cybersecurity threats highlight the increasing use of legitimate services and advanced evasion tactics to bypass traditional security controls, making detection and mitigation more challenging for security teams.
In August, TechNadu reported on a sustained TAG-144 (Blind Eagle) campaign targeting South American governments via legitimate platforms and steganography to deploy AsyncRAT, DcRAT, Remcos RAT, XWorm, and LimeRAT.
In February, the UAC-0173 cybercriminal group targeted Ukrainian notaries with DcRAT and XWorm.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular