Caminho Loader, a novel Loader-as-a-Service (LaaS) operation, is leveraging a sophisticated blend of steganography, fileless execution, and cloud service abuse to covertly distribute malware across multiple continents. First observed in March 2025 and believed to originate from Brazil, the service embeds .NET payloads within seemingly innocuous image files hosted on trusted online platforms. The primary targets of Caminho Loader campaigns are organizations located in South America, Africa, and Eastern Europe, with confirmed victims identified in Brazil, South Africa, Ukraine, and Poland.
The attack methodology begins with highly convincing phishing emails. These emails often adopt legitimate business themes, such as invoices, quotations, or shipping notifications, to deceive recipients into opening attached archive files. Upon initial execution, typically triggered by opening an obfuscated JavaScript or VBScript file contained within these archives, Caminho Loader initiates a multi-stage infection chain designed to evade detection and operate discreetly. This service’s modular nature allows for the delivery of various malicious payloads, including popular remote access trojans (RATs) and infostealers like REMCOS RAT, XWorm, Katz Stealer, and AsyncRAT.
How Caminho Loader’s Steganographic Infection Chain Works
The infection chain employed by Caminho Loader is meticulously designed to blend with legitimate network activity, making it exceptionally challenging for traditional security measures to identify. This reliance on legitimate services at nearly every stage of the operation is a key factor in its effectiveness.
Following the initial execution of the malicious script from a phishing archive, Caminho Loader communicates with Pastebin-like services, such as paste.ee or pastefy.app. From these platforms, it downloads heavily obfuscated PowerShell code. This PowerShell stage then proceeds to access high-reputation cloud platforms, including archive.org, to retrieve image files that appear benign to both end-users and automated security tools.
The core of the steganographic technique lies within these image files. Caminho Loader embeds Base64-encoded .NET loader code using the Least Significant Bit (LSB) steganography method. LSB steganography works by subtly altering the least significant bits of pixel values within an image. These changes are imperceptible to the human eye, ensuring the image’s visual integrity remains intact while hiding the embedded data.
The PowerShell script then proceeds to scan the downloaded image file. It extracts the hidden data, reconstructs the .NET assembly directly in the system’s memory, and executes it. Crucially, this process bypasses traditional file-based antivirus solutions because the malicious executable is never written to the disk. The arguments passed to the loader typically include the URL for the final payload.
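The defensive check implied by this description, as an added example that is not code from the article or from ANY.RUN: pull the LSB plane out of an image's pixel data and look for a long Base64 run that decodes to a DOS/PE "MZ" header, which is what an embedded .NET assembly would look like. It assumes the decoded image is available as a flat sequence of 8-bit channel values and that bits are packed MSB-first; the cover image and the PE-shaped payload are constructed test data, not taken from a real sample.

```python
import base64
import random
import re
from typing import List, Optional, Sequence

def lsb_plane(channels: Sequence[int]) -> bytes:
    """Collect the LSB of every channel value (flat RGB bytes in scan order)
    into bytes, MSB-first within each byte (an assumed packing order)."""
    out = bytearray()
    for i in range(0, len(channels) - 7, 8):
        byte = 0
        for v in channels[i:i + 8]:
            byte = (byte << 1) | (v & 1)
        out.append(byte)
    return bytes(out)

# A clean image's LSB plane is close to random, so 64+ consecutive bytes from
# the Base64 alphabet are a strong sign that something was written there.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}")

def find_hidden_pe(channels: Sequence[int]) -> Optional[bytes]:
    """Return decoded bytes if the LSB plane carries a long Base64 run that
    decodes to a DOS/PE 'MZ' header (as a .NET assembly would), else None."""
    for m in _B64_RUN.finditer(lsb_plane(channels)):
        run = m.group(0)
        run = run[: len(run) // 4 * 4]      # decode whole 4-char groups only
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if decoded.startswith(b"MZ"):
            return decoded
    return None

# Constructed test data, not a real executable: a PE-shaped blob, Base64-encoded
# and written into the LSBs of a pseudo-random cover as the loader's images do.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00" + b"constructed stand-in"

def constructed_cover(n: int = 1400, seed: int = 1234) -> List[int]:
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]

def constructed_stego_image() -> List[int]:
    cover = constructed_cover()
    bits = [(b >> (7 - k)) & 1 for b in base64.b64encode(SAMPLE_PAYLOAD) for k in range(8)]
    for i, bit in enumerate(bits):
        cover[i] = (cover[i] & 0xFE) | bit   # overwrite only the lowest bit
    return cover
```

A real extractor may use a different bit, channel, or pixel order, so a miss is not proof that an image is clean; treat a hit as a strong signal and send the file for full analysis.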
Once the Caminho Loader is operational in memory, it establishes a connection with attacker-controlled infrastructure. From this remote server, it downloads and executes the final chosen payload. This payload could be a RAT, an infostealer, or other malware designed for activities such as lateral movement within a network, credential theft, or establishing persistent long-term access. In one observed instance, AsyncRAT was injected into the legitimate AddInProcess32 process, further aiding its stealth by mimicking normal system operations.
Analysis by ANY.RUN researchers, drawing on suspicious submissions to the company’s interactive sandbox, provided crucial insight into Caminho Loader’s modus operandi. Their research highlighted the consistent use of steganography, in-memory execution, and a flexible delivery model across multiple samples. Furthermore, the presence of Portuguese strings and the distinctive “HackForums.gigajew” namespace in all analyzed samples strongly reinforces the attribution to Brazilian threat actors.
The significant impact of Caminho Loader stems from its service-oriented model. Instead of relying on a single, pre-defined malware, criminal customers can rent the delivery infrastructure provided by the service and integrate their own custom .NET payloads through standardized configuration parameters. This modularity allows for multiple, distinct campaigns to utilize the same steganographic images and initial scripts while delivering entirely different forms of malware to unsuspecting end targets. Consequently, a single loader infrastructure can effectively support campaigns focused on credential theft, espionage, or remote system control, depending on the specific goals of the threat actor operating it.
The ongoing evolution and adaptability of threats like Caminho Loader underscore the importance of multi-layered security strategies. As attackers continue to exploit cloud services and advanced evasion techniques such as steganography and fileless execution, organizations must remain vigilant. Future efforts by threat actors utilizing this service will likely focus on refining their phishing techniques and exploring new avenues for payload delivery, necessitating continuous adaptation of defensive measures by cybersecurity professionals.