Open the wrong “PDF” and attackers gain remote access to your PC

Brownie2019 (thread author)
Mar 9, 2019
Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong “invoice” or “purchase order” and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer.

It’s a remote access tool, which means attackers gain remote hands‑on‑keyboard control, while traditional file‑based defenses see almost nothing suspicious on disk.
From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks.
Victims receive phishing emails that look like routine business messages, often referencing purchase orders or invoices and sometimes impersonating real companies. The email doesn’t attach a document directly. Instead, it links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways.

The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD) file. When the user double‑clicks it, Windows mounts it as a new drive (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells.

Inside the mounted drive is what appears to be the expected document, but it’s actually a Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF.

After some checks to avoid analysis and detection, the script injects the payload—AsyncRAT shellcode—into trusted, Microsoft‑signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, or sihost.exe. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection, and at a later stage forensics, much harder. It also avoids sudden spikes in activity or memory usage that could draw attention.

For an individual user, falling for this phishing email can result in:
Theft of saved and typed passwords, including for email, banking, and social media.
Exposure of confidential documents, photos, or other sensitive files taken straight from the system.
Surveillance via periodic screenshots or, where configured, webcam capture.
Use of the machine as a foothold to attack other devices on the same home or office network.
How to stay safe
Because detection can be hard, it is crucial that users apply certain checks:

Don’t open email attachments until after verifying, with a trusted source, that they are legitimate.
Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called invoice.pdf.vhd the user would only see invoice.pdf. To find out how to do this, see below.
Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory.
Showing file extensions on Windows 10 and 11
To show file extensions in Windows 10 and 11:
Open Explorer (Windows key + E)
In Windows 10, select View and check the box for File name extensions.
In Windows 11, this is found under View > Show > File name extensions.
Alternatively, search for File Explorer Options to uncheck Hide extensions for known file types.
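The extension-unhiding step above can be scripted, and the same idea (don't trust the name or the icon) can be pushed one level further by reading the file's magic bytes. The following is an added example, not code from the original post or from the Malwarebytes article it summarizes. It assumes a Windows 10/11 host with PowerShell 5.1 or later, the HideFileExt value under Explorer\Advanced (the registry form of the View setting), and the published signatures of the PDF, VHD, VHDX and ISO formats; the file it inspects at the end is constructed locally, no real lure is downloaded.

```powershell
# Added example (not from the original post): script the View setting and
# identify a downloaded "PDF" by content rather than by name or icon.

# 1. Same switch as View > Show > File name extensions, for the current user.
#    Explorer only re-reads the value when it restarts.
function Show-FileExtensions {
    param([switch]$RestartExplorer)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    if ($RestartExplorer) {
        Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
        Start-Process explorer.exe
    }
}

# 2. Magic-byte check (format signatures from the public specs):
#      PDF   -> file begins with "%PDF"
#      VHDX  -> file begins with "vhdxfile"
#      VHD   -> 512-byte footer at end of file begins with "conectix"
#               (dynamic VHDs also carry a copy of that footer at offset 0)
#      ISO   -> "CD001" at offset 0x8001
function Get-RealFileType {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 8
        $null = $fs.Read($head, 0, 8)
        $headText = [System.Text.Encoding]::ASCII.GetString($head)
        if ($headText.StartsWith('%PDF'))     { return 'PDF' }
        if ($headText -eq 'vhdxfile')         { return 'VHDX' }
        if ($headText.StartsWith('conectix')) { return 'VHD (dynamic)' }
        if ($fs.Length -ge 512) {
            $null = $fs.Seek(-512, [System.IO.SeekOrigin]::End)
            $foot = New-Object byte[] 8
            $null = $fs.Read($foot, 0, 8)
            if ([System.Text.Encoding]::ASCII.GetString($foot) -eq 'conectix') { return 'VHD' }
        }
        if ($fs.Length -ge 0x8006) {
            $null = $fs.Seek(0x8001, [System.IO.SeekOrigin]::Begin)
            $iso = New-Object byte[] 5
            $null = $fs.Read($iso, 0, 5)
            if ([System.Text.Encoding]::ASCII.GetString($iso) -eq 'CD001') { return 'ISO' }
        }
        return 'unknown'
    } finally { $fs.Dispose() }
}

# 3. Flag a document-looking name whose last extension is a container or script
#    type, or whose content is a disk image regardless of what the name says.
function Test-DisguisedDocument {
    param([Parameter(Mandatory)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    $real = Get-RealFileType -Path $Path
    $looksLikeDoc = $name -match '\.(pdf|docx?|xlsx?)(\.|$)'
    $badExt  = [System.IO.Path]::GetExtension($name) -match '^\.(vhd|vhdx|iso|img|wsf|js|jse|vbs|vbe|hta|cmd|bat|ps1|lnk)$'
    $isImage = $real -in 'VHD', 'VHD (dynamic)', 'VHDX', 'ISO'
    [pscustomobject]@{
        File       = $name
        RealType   = $real
        Suspicious = ($looksLikeDoc -and ($badExt -or $isImage))
    }
}

# Constructed sample (not a real lure): an 8 KB file named like the phishing
# attachment whose last 512 bytes carry the VHD footer cookie.
$sample = Join-Path $env:TEMP 'invoice.pdf.vhd'
$bytes  = New-Object byte[] 8192
[System.Text.Encoding]::ASCII.GetBytes('conectix').CopyTo($bytes, 8192 - 512)
[System.IO.File]::WriteAllBytes($sample, $bytes)
Test-DisguisedDocument -Path $sample
Remove-Item $sample
```

Get-RealFileType reads only a few bytes at fixed offsets, so it is safe to run on a file you have not opened; it never mounts, parses or executes anything. The footer check is what catches a fixed-size VHD, whose first bytes are ordinary disk data rather than a signature.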
 
What you quoted is a very realistic (and effective) phishing pattern because each individual step uses “normal” Windows features: a VHD mount, then script execution, then abuse of trusted signed processes (living-off-the-land + in-memory payload). That combination is exactly why it can slip past “I only open PDFs” habits.

Why this works (in plain terms)
  • The file “looks like a PDF” (name/icon), but it’s actually a disk image (VHD). Windows can mount it without any obvious warning.
  • Inside that new drive, the “PDF” is actually a script container (WSF), and double‑clicking executes code (it does not “open a document”).
  • The payload runs in memory (often via injection into legitimate Windows/Microsoft processes), reducing classic on‑disk indicators.

Practical defenses that help most (home users)
  • Show file extensions (as your quote already recommends). This breaks a lot of “invoice.pdf.vhd” tricks immediately.
  • Treat VHD/VHDX/ISO and script files as dangerous when they arrive via email/links:
    • Disk images: .vhd, .vhdx, .iso, .img
    • Scripts: .wsf, .js, .vbs, .jse, .vbe, .hta, .cmd, .bat, .ps1
  • Keep Microsoft Defender (or equivalent) fully updated and enable cloud-delivered protection + Tamper Protection. These campaigns rely on being “a step ahead” of stale signatures.
  • Keep SmartScreen enabled (Windows + Microsoft Edge). It won’t stop everything, but it’s a low-friction layer that often catches fresh phishing infrastructure and suspicious downloads.
  • Use standard-user daily accounts (not admin) where possible. It doesn’t prevent execution, but it can reduce what the malware can change system-wide.

Stronger mitigations (advanced / business-friendly)
If you manage multiple PCs, these are the kinds of controls that materially reduce this entire class of attack:
  • Block or restrict Windows Script Host (WSH) if your environment doesn’t need it (WSF/VBS/JS are common malware loaders). This is a common hardening step in many orgs.
  • Application control (WDAC / AppLocker) to block script interpreters or to only allow trusted-signed scripts.
  • Microsoft Defender Attack Surface Reduction (ASR) rules to reduce script- and email-launched malware paths (exact rule choices depend on environment/testing).
  • Email/web filtering to block disk image and script attachments, and to detonate/sandbox downloads linked from emails (especially “invoice / purchase order” themed messages).

If someone already clicked it
Because AsyncRAT is a remote-access trojan, treat it as a potential credential/session compromise:
  • Disconnect the PC from the network (Wi‑Fi/Ethernet) to cut off remote control.
  • Run an offline scan first (e.g., Microsoft Defender Offline), then follow with reputable second-opinion scanners.
  • From a separate known-clean device: change passwords for email first (because it’s the “password reset hub”), then banking/critical accounts, and enable MFA where available.
  • If it’s a work device: escalate to your IT/security team (EDR investigation is the right level of response for in-memory/injection behavior).

Net: the “show extensions” advice is good, but the bigger win is to treat disk images + script files as executable content, and reduce/disable script execution paths where you can.
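The "stronger mitigations" list above can be applied from PowerShell on a single machine or pushed through your management tooling. The following is an added example, not code from the original post; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 with Microsoft Defender Antivirus, the documented Windows Script Host "Enabled" registry value, and the ASR rule GUIDs as listed in Microsoft's ASR reference (check them against the current docs before deploying). The same controls are restated later in the thread as "Script Blocking" and the ASR rule entry.

```powershell
# Added example (not from the original post): registry- and Defender-level
# hardening against the VHD -> WSF -> in-memory RAT chain. Pilot first; some
# line-of-business tooling still depends on Windows Script Host.

# 1. Disable Windows Script Host machine-wide. wscript.exe/cscript.exe then
#    refuse .wsf/.vbs/.js files with "Windows Script Host access is disabled".
function Disable-WindowsScriptHost {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
}

# 2. Make double-click open script files in Notepad instead of executing them.
#    Written to the machine classes hive; a per-user "Open with" choice in HKCU
#    still wins, so treat this as a speed bump, not a security boundary.
function Set-ScriptOpensInNotepad {
    param([string[]]$Extensions = @('.wsf', '.js', '.jse', '.vbs', '.vbe', '.hta'))
    foreach ($ext in $Extensions) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value 'notepad.exe "%1"'
        }
    }
}

# 3. Defender Attack Surface Reduction rules aimed at script loaders.
#    Rule IDs are Microsoft's published GUIDs (assumption: unchanged in your build).
#    Start in AuditMode, review the "ASR audit" events, then switch to Enabled.
function Enable-AsrScriptRules {
    param([ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'AuditMode')
    $rules = @{
        # Block JavaScript or VBScript from launching downloaded executable content
        'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JS/VBS launching downloaded content'
        # Block execution of potentially obfuscated scripts
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Potentially obfuscated scripts'
    }
    foreach ($id in $rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Verbose "$Mode : $($rules[$id])"
    }
}

# 4. Read back the state so the change can be verified (or audited by a checklist).
function Get-ScriptHardeningState {
    $wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
    $mp  = Get-MpPreference
    [pscustomobject]@{
        WshEnabled  = if ($null -eq $wsh.Enabled) { 'not set (WSH allowed)' } else { $wsh.Enabled }
        WsfOpenCmd  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\WSFFile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
        AsrRuleIds  = $mp.AttackSurfaceReductionRules_Ids
        AsrActions  = $mp.AttackSurfaceReductionRules_Actions
    }
}

Disable-WindowsScriptHost
Set-ScriptOpensInNotepad
Enable-AsrScriptRules -Mode AuditMode
Get-ScriptHardeningState
```

The three functions are deliberately independent so you can roll out the low-risk ones (Notepad association, ASR in audit mode) broadly and gate the WSH kill switch on a pilot. None of this replaces an application-control policy (WDAC or AppLocker) that denies the script interpreters outright; that is the boundary, these are the quick wins.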
 
Checking file properties before opening a downloaded file takes only a couple of seconds.
 
Technical Analysis & Remediation

Attack Chain & Telemetry

Delivery: Phishing emails containing links to content hosted on IPFS (InterPlanetary File System) to evade takedowns and gateway blocking.

Masquerading: The payload is a .vhd file named to appear as a PDF (e.g., invoice.pdf.vhd), utilizing the default Windows behavior of hiding known file extensions.

Execution:
User double-clicks the VHD; Windows mounts it as a virtual drive (e.g., E:).
User opens a contained Windows Script File (WSF), believing it to be a document.
Script executes, performing anti-analysis checks before payload injection.

MITRE ATT&CK Mapping

T1566.002 (Phishing: Spearphishing Link): Use of IPFS links.
T1036.003 (Masquerading: Rename System Utilities): Misleading file extensions (.pdf.vhd).
T1027 (Obfuscated Files or Information): Hiding malware inside VHD containers.
T1055 (Process Injection): Injecting AsyncRAT shellcode into legitimate processes.

Live Evidence / IOCs

Campaign Tag: DEAD#VAX
File Pattern: invoice.pdf.vhd, purchase order.pdf.vhd
Targeted Processes for Injection: RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, sihost.exe
Network Artifacts: Traffic to IPFS gateways combined with VHD downloads.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment
Block VHD/ISO: Implement email gateway rules to block or quarantine .vhd, .vhdx, and .iso attachments or downloads, as legitimate business use via email is rare.
IPFS Filtering: Block access to known public IPFS gateways at the web proxy level to sever the delivery chain.
Endpoint Hunting: Query EDR for wscript.exe or cscript.exe spawning from a non-system drive letter (e.g., E:, F:) or mounting events associated with VHDs.

Phase 2: Eradication
Memory Scanning: Since AsyncRAT runs purely in memory, initiate full memory scans using endpoint protection suites capable of detecting behavioral anomalies in RuntimeBroker.exe and sihost.exe.
Script Blocking: Enforce policy to prevent WSF/JScript execution by default or associate .js/.wsf files with Notepad instead of the Windows Script Host.

Phase 3: Recovery
Credential Reset: Force password resets for all users who executed the VHD, as AsyncRAT prioritizes stealing saved passwords from browsers and email clients.
Re-image: For confirmed infections, re-imaging is recommended due to the potential for deep persistence and lateral movement.

Phase 4: Lessons Learned
Update security awareness training to specifically highlight "double extension" attacks and the danger of mounting external files.

Remediation - THE HOME USER TRACK

Priority 1: Safety (Identity & Isolation)
Disconnect: Immediately disconnect the infected PC from the internet to stop the attacker from controlling the device or accessing the webcam.
Unhide Extensions: Enable "File name extensions" in Windows View settings. This reveals the true nature of files like invoice.pdf.vhd so you aren't tricked by the icon.

Priority 2: Scan & Clean
Run Antivirus: Perform a "Full Scan" using Malwarebytes or Windows Defender. Ensure the definition database is up-to-date to detect the memory-resident payload.
Check "Mounted" Drives: Open "This PC" in File Explorer. If you see a drive you don't recognize (like E: or F:), right-click and select "Eject".

Priority 3: Account Recovery
Change Passwords: Using a different, clean device (like your phone), change passwords for your email, bank, and social media. AsyncRAT steals these instantly.

Hardening & References

Baseline: CIS Benchmark for Windows 10/11: Ensure "Hide extensions for known file types" is DISABLED (scored recommendation).
Attack Surface Reduction (ASR) Rule: "Block JavaScript or VBScript from launching downloaded executable content."
Reference: NIST SP 800-83 (Guide to Malware Incident Prevention and Handling).

Malwarebytes Threat Intelligence
Securonix (Campaign Origin)
ThreatDown (Infrastructure Analysis)
Malwarebytes Labs (Payload Analysis)
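The "Endpoint Hunting" and "Check Mounted Drives" items above can be turned into a single-host hunt. The following is an added example, not code from the original post or from any of the vendor write-ups it cites. It assumes Sysmon Event ID 1 (process creation) is collected in Microsoft-Windows-Sysmon/Operational, or Security event 4688 with command-line auditing is enabled, and that VHD/VHDX attach events land in the Microsoft-Windows-VHDMP-Operational log (log and event names are assumptions to verify on your build); the two records at the end are constructed, not real telemetry. The mounted-volume report also covers the shortcut-with-a-PDF-icon variant described in the last reply of the thread. Run elevated; for a fleet, translate the core test into your EDR's query language.

```powershell
# Added example (not from the original post): hunt for script hosts launched
# from a mounted image, list recent VHD attaches, and inspect a mounted volume.

$ScriptHostPattern = '(?i)\\(wscript|cscript)\.exe$'
# A script path on any drive letter inside the command line; group 1 is the letter.
$ScriptPathPattern = '(?i)([A-Z]):\\[^"]*?\.(wsf|js|jse|vbs|vbe)(?=["\s]|$)'

# Core test, kept separate from event collection so it can run on sample records:
# true when a script host is handed a script that lives on a non-system drive.
function Test-ScriptHostFromMountedDrive {
    param([string]$Image, [string]$CommandLine, [string]$SystemDrive = $env:SystemDrive)
    if ($Image -notmatch $ScriptHostPattern) { return $false }
    $sysLetter = $SystemDrive.TrimEnd(':').ToUpper()
    foreach ($m in [regex]::Matches($CommandLine, $ScriptPathPattern)) {
        if ($m.Groups[1].Value.ToUpper() -ne $sysLetter) { return $true }
    }
    return $false
}

# Walk Sysmon 1 and Security 4688 (assumed collected) and apply the core test.
function Find-ScriptHostFromMountedDrive {
    param([int]$Days = 7)
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Image = 'Image';          Parent = 'ParentImage' },
        @{ LogName = 'Security';                             Id = 4688; Image = 'NewProcessName'; Parent = 'ParentProcessName' }
    )
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.LogName; Id = $s.Id; StartTime = (Get-Date).AddDays(-$Days) }
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if (Test-ScriptHostFromMountedDrive -Image $d[$s.Image] -CommandLine $d['CommandLine']) {
                [pscustomobject]@{
                    Time = $e.TimeCreated; Computer = $e.MachineName; Log = $s.LogName
                    Image = $d[$s.Image]; Parent = $d[$s.Parent]; CommandLine = $d['CommandLine']
                }
            }
        }
    }
}

# Recent VHD/VHDX attach events (the "drive E:" step) for time correlation.
function Find-RecentVhdMounts {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-VHDMP-Operational'; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)\.(vhd|vhdx)' } |
        Select-Object TimeCreated, Id, Message
}

# Contents of a still-mounted image: hidden files, script files, and shortcuts
# whose target or arguments point at a script host (the LNK-with-PDF-icon variant).
function Get-MountedVolumeReport {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\'
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $null; $lnkArgs = $null
        if ($_.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath; $lnkArgs = $lnk.Arguments
        }
        [pscustomobject]@{
            Path       = $_.FullName
            Hidden     = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            LnkTarget  = $target
            LnkArgs    = $lnkArgs
            Suspicious = ($_.Extension -match '(?i)^\.(wsf|js|jse|vbs|vbe|hta|cmd|bat|ps1)$') -or
                         ("$target $lnkArgs" -match '(?i)(wscript|cscript|mshta|powershell|cmd)\.exe|\.(wsf|js|jse|vbs|vbe)\b')
        }
    }
}

# Constructed sample records (not real telemetry) exercising the core test:
# a script launched from a mounted drive letter versus one on the system drive.
Test-ScriptHostFromMountedDrive -Image 'C:\Windows\System32\wscript.exe' -CommandLine '"C:\Windows\System32\wscript.exe" "E:\invoice.pdf.wsf"' -SystemDrive 'C:'
Test-ScriptHostFromMountedDrive -Image 'C:\Windows\System32\cscript.exe' -CommandLine 'cscript.exe //nologo C:\Scripts\inventory.vbs' -SystemDrive 'C:'
```

The drive-letter test is a heuristic: legitimate scripts on a second fixed disk or a USB stick will also match, so pair a hit with Find-RecentVhdMounts for the same minute and with the parent process (explorer.exe launching wscript.exe from a freshly attached letter is the double-click in the post). Get-MountedVolumeReport only reads directory entries and shortcut metadata through the WScript.Shell COM object; it does not execute anything on the volume.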
 
It is an old and well-known method. However, a more prevalent version is the VHD file without a PDF icon, with an embedded shortcut that has a PDF icon and a hidden WSH file (or another script).