A newly identified loader dubbed “Caminho” (Portuguese for “path”) has emerged as a sophisticated Loader-as-a-Service platform that uses Least Significant Bit (LSB) steganography to conceal malicious .NET payloads inside innocuous image files.
According to research from Arctic Wolf Labs, the operation was first observed in March 2025 and evolved significantly by June, expanding from South America into Africa and Eastern Europe.
Modular Loader-as-a-Service, Brazilian Origin
The investigation uncovered 71 sample variants all sharing the same core architecture and Portuguese-language artifacts across the code—strong indicators of Brazilian origin. Victim environments included Brazil, South Africa, Ukraine and Poland, suggesting the operation matured into multi-regional service rather than a single-campaign actor.
Victims were hit via spear-phishing attachments using business-themed social engineering. The first stage deployed obfuscated JavaScript or VBScript, which fetched a PowerShell script that in turn downloaded a steganographic image from legitimate platforms like archive.org.
Steganography and Fileless Execution
Caminho uses LSB steganography inside image files like JPGs or PNGs, to hide a payload. The PowerShell script extracts the embedded .NET loader from the image, loads it directly into memory without writing to disk and injects it into a legitimate Windows process such as calc.exe. Researchers described the technical routine stating, “[the script] loads the extracted BMP as a Bitmap object and iterates through every pixel… these color channel values encode the concealed binary data.”
This “fileless” execution model helps evade traditional disk-based detection. Persisting via scheduled tasks named “amandes” or “amandines”, the loader continues even after reboots.
Delivery Infrastructure and Payload Diversity
The delivery chain is modular. After the loader executes, it fetches final-stage malware via URLs passed as arguments. Payloads already observed include the commercial remote access trojan REMCOS RAT, XWorm and credential-stealer Katz Stealer.
By reusing steganographic images and C2 infrastructure across campaigns, the operation mirrors a LaaS (Loader-as-a-Service) business model. One example: the image file “universe-1733359315202-8750.jpg” appeared in multiple campaigns with different payloads.
Their infrastructure is likewise cleverly designed. The campaign leverages legitimate services like Archive.org to host stego-images and paste-style services, like paste.ee, pastefy.app, for script staging, blending malicious content amid benign traffic. For command and control the campaign used domains such as “cestfinidns.vip” on AS214943 (Railnet LLC), known for bullet-proof hosting.
Caminho poses challenges to defenders because:
-
Steganographic images evade signature-based detection and appear harmless.
-
Fileless execution avoids writing payloads to disk, limiting forensic traceability.
-
The modular service architecture allows multiple malware families at scale.
-
Use of legitimate hosting and staging reduces network-based red flags.
-
Portuguese-language artifacts and targeting in Brazilian business hours suggest regional origin, but infrastructure supports global operations.
Caminho demonstrates how modern loaders blend legacy attack crafts—script drop from phishing, process injection and sleeper tasks—with advanced evasion via steganography and service-like architectures. As the campaign expands its geography and payload support, organizations in targeted regions—particularly South America, Africa and Eastern Europe—should assume exposure, hunt proactively and validate the integrity of image files, download origins and process trees.
