Caminho Malware Loader Conceals .NET Payloads inside Images via LSB Steganography

Published 2025-10-23 15:30:30 | gbhackers.com

Caminho, a Brazilian Loader-as-a-Service (LaaS), uses Least Significant Bit (LSB) steganography to hide .NET payloads inside ordinary image files so that the malware they carry slips past defenses. The campaign targets businesses across South America, Africa, and Eastern Europe and relies on spear-phishing to deliver its first stage.

Caminho, a Brazilian Loader-as-a-Service (LaaS), has been uncovered by cybersecurity researchers at Arctic Wolf Labs. Active since March 2025, this malware loader conceals .NET payloads inside images using Least Significant Bit (LSB) steganography, turning everyday images into Trojan horses for malware. The operation has evolved rapidly, allowing attackers to smuggle remote access tools and infostealers past defenses.

The attack begins with spear-phishing emails whose social-engineering lure is a RAR or ZIP attachment containing JavaScript or VBScript files. Once a victim opens one, the script fetches obfuscated PowerShell code from a pastebin-style service; that PowerShell in turn downloads an apparently innocuous image from a trusted host such as archive.org. The least significant bits of these JPG or PNG files carry the Caminho .NET loader, which is recovered from the image and then extracts the final payload via LSB steganography.

Because the loader and its payload are decoded and run in memory rather than written to disk, and the chain adds anti-analysis checks on top, Caminho is particularly difficult to detect. The loader injects the final malware into benign processes and establishes persistence through scheduled tasks. The operation is financially driven: operators rent the loader to deliver whatever malware the customer supplies.
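As an added illustration of the LSB technique described in the attack chain above and of the detection angle raised in this paragraph, the Python below is example code written for this page; it is not Caminho's code and not Arctic Wolf's tooling. It embeds a constructed stand-in for a .NET PE (only the MZ, PE\0\0 and BSJB signatures a hunter would look for, not a real binary) into a synthetic pixel buffer one bit per byte, recovers it the way a loader would, and then carves the raw LSB plane for that signature chain the way a detector would. The 4-byte length prefix, MSB-first bit order and sequential byte layout are assumptions made for the demo; the article does not document Caminho's actual encoding.

```python
import random
import struct

# Constructed cover: a 64x64 RGB "image" of pseudo-random bytes standing in
# for a decoded JPG/PNG pixel buffer. There is no real image file here.
_rng = random.Random(1234)
COVER = bytes(_rng.getrandbits(8) for _ in range(64 * 64 * 3))

# Constructed stand-in for a .NET PE: just the signatures a detector keys on.
# Not a real assembly and not Caminho's payload.
FAKE_DOTNET = (
    b"MZ" + b"\x90" * 62                 # DOS header stub
    + b"PE\x00\x00" + b"\x00" * 20       # PE signature + COFF header
    + b"BSJB" + b"v4.0.30319\x00"        # CLR metadata root signature + version
    + b"constructed test payload, not a real loader"
)


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length prefix plus the payload into the LSB
    of successive pixel bytes, MSB-first. Layout is an assumption for this
    demo, not Caminho's documented format."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("payload does not fit in cover")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | bit
    return bytes(out)


def lsb_stream(pixels: bytes) -> bytes:
    """Collect the LSB of every pixel byte into a byte string (8 pixel bytes
    -> 1 output byte, MSB-first). Needs no knowledge of the length prefix,
    so this is what a detector runs over a suspect image."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        value = 0
        for b in range(8):
            value = (value << 1) | (pixels[i + b] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Loader-side decode: read the length prefix, then that many bytes."""
    stream = lsb_stream(pixels)
    (length,) = struct.unpack(">I", stream[:4])
    if 4 + length > len(stream):
        raise ValueError("declared length exceeds cover capacity")
    return stream[4:4 + length]


def find_dotnet_markers(stream: bytes):
    """Detector-side carve: require MZ, then PE\\0\\0, then BSJB, in order.
    Returns their offsets or None. A lone 'MZ' shows up by chance in a noisy
    LSB plane; the ordered chain is what makes a hit credible."""
    mz = stream.find(b"MZ")
    if mz < 0:
        return None
    pe = stream.find(b"PE\x00\x00", mz)
    if pe < 0:
        return None
    bsjb = stream.find(b"BSJB", pe)
    if bsjb < 0:
        return None
    return {"MZ": mz, "PE": pe, "BSJB": bsjb}


def stego_roundtrip():
    """Embed the fake .NET blob, recover it the loader's way, and scan the raw
    LSB stream of both the stego image and the clean cover the detector's way.
    Returns (recovered_payload, markers_in_stego, markers_in_clean_cover)."""
    stego = embed_lsb(COVER, FAKE_DOTNET)
    recovered = extract_lsb(stego)
    hit = find_dotnet_markers(lsb_stream(stego))
    clean = find_dotnet_markers(lsb_stream(COVER))
    return recovered, hit, clean


if __name__ == "__main__":
    recovered, hit, clean = stego_roundtrip()
    print("recovered payload matches:", recovered == FAKE_DOTNET)
    print("markers in stego image:", hit)
    print("markers in clean cover:", clean)
```

Two caveats for anyone turning the detector half into a real check. First, it operates on decoded pixels, so a real file must be decoded to a raw buffer first (for example with Pillow), and the decoder matters: JPEG decoders can legitimately differ by a value of one in individual pixels, which flips exactly the bits a loader depends on, so the loader and any detector must decode the same way. Second, the signature carve only catches payloads stored as plain bytes in the LSB plane; an operator who XORs or compresses the blob before embedding defeats it, and at that point a statistical test on the LSB plane or, more reliably, behavioural detection of the PowerShell stage and the subsequent in-memory .NET load is the better control.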