Caminho Loader-as-a-Service Uses Steganography for Malware Delivery

Cybersecurity researchers have identified a new threat called Caminho, a Loader-as-a-Service (LaaS) that hides .NET payloads in images using Least Significant Bit (LSB) steganography. Active since March 2025, this operation targets businesses through spear-phishing emails with social engineering bait. The attack involves JavaScript or VBScript files that fetch obfuscated PowerShell code, which then extracts the malicious payload from images hosted on trusted sites. This fileless approach, combined with anti-analysis tricks, makes Caminho hard to detect. The loader injects final malware into benign processes and sets up persistence through scheduled tasks.

Latest mentioned: 10-23

Earliest mentioned: 10-22

Sources

gbhackers.com thecyberexpress.com cybersum.net

Also Read

Cryptocurrency Developers Targeted by NuGet Supply Chain Attack

Socket’s Threat Research Team discovered a sophisticated supply chain attack on the NuGet package registry targeting cryptocurrency developers. The malicious package, Netherеum.All, exploited a homoglyph attack by using a Cyrillic 'e' to impersonate the legitimate Nethereum library. This package exfiltrated sensitive wallet data, including private keys and mnemonics. The attack leveraged NuGet’s permissive Unicode naming rules, which do not restrict identifiers to ASCII characters. The malicious package was published on October 16, 2025, and removed by NuGet on October 20, 2025. The attackers also inflated download counts to make the package appear legitimate. Researchers linked this attack to an earlier typosquat named NethereumNet, indicating a persistent threat.

10-24Read more →