Pulse Detail — Threat Intelligence

PULSE NAME

Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe.

WHITE PetrP.73 2025-10-22 Modified: 2025-11-21

IOCs

HIGH VOLUME

↓ CSV ↓ JSON

The Caminho Loader, identified by Arctic Wolf, is a sophisticated Brazilian-origin Loader-as-a-Service operation that employs Least Significant Bit (LSB) steganography to conceal malicious .NET payloads within image files hosted on legitimate platforms. Initial infection begins with spear-phishing emails that contain archived JavaScript or VBScript files, often using business-themed social engineering tactics. When executed, these scripts retrieve an obfuscated PowerShell payload that downloads steganographic images from services like archive.org, a digital archive known for its reputation and high availability.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1036 T1053 T1055 T1059 T1070 T1071 T1082 T1102 T1140 T1204 T1497 T1518 T1566 T1573 T1127 T1199 T1105 T1003 T1564 T1559

MALWARE FAMILIES

Caminho Loader Caminho XWorm Katz REMCOS

Indicators of Compromise (64)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2025-61884	—	2025-10-22
FileHash-MD5	1517ce8a9d9ff6d0ddbe3c6616061e3b	MD5 of c3560bfa9483e7894243e613c55744b7f1705a53969f797f5fe8b2cb4fb336cc	2025-10-22
FileHash-MD5	1f73e7258fda2c5b7719591a35b65c43	MD5 of c5208189f4851b8ff525bf3cd74767e89af4ef256b256ed1143f4c8f3a48b01f	2025-10-22
FileHash-MD5	3603ce51b80bf50f15dcfd7addaf0476	MD5 of 6291a85dd9c6288c9997c930cb243d29d671a1c3e0dbd6e0c2fb707355c400a3	2025-10-22
FileHash-MD5	3a2c528535fb5717816b04ab459933c0	MD5 of c2bce00f20b3ac515f3ed3fd0352d203ba192779d6b84dbc215c3eec3a3ff19c	2025-10-22
FileHash-MD5	3c751a9c652148b23521e06f23001132	—	2025-10-22
FileHash-MD5	413ef21e8e1da8ed8b5fa89719938418	MD5 of 418fec787e2c694eb7b1c8c5d5afcc023a88a53ed4d29bac8260ff49d3682671	2025-10-22
FileHash-MD5	56a5e7c87e36960ce4dc9bba89d890dd	MD5 of 1ebab46691a0b5edd2b941c68180da9f6f38ca22b1de6c1804ccb0fda4956fe1	2025-10-22
FileHash-MD5	57902b374a5d9ff65879ca93198c2d60	MD5 of 44d77dad67d9f0bf41999c3510dddb208889bcca22f56adbaf18945a08ba8984	2025-10-22
FileHash-MD5	661728638da04ade17aab3002b2e6c12	MD5 of 89959ad7b1ac18bbd1e850f05ab0b5fce164596bce0f1f8aafb70ebd1bbcf900	2025-10-22
FileHash-MD5	722824f64af8dda95579a815c30bda26	MD5 of 74b48909de2532080d55fc85fb7f24665d68701c1c59c910ee7ad5b83c86695d	2025-10-22
FileHash-MD5	7b1ce80cd125a6d1652f87a1626b7c90	MD5 of 87c9bede1feac2e3810f3d269b4492fe0902e6303020171e561face400e9bdb4	2025-10-22
FileHash-MD5	7dbf033d9b0c170b46e6abfbc104c807	MD5 of 6513a6862e7cd9494566e56b6ccf2a88727f442ed217b73dc878d0097e7b0343	2025-10-22
FileHash-MD5	7dd4b992210313bce6ab4dfe262821fc	MD5 of 6216afeff2697e4010be6f4a76646360114bd73d555901c91cf26828531f0c24	2025-10-22
FileHash-MD5	83580969b9758ae2679b0f92a091db96	MD5 of 003cd08d0e4e3e53b5c2dd7e0ea292059f88f827d0cb025adf478d1f8e005fbd	2025-10-22
FileHash-MD5	8e7ded0089b6adfdd951b5d8175078f7	MD5 of 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7	2025-10-22
FileHash-MD5	a783c45e84facd967ac27ddb5c21310f	MD5 of a6574dd934a98fc0421e771f30ad6db97af6714f919a6cc722f2213933b9e839	2025-10-22
FileHash-MD5	a7ccc97c5e1928600abf8ff956e4c397	MD5 of 592a21ec08f7f1755e4cb396da5e0d48ed6b9a3949c82ae6616eda95913416ee	2025-10-22
FileHash-MD5	d21d147d79518f4f89f2bed612f5ede4	MD5 of b932adbdbb14644366daed1bede62d9293868c9a3eecbffc7c4e6604d6d5b243	2025-10-22
FileHash-SHA1	1626f1ffa240cae5388afb5f9360e70faa54300c	SHA1 of 1ebab46691a0b5edd2b941c68180da9f6f38ca22b1de6c1804ccb0fda4956fe1	2025-10-22
FileHash-SHA1	1f3e09271fc0f70b6d8b78a32002770a5e090ad8	SHA1 of 6291a85dd9c6288c9997c930cb243d29d671a1c3e0dbd6e0c2fb707355c400a3	2025-10-22
FileHash-SHA1	2a9ab5e2de8f176f2f81d3d484e57ac6276e5f05	SHA1 of 74b48909de2532080d55fc85fb7f24665d68701c1c59c910ee7ad5b83c86695d	2025-10-22
FileHash-SHA1	412f7085360e8135073640f5914fb700386e601d	SHA1 of 89959ad7b1ac18bbd1e850f05ab0b5fce164596bce0f1f8aafb70ebd1bbcf900	2025-10-22
FileHash-SHA1	45771637dab1c2a5ea9779519234a25806539ddf	SHA1 of 6216afeff2697e4010be6f4a76646360114bd73d555901c91cf26828531f0c24	2025-10-22
FileHash-SHA1	4be0ac6b6e9a67694d1f498c0aa9d24469cd9d9d	SHA1 of 003cd08d0e4e3e53b5c2dd7e0ea292059f88f827d0cb025adf478d1f8e005fbd	2025-10-22
FileHash-SHA1	4cacd8460915fc4c5970fdf673d48e5210f74131	SHA1 of 87c9bede1feac2e3810f3d269b4492fe0902e6303020171e561face400e9bdb4	2025-10-22
FileHash-SHA1	501e5cc4cb65d55cff934e7447528fef5243578d	SHA1 of 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7	2025-10-22
FileHash-SHA1	6567fec34c206a07c9e6b4ad680315c183dc7ee3	SHA1 of 44d77dad67d9f0bf41999c3510dddb208889bcca22f56adbaf18945a08ba8984	2025-10-22
FileHash-SHA1	78f4872c59a674e9af203e497188bd2b8a983e93	SHA1 of 418fec787e2c694eb7b1c8c5d5afcc023a88a53ed4d29bac8260ff49d3682671	2025-10-22
FileHash-SHA1	8a3a259eb4c7dd0db17d8be75aa0eb6cef1e384e	SHA1 of a6574dd934a98fc0421e771f30ad6db97af6714f919a6cc722f2213933b9e839	2025-10-22
FileHash-SHA1	93c482b74081dec2e97422ff7d9561cb67def712	SHA1 of c3560bfa9483e7894243e613c55744b7f1705a53969f797f5fe8b2cb4fb336cc	2025-10-22
FileHash-SHA1	9ad053576fb57ec7cb6198f8a2a556493da55967	SHA1 of 592a21ec08f7f1755e4cb396da5e0d48ed6b9a3949c82ae6616eda95913416ee	2025-10-22
FileHash-SHA1	b4b13763c262110327d235de1596f2cf03de0203	SHA1 of c5208189f4851b8ff525bf3cd74767e89af4ef256b256ed1143f4c8f3a48b01f	2025-10-22
FileHash-SHA1	b9fdb63ac8d4cf16e95f2e3baa2b9b76bbc2197b	SHA1 of 6513a6862e7cd9494566e56b6ccf2a88727f442ed217b73dc878d0097e7b0343	2025-10-22
FileHash-SHA1	ca6d4bd26cb6abf0c73981ff22af8d65fba60403	SHA1 of b932adbdbb14644366daed1bede62d9293868c9a3eecbffc7c4e6604d6d5b243	2025-10-22
FileHash-SHA1	d210a5be133c143bfb8005dc9804a70fcbe91810	SHA1 of c2bce00f20b3ac515f3ed3fd0352d203ba192779d6b84dbc215c3eec3a3ff19c	2025-10-22
FileHash-SHA256	003cd08d0e4e3e53b5c2dd7e0ea292059f88f827d0cb025adf478d1f8e005fbd	—	2025-10-22
FileHash-SHA256	0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7	—	2025-10-22
FileHash-SHA256	134c29f52884adc5a3050e5c820229e060308e7377c7125805a6bfccd0859361	—	2025-10-22
FileHash-SHA256	1d6e6f058ccb021143872bd068367bff6d665b742a34b2ad84d33e741d3841a8	—	2025-10-22
FileHash-SHA256	1ebab46691a0b5edd2b941c68180da9f6f38ca22b1de6c1804ccb0fda4956fe1	—	2025-10-22
FileHash-SHA256	418fec787e2c694eb7b1c8c5d5afcc023a88a53ed4d29bac8260ff49d3682671	—	2025-10-22
FileHash-SHA256	42761793d309a0e10b664de61fb25f8d915c65a86b4c5b6229c73d3992519fd5	—	2025-10-22
FileHash-SHA256	44d77dad67d9f0bf41999c3510dddb208889bcca22f56adbaf18945a08ba8984	—	2025-10-22
FileHash-SHA256	592a21ec08f7f1755e4cb396da5e0d48ed6b9a3949c82ae6616eda95913416ee	—	2025-10-22
FileHash-SHA256	6216afeff2697e4010be6f4a76646360114bd73d555901c91cf26828531f0c24	—	2025-10-22
FileHash-SHA256	6291a85dd9c6288c9997c930cb243d29d671a1c3e0dbd6e0c2fb707355c400a3	—	2025-10-22
FileHash-SHA256	6513a6862e7cd9494566e56b6ccf2a88727f442ed217b73dc878d0097e7b0343	—	2025-10-22
FileHash-SHA256	74b48909de2532080d55fc85fb7f24665d68701c1c59c910ee7ad5b83c86695d	—	2025-10-22
FileHash-SHA256	780438284cea7d935c900df9b61529664c533762e1dbc9bbec3085e6c19448d1	—	2025-10-22
FileHash-SHA256	87c9bede1feac2e3810f3d269b4492fe0902e6303020171e561face400e9bdb4	—	2025-10-22
FileHash-SHA256	89959ad7b1ac18bbd1e850f05ab0b5fce164596bce0f1f8aafb70ebd1bbcf900	—	2025-10-22
FileHash-SHA256	a0e2b00951c6327788e3cc834a2d5294c2b7f94aad344ec132fe78b30cce18cc	—	2025-10-22
FileHash-SHA256	a6574dd934a98fc0421e771f30ad6db97af6714f919a6cc722f2213933b9e839	—	2025-10-22
FileHash-SHA256	b932adbdbb14644366daed1bede62d9293868c9a3eecbffc7c4e6604d6d5b243	—	2025-10-22
FileHash-SHA256	bbed1022d04cdfb0d11550ada9f5c1d0a9437839b1e42bb80e057438055a382c	—	2025-10-22
FileHash-SHA256	c2bce00f20b3ac515f3ed3fd0352d203ba192779d6b84dbc215c3eec3a3ff19c	—	2025-10-22
FileHash-SHA256	c3560bfa9483e7894243e613c55744b7f1705a53969f797f5fe8b2cb4fb336cc	—	2025-10-22
FileHash-SHA256	c5208189f4851b8ff525bf3cd74767e89af4ef256b256ed1143f4c8f3a48b01f	—	2025-10-22
domain	cestfinidns.vip	—	2025-10-22
domain	ep-eps.com	—	2025-10-22
domain	serverdata-cloud.cloud	—	2025-10-22
domain	tagbox.io	—	2025-10-22
domain	virtualine.org	—	2025-10-22

References (1)

↗ https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families/