Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe
Oct. 22, 2025, 8:37 a.m.
Description
A new malware loader called Caminho, originating from Brazil, has been identified using steganography to hide .NET payloads in image files hosted on legitimate platforms. Active since March 2025, the campaign has evolved significantly, delivering various malware types across South America, Africa, and Eastern Europe. The multi-stage infection chain begins with phishing emails containing malicious scripts, leading to the download of steganographic images. The Caminho loader extracts and executes payloads in memory, establishing persistence through scheduled tasks. Analysis reveals consistent patterns and Portuguese language artifacts, indicating a Loader-as-a-Service model. The operation targets multiple industries opportunistically, using bulletproof hosting for command and control.
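The description above says Caminho hides .NET payloads in the least-significant bits of image pixels. The following is an added defender-side example, not code from the Caminho report or from the loader itself: it reassembles the LSB plane of an image's channel values into a byte stream and looks for a PE header followed by the standard DOS-stub string, the cheapest check a sandbox or mail gateway can run on downloaded images. The "image" is a constructed flat string of 8-bit RGB channel values (with a real file you would get the same bytes from e.g. Pillow's `Image.tobytes()`; that layout is an assumption), and the length-prefixed framing of the hidden payload is an assumed, generic loader convention, not a documented Caminho format.

```python
"""Detect a PE file hidden in the LSB plane of image pixel channels.

Added illustrative example (not the Caminho report's own tooling). The cover
image and hidden payload are constructed fixtures, not real samples.
"""

# Text the MS linker places in nearly every PE's DOS stub; cheap second signal after "MZ".
DOS_STUB = b"This program cannot be run in DOS mode"


def lsb_extract(channels: bytes, max_bytes: int = 4096) -> bytes:
    """Reassemble bytes from the least-significant bit of each channel value (MSB-first)."""
    out = bytearray()
    acc = nbits = 0
    for value in channels:
        acc = (acc << 1) | (value & 1)
        nbits += 1
        if nbits == 8:
            out.append(acc)
            acc = nbits = 0
            if len(out) >= max_bytes:
                break
    return bytes(out)


def find_embedded_pe(blob: bytes, window: int = 512) -> int:
    """Offset of an 'MZ' magic followed by the DOS stub within `window` bytes, else -1.

    Searching every 'MZ' rather than only offset 0 tolerates a length or key prefix
    that a loader may place in front of the payload (assumed framing)."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if DOS_STUB in blob[pos:pos + window]:
            return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def scan_image_lsb(channels: bytes) -> dict:
    """Run extractor and heuristic; returns a small verdict dict suitable for logging or alerting."""
    stream = lsb_extract(channels)
    offset = find_embedded_pe(stream)
    return {"suspicious": offset != -1, "pe_offset": offset, "extracted": len(stream)}


# ---- constructed fixtures (not real samples) ----

def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits into the LSB of successive channel values; used only to build the fixture."""
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def fake_pe_header() -> bytes:
    """Minimal stand-in for a PE prefix: MZ magic, padding, then the DOS stub text."""
    return b"MZ" + b"\x00" * 0x4C + DOS_STUB + b".\r\n$"


# A 64x64 RGB cover with deterministic pseudo-noise so the LSB plane is not all zeros.
COVER = bytes((i * 37 + 11) & 0xFF for i in range(64 * 64 * 3))
# Assumed loader framing: 4-byte little-endian length, then the payload (MZ lands at offset 4).
PAYLOAD = fake_pe_header()
STEGO = lsb_embed(COVER, len(PAYLOAD).to_bytes(4, "little") + PAYLOAD)

if __name__ == "__main__":
    print(scan_image_lsb(STEGO))   # suspicious, pe_offset 4
    print(scan_image_lsb(COVER))   # clean
```

The DOS-stub heuristic misses payloads that are encrypted or compressed before embedding, or that use a non-sequential bit order; in that case a statistical LSB test (chi-square or RS analysis) or simply detonating any image fetched by a script is the fallback. Confirming that a recovered PE is .NET, as the report states for Caminho, needs a PE parser that checks the CLR runtime header data directory, which is out of scope here.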
Tags
Date
- Created: Oct. 22, 2025, 4 a.m.
- Published: Oct. 22, 2025, 4 a.m.
- Modified: Oct. 22, 2025, 8:37 a.m.
Additional Information
- South Africa
- Poland
- Ukraine
- Brazil