Malicious ZIP distribution analyzed by SANS ISC shows a chain where a VHDX disk image is used as a container to expose JavaScript payload after automatic mounting on Windows, ultimately enabling Remcos RAT deployment. The risk is not a single exploit but abuse of file handling and user trust in disk images.
What changed#
A reported malicious archive (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094) arrives as a ZIP file. Inside is a VHDX virtual disk image. On modern Windows systems, VHDX files can mount automatically or with minimal user interaction.
Once mounted, the disk reveals a JavaScript payload. That script is the execution layer that transitions the chain from passive storage to active compromise. The final payload observed in the chain is Remcos RAT, a remote access tool used for full system control.
The structure matters more than the individual components. ZIP hides VHDX. VHDX hides script. Script triggers execution. Each stage bypasses simpler static inspection.
Why does a VHDX delivery chain matter?#
It turns a storage format into an execution boundary bypass.
The abuse is not in VHDX itself but in how operating systems treat it as trusted infrastructure. Disk images are treated as neutral artifacts. That assumption breaks when they become carriers for active code.
The chain reduces visibility for endpoint tools that scan archives but do not fully inspect mounted virtual disks in real time.
Definition capsule:
VHDX is a Microsoft virtual hard disk format used to store full disk images that can be mounted as logical drives in Windows environments.
What to check in real environments#
Focus is not file type. Focus is mount behavior and secondary payload exposure.
- ZIP archives containing disk image formats: VHDX, VHD, ISO
- Automatic or user-initiated mounting events
- Script execution originating from newly mounted drives
- Unexpected JavaScript execution contexts outside browsers or development tools
- Correlation between archive extraction and new drive appearance
Comparison table: common delivery layers#
Layer | Visibility | Risk model | Typical blind spot
ZIP archive | High | Low until unpacked | Nested containers
VHDX disk image | Medium | Medium after mount | Treated as trusted storage
JavaScript payload | High after exposure | High | Execution outside expected host context
Each layer is benign in isolation. The combination creates the attack path.
What not to overclaim#
No indication in the sample itself that VHDX is a vulnerability. The risk is operational, not a CVE class issue. The attack relies on default OS behavior and user or system-triggered mounting.
The technique is not novel in concept. It is a repackaging of multi-layer hiding used to delay inspection.
FAQ#
What is the core risk here?
Execution hiding behind a trusted disk image format that is automatically mounted and inspected too late in the chain.
Is VHDX itself unsafe?
No. The risk comes from how it is used as a container for executable content.
Can endpoint detection catch this?
Only if it monitors mount events and script execution inside newly attached virtual drives.