Caminho

Caminho is a downloader that has been used by threat actors since at least 2025 to deliver various strains of malware such as XWorm.[1]

ID: S9016
Associated Software: VMDetectLoader
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 April 2026
Last Modified: 16 April 2026

Associated Software Descriptions

| Name | Description |
|---|---|
| VMDetectLoader | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Caminho can deobfuscate downloaded files prior to execution.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Caminho has the ability to download files onto compromised hosts.[1] |
| Enterprise | T1106 | Native API | Caminho can use System.Net.WebClient.downloadString() for file download.[1] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Caminho can use junk code for obfuscation.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Caminho can use code flattening for payload obfuscation.[1] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Caminho has launched and hollowed out MSBuild.exe to host malicious code.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0099 | APT-C-36 | APT-C-36 has used Caminho during operations.[1] |

References