Hackers Deploy VIP Keylogger Through Phishing Emails Masquerading as Business Documents

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Hackers are using deceptive phishing emails dressed up as routine business documents to spread a dangerous malware strain known as VIP Keylogger.

The campaign has been active for months, with attackers showing absolutely no signs of slowing down. VIP Keylogger is part of a broader wave of information-stealing malware that has taken over the threat landscape in recent years.

These tools are built to harvest sensitive data quickly and quietly, either acting alone or opening the door for more damaging follow-on attacks.

What sets VIP Keylogger apart is its resilience and the layered approach its operators use to avoid detection at every stage of infection.

Researchers from the Splunk Threat Research Team (STRT) published a detailed analysis of the malware, noting that VIP Keylogger campaigns have leaned heavily on social engineering tactics over the past several months.

In a report shared with Cyber Security News (CSN), the Splunk Threat Research Team (STRT) said attackers are disguising malicious files as bank payment notifications, procurement orders, and logistics updates to trick targets into opening them.

VIP Keylogger Loader Phishing Campaign Names (Source – Splunk)

Once a user opens the file, a chain of events is set in motion that ultimately installs the keylogger deep inside the system. The infection process is multi-staged and carefully designed to stay hidden at every step.

By the time the final payload is active, the malware has already burrowed into a legitimate Windows process, making it very difficult to spot.

STRT collected and analyzed more than 200 VIP script loader samples captured between March and April 2026, using data sourced from VirusTotal to study how attackers name and deliver these files.

The research provides a detailed look at one of the more persistent malware families currently targeting Windows users worldwide.

Phishing Emails Deliver VIP Keylogger Through Layered Script Loaders

The initial infection begins with one of three script file types: a Visual Basic Script (.vbs), a JavaScript file (.js), or a batch script (.bat). Each of these loaders is heavily obfuscated using techniques such as junk code padding, hex encoding, and AES-encrypted PowerShell stagers to slip past security scans.

The .vbs loader hides its malicious payload in the middle of the file, sandwiched between large blocks of meaningless code.

Once decoded, it passes execution to a PowerShell stager that is written to a hidden environment variable called INTERNAL_DB_CACHE before running. Though stealthy, this technique leaves a detectable footprint in the Windows registry that security teams can monitor.

VIP Keylogger Loader Infection Chain (Source – Splunk)

One of the most creative tricks in VIP Keylogger’s playbook is steganography, where malicious code is hidden inside what appear to be ordinary image files.

The PowerShell stager downloads two .png files from a remote server, each secretly carrying encoded components of the final payload. Only after those images are decoded does the actual keylogger emerge and get injected into a legitimate Windows process called aspnet_compiler.exe.

VIP Keylogger Capabilities and How to Detect It

Once installed, VIP Keylogger is a serious threat to anyone on the infected machine. It captures every keystroke, takes periodic screenshots of the desktop, steals saved passwords and cookies from dozens of popular browsers, and scans the Windows registry for Outlook credentials.

VIP Keylogger Batch Script Loader (Source – Splunk)

It also monitors clipboard content in real time, silently replacing any copied cryptocurrency wallet addresses with ones controlled by the attacker.

The malware contacts multiple command-and-control servers to send stolen data, including through a Telegram bot. It also checks the victim’s IP address against known sandbox environments to avoid analysis, and deletes itself from disk after execution to cover its tracks.

STRT recommends monitoring registry changes tied to the UserInitMprLogonScript key, flagging PowerShell scripts that combine environment variables with dynamic execution commands, and watching for unusual processes launched from script-based parent processes.

Security teams should also watch for DNS queries directed at Telegram’s API domain, which can indicate active malware-driven data exfiltration.
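The following is an added example, not code from the article or from the Splunk report, showing how the four STRT detection recommendations above (the UserInitMprLogonScript registry key, PowerShell that combines an environment variable with dynamic execution, PowerShell spawned by a script host, and DNS queries to the Telegram API domain) can be applied to endpoint telemetry. The event records are constructed for the example and use Sysmon-like field names that are an assumption, not a documented schema; the IoC list reuses the defanged values from the article's table and refangs them only in memory for matching.

```python
"""Triage of endpoint telemetry against the STRT guidance for VIP Keylogger.

Added example (not the article's or Splunk's code). The events below are
constructed, and the field names (event, target, script, parent_image,
image, query) are assumptions standing in for Sysmon/Windows event fields.
"""
import json
import re

# Defanged IoCs copied from the article's table; refanged only in memory.
DEFANGED_IOCS = [
    "api.telegram[.]org",
    "hxxps://vault88x[.]secure-efficient2[.]su/img_085027[.]png",
    "hxxp[:]//checkip[.]dyndns[.]org/",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PERSISTENCE_KEY = "UserInitMprLogonScript"
ENV_VAR_RE = re.compile(r"\$env:\w+|%\w+%", re.IGNORECASE)
DYNAMIC_EXEC_RE = re.compile(r"\b(iex|Invoke-Expression|Invoke-Command)\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.], [:], hxxp) so an IoC can be compared."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(ioc: str) -> str:
    """Reduce a refanged URL or domain to its lowercase host name."""
    return re.sub(r"^https?://", "", refang(ioc)).split("/")[0].lower()


IOC_HOSTS = {host_of(ioc) for ioc in DEFANGED_IOCS}


def classify(event: dict) -> list[str]:
    """Return the STRT-style detections that fire on a single event."""
    hits = []
    kind = event.get("event")
    if kind == "registry_set" and PERSISTENCE_KEY.lower() in event.get("target", "").lower():
        hits.append("registry:UserInitMprLogonScript persistence")
    if kind == "script_block":
        text = event.get("script", "")
        # Both conditions must hold: an env-var reference AND a dynamic-execution cmdlet.
        if ENV_VAR_RE.search(text) and DYNAMIC_EXEC_RE.search(text):
            hits.append("powershell:env-var + dynamic execution")
    if kind == "process_create":
        parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        child = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if parent in SCRIPT_HOSTS and child in POWERSHELL:
            hits.append("process:powershell spawned by script host")
    if kind == "dns_query" and event.get("query", "").lower() in IOC_HOSTS:
        hits.append("dns:query to known IoC domain")
    return hits


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Run classify() over newline-delimited JSON; return {line_no: hits}."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than trusted
        hits = classify(event)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample telemetry (not real logs): one suspicious and one benign line per rule.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event": "registry_set", "target": r"HKCU\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\Public\payment_notice.vbs"},
    {"event": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\OneDrive.exe"},
    {"event": "script_block", "script": "iex $env:INTERNAL_DB_CACHE"},
    {"event": "script_block", "script": "Get-ChildItem $env:TEMP | Remove-Item"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "dns_query", "query": "api.telegram.org"},
    {"event": "dns_query", "query": "www.microsoft.com"},
]]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_EVENTS).items():
        print(f"line {n}: {', '.join(hits)}")
```

The DNS rule matches on host names only, so a query for the Telegram API domain fires even though the article gives no specific bot token or path; the PowerShell rule deliberately requires both an environment-variable reference and a dynamic-execution cmdlet, since either alone is common in legitimate administration scripts.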

Keeping systems patched, training staff to recognize phishing emails, and enabling PowerShell script block logging are practical first steps any organization can take to limit exposure to this active and evolving threat.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| File Hash (SHA256) | 95e6c6c13f65217f41c371abf6d03594b2bfed2259a181307ee41817b9f33871 | VIP Keylogger loader sample |
| File Hash (SHA256) | 9bea03676ab607349cc3accba0ddd | VIP Keylogger loader sample |
| File Name | img_085027.png | Steganography image carrying encoded final payload |
| File Hash (SHA256) | 2df582bb41d1e6f0a6d44e8dbc1d8bca8e3d332bb268688d1f59c65ebe64d0e8 | VIP Keylogger component |
| File Hash (SHA256) | 17ffe7ecbf1d5a4bc3768d896c9348d5de337baa0b0938e4283324d3b1e8ccbd | VIP Keylogger component |
| File Hash (SHA256) | eed694aab3b14b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f428613b | VIP Keylogger component |
| File Hash (SHA256) | fb4e866186133235a88e318df3059b010 | VIP Keylogger component |
| File Hash (SHA256) | 01f297ad2ab8dcab70822c839912cb67 | VIP Keylogger component |
| File Hash (SHA256) | 2e93de459e5608bea21014b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f4 | VIP Keylogger component |
| File Hash (SHA256) | 9bca7a3ac404807c63670141a3459eac24450e0cffbe109905c76ccf4ebdd12e | VIP Keylogger component |
| File Hash (SHA256) | 1df63047a3206026073781d88516927c6d68f6413e437e4a919b2007f6a2ade3 | VIP Keylogger component |
| File Hash (SHA256) | 2be71f8046 | VIP Keylogger payload hash fragment |
| File Hash (SHA256) | ae6918bfe8774e1ec1ec34f3db26e7e548dd0dc33a4e6faa2862e4d2c722c7bf | VIP Keylogger sample |
| File Hash (SHA256) | c86aa6c2c589455659b7a4ce6bb15cbdecb69250504d0b00bf3a9ac2209e3f60 | VIP Keylogger sample |
| File Hash (SHA256) | 00553aa0e89b79d5ad4a4b03f9b153d27d356c6e62648fa87c2c378af42801cc | VIP Keylogger sample |
| File Hash (SHA256) | d00ad4c93afcc23b9f8e5f56a8ddef81c1f4b3319793cca0789e92ef11ccc9ab | VIP Keylogger sample |
| File Hash (SHA256) | d411bdc621a34138aaee4db3 | VIP Keylogger payload hash fragment |
| URL | hxxps://vault88x[.]secure-efficient2[.]su/MSI_105759[.]png | First steganography download URL (encoded downloader component) |
| URL | hxxps://vault88x[.]secure-efficient2[.]su/img_085027[.]png | Second steganography download URL (encoded final payload) |
| URL | hxxps[:]//reallyfreegeoip[.]org/xml/ | Geolocation lookup URL used by VIP Keylogger for C2 beaconing |
| URL | hxxp[:]//checkip[.]dyndns[.]org/ | IP check URL used for network and location data during C2 beaconing |
| Domain | api.telegram[.]org | Telegram Bot API domain used for C2 communication and data exfiltration |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
