Large-Scale Spear-Phishing Campaign Distributes VIP Keylogger via Malware-as-a-Service
A sophisticated spear-phishing campaign is distributing a VIP Keylogger variant as part of a Malware-as-a-Service (MaaS) operation, employing advanced evasion techniques to harvest credentials from browsers, email clients, and collaboration tools. The attack leverages steganography, in-memory execution, and modular payload design to bypass traditional defenses.
Attack Vector & Execution
The campaign begins with fraudulent purchase-order emails that trick victims into opening a RAR attachment containing an executable disguised as a spreadsheet (ÜRÜN ÇİZİMİ VE TEKNİK ÖZELLİKLERİ_xlsx.exe, Turkish for "product drawing and technical specifications", with "_xlsx" bolted onto an .exe name). Upon execution, the malware loads VIP Keylogger directly into memory, avoiding disk-based detection.
Researchers identified multiple samples on VirusTotal with consistent payload behavior despite variations in the social-engineering lures. The malware employs process hollowing, dynamically resolving the functions it needs from Kernel32.dll and Ntdll.dll to unpack and execute the keylogger.
In some cases the payload is concealed as AES-encrypted bytes in the .data section of a .NET Portable Executable (PE). The loader disables Windows AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) before executing the keylogger through the .NET Common Language Runtime (CLR).
Credential Theft Capabilities
Once active, the keylogger targets over 40 Chromium-based browsers (Chrome, Brave, Vivaldi, Opera), extracting:
- Stored passwords (AES-256-GCM-encrypted data unlocked via Windows DPAPI)
- Browser cookies & autofill data
- Payment information (stored in SQLite databases)
For Mozilla-based browsers (Firefox, Waterfox, Thunderbird), it uses PK11SDR_Decrypt from nss3.dll to retrieve saved logins. The malware also harvests:
- Email credentials (Outlook via registry, Foxmail, Thunderbird)
- Discord tokens, FileZilla server credentials, and Pidgin chat accounts (from plaintext config files)
- Wi-Fi credentials, clipboard data, and screenshots (though these features were dormant in observed samples)
Exfiltration & Infrastructure
Stolen data is exfiltrated via FTP, Telegram, Discord, web POST requests, and SMTP. Analyzed samples sent credentials from logs@gtpv[.]online to log@gtpv[.]online through the SMTP server hosting2[.]ro.hostsailor[.]com on port 587 (the mail submission port).
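As an added example (not from the original report or the researchers' tooling), the following Python triage logic flags the two host-observable behaviours described above over constructed telemetry: an executable dressed up as a spreadsheet being launched from an archive tool, and port-587 SMTP traffic from a process that is not a mail client. The event format, the archive-tool and mail-client allowlists, and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Document extensions a lure may imitate, and extensions that really execute.
DOC_HINTS = ("xlsx", "xls", "docx", "doc", "pdf", "csv")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Hypothetical allowlists: tools that launch freshly extracted files, and mail
# clients legitimately expected to use SMTP submission on port 587.
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "explorer.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "foxmail.exe"}

def is_document_mimic(filename: str) -> bool:
    """True when an executable's name is dressed up as a document, e.g.
    'REPORT_xlsx.exe' or 'invoice.pdf.exe' (the campaign used '<lure>_xlsx.exe')."""
    name = filename.lower().strip()
    if not name.endswith(EXEC_EXTS):
        return False
    stem = name.rsplit(".", 1)[0]
    # A document extension glued on with '_' or '.' right before the real one.
    return re.search(r"[._](" + "|".join(DOC_HINTS) + r")$", stem) is not None

@dataclass
class Event:
    kind: str         # "file_exec" or "net_connect"
    process: str      # image name of the acting process
    detail: str       # filename for file_exec, "host:port" for net_connect
    parent: str = ""  # parent image name (file_exec only)

def triage(events):
    """Alerts for the two behaviours in the report: an archive-launched executable
    posing as a spreadsheet, and port-587 SMTP traffic from a non-mail process."""
    alerts = []
    for ev in events:
        if ev.kind == "file_exec" and ev.parent.lower() in ARCHIVE_TOOLS \
                and is_document_mimic(ev.detail):
            alerts.append(f"lure-exec: {ev.detail!r} launched by {ev.parent}")
        elif ev.kind == "net_connect":
            host, _, port = ev.detail.rpartition(":")
            if port == "587" and ev.process.lower() not in MAIL_CLIENTS:
                alerts.append(f"smtp-exfil: {ev.process} -> {host}:{port}")
    return alerts

# Constructed sample telemetry (not taken from the analysed samples).
LURE = "ÜRÜN ÇİZİMİ VE TEKNİK ÖZELLİKLERİ_xlsx.exe"
SAMPLE_EVENTS = [
    Event("file_exec", LURE, LURE, parent="WinRAR.exe"),
    Event("file_exec", "excel.exe", "budget.xlsx", parent="explorer.exe"),
    Event("net_connect", LURE, "hosting2[.]ro.hostsailor[.]com:587"),
    Event("net_connect", "outlook.exe", "mail.example.com:587"),
]
```

Running `triage(SAMPLE_EVENTS)` yields one lure-exec alert and one smtp-exfil alert; the benign spreadsheet open and the mail client's own submission traffic stay silent.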
MaaS Model & Customization
The VIP Keylogger operates under a Malware-as-a-Service model, with some variants lacking Anti-VM detection, Process Killer, or Downloader modules, suggesting client-specific customization.
Indicators of Compromise (IOCs)
- D1DF5D64C430B79F7E0E382521E96A14 (Trojan)
- E7C42F2D0FF38F1B9F51DC5D745418F5 (Trojan)
- EA72845A790DA66A7870DA4DA8924EB3 (Trojan)
- 694C313B660123F393332C2F0F7072B5 (Spyware)
The campaign highlights the growing threat of stealthy, in-memory malware delivered via social engineering, underscoring the need for advanced detection mechanisms.
Source: https://gbhackers.com/maas-vip-keylogger-campaign/
Unknown Cyber Inc cybersecurity rating report: https://www.rankiteo.com/company/unknowncyber
Record metadata:
- id: UNK1773059055
- linkid: unknowncyber
- type: Cyber Attack
- date: 3/2026
- severity: 85
- impact: 4
- explanation: Attack with significant impact with customers data leaks
Structured incident record:
- attack_vector: Email (fraudulent purchase-order emails with RAR file attachments)
- data_breach:
  - data_encryption: AES-256 GCM (for browser data), PK11SDR_Decrypt (for Mozilla-based browsers)
  - data_exfiltration: Yes (FTP, Telegram, Discord, web POST requests, SMTP)
  - file_types_exposed:
    - SQLite databases
    - Plaintext config files
    - Registry data
  - personally_identifiable_information: Yes (payment information, credentials, tokens)
  - sensitivity_of_data: High (PII, financial data, authentication tokens)
  - type_of_data_compromised:
    - Credentials
    - Browser data
    - Email credentials
    - Collaboration tool tokens
    - Wi-Fi credentials
    - Clipboard data
    - Screenshots
- description: A sophisticated spear-phishing campaign is distributing a VIP Keylogger variant as part of a Malware-as-a-Service (MaaS) operation, employing advanced evasion techniques to harvest credentials from browsers, email clients, and collaboration tools. The attack leverages steganography, in-memory execution, and modular payload design to bypass traditional defenses.
- impact:
  - data_compromised: Stored passwords, browser cookies, autofill data, payment information, email credentials, Discord tokens, FileZilla server credentials, Pidgin chat accounts, Wi-Fi credentials, clipboard data, screenshots
  - identity_theft_risk: High
  - payment_information_risk: High
  - systems_affected: Windows systems with Chromium-based browsers, Mozilla-based browsers, email clients (Outlook, Foxmail, Thunderbird), collaboration tools (Discord, Pidgin)
- initial_access_broker:
  - entry_point: Spear-phishing email with RAR attachment
- lessons_learned: The campaign highlights the growing threat of stealthy, in-memory malware delivered via social engineering, underscoring the need for advanced detection mechanisms (e.g., behavioral analysis, memory forensics).
- motivation: Credential theft, data exfiltration, financial gain (MaaS model)
- post_incident_analysis:
  - corrective_actions:
    - Enhance email security with AI-based phishing detection.
    - Deploy memory forensics and behavioral analysis tools.
    - Implement credential hygiene policies (e.g., regular rotation, MFA).
    - Conduct red team exercises to test defenses against in-memory attacks.
  - root_causes:
    - Lack of advanced email filtering to detect phishing lures.
    - Insufficient endpoint protection against in-memory malware execution.
    - Over-reliance on disk-based detection methods.
    - Unsecured credential storage in browsers and email clients.
- recommendations:
  - Implement advanced email filtering to detect phishing lures with malicious attachments.
  - Deploy endpoint detection and response (EDR) solutions to monitor in-memory execution and process hollowing.
  - Disable or restrict macros and executable file types in email attachments.
  - Educate employees on identifying spear-phishing attempts and suspicious file types.
  - Monitor for unusual data exfiltration methods (e.g., FTP, Telegram, Discord).
  - Regularly audit and rotate credentials stored in browsers and email clients.
  - Enable multi-factor authentication (MFA) for critical accounts.
- references:
  - source: VirusTotal
- title: Large-Scale Spear-Phishing Campaign Distributes VIP Keylogger via Malware-as-a-Service
- type: Spear-Phishing, Malware (Keylogger), Credential Theft
- vulnerability_exploited: Social engineering, in-memory execution, process hollowing, AMSI/ETW bypass