New VIP Keylogger Malware Campaign Targets Credentials via Phishing and Stealthy Execution
A recently uncovered malware campaign is deploying VIP Keylogger to steal credentials through sophisticated phishing tactics, hidden payloads, and in-memory execution techniques. The attacks begin with social engineering, luring victims into opening a seemingly legitimate "purchase order" attachment: a RAR archive containing a malicious executable.
Once executed, the malware loads its final payload directly into memory, avoiding disk-based detection. Researchers identified multiple variants of the campaign, each employing different packaging and execution methods while maintaining the same objective: silent deployment of VIP Keylogger to harvest sensitive data from browsers, email clients, chat applications, and file transfer tools.
Stealthy Delivery and Evasion Tactics
The campaign employs advanced evasion techniques to bypass security measures:
- Steganography & Process Hollowing: In one variant, a .NET executable concealed two DLLs in its resource section. One DLL extracted the next stage, which then retrieved the final payload from a hidden PNG image. The malware used process hollowing: launching a legitimate process in suspended mode, replacing its memory with malicious code, and resuming execution.
- Direct In-Memory Execution: Another variant stored an AES-encrypted payload in its .data section. After decryption, it disabled Windows security monitoring (AMSI and ETW) and loaded VIP Keylogger via the Common Language Runtime (CLR), evading defensive checks.
The campaign appears linked to a malware-as-a-service (MaaS) model, with some payload features disabled or configurable, suggesting customization for different buyers.
Broad Credential Theft Capabilities
VIP Keylogger targets a wide range of sensitive data, including:
- Saved logins, cookies, credit card details, autofill data, download history, and browsing URLs from Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi).
- Firefox-based browser credentials via the PK11SDR_Decrypt API from nss3.dll.
- Exfiltration via multiple channels, including FTP, SMTP (port 587), Telegram, Discord, and HTTP POST.
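The exfiltration channels listed above are the part of this campaign most visible at the network edge. The following is an added example (not code from the original report) showing how a detection engineer could turn them into a first-pass rule over proxy or EDR network telemetry: SMTP submission (587) or FTP from a process that is not a known mail or FTP client, and HTTP POSTs to chat/webhook API hosts. The log format, the sample lines, the process allow-lists and the Telegram/Discord hostnames are all assumptions constructed for the example.

```python
"""Flag outbound connections that match the exfiltration channels named in the report.

Added example, not from the original report. The log format, allow-lists and
sample lines are constructed; the chat API hostnames are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed allow-lists: processes expected to use SMTP submission (587) or FTP (21).
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
EXPECTED_FTP_CLIENTS = {"filezilla.exe", "winscp.exe"}
# Assumed hostnames behind the "Telegram" and "Discord" channels (bot API / webhooks).
CHAT_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}


@dataclass
class Conn:
    process: str
    dst_host: str
    dst_port: int
    method: str  # HTTP method if the proxy saw one, else "-"


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<process> <dst_host> <dst_port> <method>'."""
    proc, host, port, method = line.split()
    return Conn(proc, host, int(port), method)


def classify(c: Conn) -> Optional[str]:
    """Return a reason string if the connection matches an exfil channel, else None."""
    proc = c.process.lower()
    if c.dst_port == 587 and proc not in EXPECTED_MAIL_CLIENTS:
        return "SMTP submission (587) from a non-mail-client process"
    if c.dst_port == 21 and proc not in EXPECTED_FTP_CLIENTS:
        return "FTP from a non-FTP-client process"
    if c.dst_host.lower() in CHAT_API_HOSTS and c.method.upper() == "POST":
        return "HTTP POST to a chat/webhook API host"
    return None


def find_suspicious(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line that matches a channel."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        reason = classify(parse_line(line))
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_LOG = [
    "outlook.exe smtp.example.com 587 -",
    "purchase_order.exe smtp.example.com 587 -",
    "chrome.exe www.example.com 443 GET",
    "purchase_order.exe api.telegram.org 443 POST",
    "purchase_order.exe discord.com 443 POST",
    "winscp.exe files.example.com 21 -",
    "purchase_order.exe 203.0.113.10 21 -",
]

if __name__ == "__main__":
    for line, reason in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The rule is deliberately process-aware rather than port-only: port 587 and FTP are legitimate in most environments, so the signal is the unexpected originating process, and the chat-host rule only fires on POSTs because ordinary client traffic to those hosts is common.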
Indicators of Compromise (IoCs)
Researchers shared the following hashes linked to the campaign:
- D1DF5D64C430B79F7E0E382521E96A14 (MD5) – Trojan (700000211)
- E7C42F2D0FF38F1B9F51DC5D745418F5 (MD5) – Trojan (006d73c21)
- EA72845A790DA66A7870DA4DA8924EB3 (MD5) – Trojan (005d5f371)
- 694C313B660123F393332C2F0F7072B5 (MD5) – Spyware (004bf6371)
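The hashes above can be swept for directly. The following added example (not code from the original report) walks a directory tree, hashes each file in chunks, and reports matches against the four published MD5s; the demo directory and its file contents are constructed. Since the report describes several differently packaged variants sold under a MaaS model, an exact-hash match only catches the specific samples that were analysed, so treat this as a triage aid, not as proof of absence.

```python
"""Sweep a directory tree for files whose MD5 matches the report's IoCs.

Added example, not part of the original report. The hashes are the ones
listed in the article; the demo tree and its contents are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# MD5 -> label, as published in the report (lower-cased for matching).
VIP_KEYLOGGER_IOCS: Dict[str, str] = {
    "d1df5d64c430b79f7e0e382521e96a14": "Trojan (700000211)",
    "e7c42f2d0ff38f1b9f51dc5d745418f5": "Trojan (006d73c21)",
    "ea72845a790da66a7870da4da8924eb3": "Trojan (005d5f371)",
    "694c313b660123f393332c2f0f7072b5": "Spyware (004bf6371)",
}


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str] = VIP_KEYLOGGER_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, md5, label) for every file under root whose MD5 is in iocs."""
    wanted = {k.lower(): v for k, v in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            label = wanted.get(digest)
            if label is not None:
                hits.append((path, digest, label))
    return hits


def build_demo_tree() -> str:
    """Create a constructed directory with one benign file and return its path."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    os.makedirs(os.path.join(root, "Downloads"))
    with open(os.path.join(root, "Downloads", "purchase_order.rar"), "wb") as f:
        f.write(b"hello")  # constructed content; MD5 5d41402abc4b2a76b9719d911017c592
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("published IoC hits:", sweep(root))  # expect [] on this constructed tree
    print("self-check with the demo file's own hash:",
          sweep(root, {"5d41402abc4b2a76b9719d911017c592": "constructed test entry"}))
```

Hash lookups are case-normalised because vendors publish MD5s in either case, and read errors are skipped rather than raised so a single locked file does not stop a sweep of a whole user profile.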
The campaign underscores how threat actors combine phishing, steganography, and fileless execution to create scalable, hard-to-detect credential theft operations.
Source: https://cyberpress.org/vip-keylogger-steals-credentials/
Viper cybersecurity rating report: https://www.rankiteo.com/company/viper
{
  "id": "VIP1773145966",
  "linkid": "viper",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "attack_vector": "Phishing (RAR archive with malicious executable)",
  "data_breach": {
    "data_exfiltration": ["FTP", "SMTP (port 587)", "Telegram", "Discord", "HTTP POST"],
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Saved logins", "Cookies", "Credit card details", "Autofill data",
      "Download history", "Browsing URLs", "Browser credentials",
      "Email client credentials", "Chat application credentials",
      "File transfer tool credentials"
    ]
  },
  "description": "A recently uncovered malware campaign is deploying VIP Keylogger to steal credentials through sophisticated phishing tactics, hidden payloads, and in-memory execution techniques. The attacks begin with social engineering, luring victims into opening a seemingly legitimate 'purchase order' attachment—a RAR archive containing a malicious executable. Once executed, the malware loads its final payload directly into memory, avoiding disk-based detection. The campaign employs advanced evasion techniques such as steganography, process hollowing, and direct in-memory execution to bypass security measures. VIP Keylogger targets sensitive data from browsers, email clients, chat applications, and file transfer tools, exfiltrating via FTP, SMTP, Telegram, Discord, and HTTP POST.",
  "impact": {
    "data_compromised": "Saved logins, cookies, credit card details, autofill data, download history, browsing URLs, browser credentials, email client credentials, chat application credentials, file transfer tool credentials",
    "identity_theft_risk": "High",
    "payment_information_risk": "High",
    "systems_affected": "Windows systems with Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi), Firefox-based browsers, email clients, chat applications, file transfer tools"
  },
  "initial_access_broker": {"entry_point": "Phishing (RAR archive with malicious executable)"},
  "motivation": "Credential Theft",
  "post_incident_analysis": {"root_causes": "Phishing, steganography, process hollowing, in-memory execution, disabled Windows security monitoring (AMSI and ETW)"},
  "references": [{"source": "Cyber Incident Report"}],
  "title": "New VIP Keylogger Malware Campaign Targets Credentials via Phishing and Stealthy Execution",
  "type": "Malware Campaign"
}