Hackers Deploy VIP Keylogger Through Phishing Emails Masquerading as Business Documents

May 28, 2026 · 6 min read

Hackers are using deceptive phishing emails dressed up as routine business documents to spread a dangerous malware strain known as VIP Keylogger.

The campaign has been active for months, with attackers showing absolutely no signs of slowing down. VIP Keylogger is part of a broader wave of information-stealing malware that has taken over the threat landscape in recent years.

These tools are built to harvest sensitive data quickly and quietly, either acting alone or opening the door for more damaging follow-on attacks.

What sets VIP Keylogger apart is its resilience and the layered approach its operators use to avoid detection at every stage of infection.

Researchers from the Splunk Threat Research Team (STRT) published a detailed analysis of the malware, noting that VIP Keylogger campaigns have leaned heavily on social engineering tactics over the past several months.

In a report shared with Cyber Security News (CSN), STRT said attackers are disguising malicious files as bank payment notifications, procurement orders, and logistics updates to trick targets into opening them.

VIP Keylogger Loader Phishing Campaign Names (Source - Splunk)

Once a user opens the file, a chain of events is set in motion that ultimately installs the keylogger deep inside the system. The infection process is multi-staged and carefully designed to stay hidden at every step.

By the time the final payload is active, the malware has already burrowed into a legitimate Windows process, making it very difficult to spot.

STRT collected and analyzed more than 200 VIP script loader samples captured between March and April 2026, using data sourced from VirusTotal to study how attackers name and deliver these files.

The research provides a detailed look at one of the more persistent malware families currently targeting Windows users worldwide.

Phishing Emails Deliver VIP Keylogger Through Layered Script Loaders

The initial infection begins with one of three script file types: a Visual Basic Script (.vbs), a JavaScript file (.js), or a batch script (.bat). Each of these loaders is heavily obfuscated using techniques such as junk code padding, hex encoding, and AES-encrypted PowerShell stagers to slip past security scans.

The .vbs loader hides its malicious payload in the middle of the file, sandwiched between large blocks of meaningless code.

Once decoded, it passes execution to a PowerShell stager that is written to a hidden environment variable called INTERNAL_DB_CACHE before running. Though stealthy, this technique leaves a detectable footprint in the Windows registry that security teams can monitor.

VIP Keylogger Loader Infection Chain (Source - Splunk)

One of the most creative tricks in VIP Keylogger’s playbook is steganography, where malicious code is hidden inside what appear to be ordinary image files.

The PowerShell stager downloads two .png files from a remote server, each secretly carrying encoded components of the final payload. Only after those images are decoded does the actual keylogger emerge and get injected into a legitimate Windows process called aspnet_compiler.exe.
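Carrier images of the kind described above are usually still valid PNGs, so a quick structural triage is a useful first check before deeper analysis. The following is an added example written for this page, not code from Splunk or from the campaign: it parses the PNG chunk list and flags the anomalies a steganographic carrier often shows (bytes appended after IEND, non-standard chunk types, oversized ancillary chunks, CRC mismatches). The sample images are constructed in the code, and the heuristics are assumptions of the example; the article does not say how the campaign encodes its components, and a clean result does not prove an image is harmless.

```python
"""Added example (not the article's or Splunk's code): structural triage of
PNG files for the anomalies a steganographic carrier commonly shows."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
ANCILLARY = {b"tEXt", b"zTXt", b"iTXt", b"tIME", b"pHYs", b"gAMA", b"sRGB",
             b"cHRM", b"bKGD", b"sBIT", b"tRNS", b"iCCP", b"hIST", b"sPLT"}


def _chunk(ctype, body):
    """Serialise one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width=2, height=2, extra_chunks=(), trailer=b""):
    """Constructed sample: a tiny valid 8-bit RGB PNG, optionally with extra
    chunks inserted before IEND and arbitrary bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline, then `width` red pixels
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


def parse_chunks(data):
    """Walk the chunk list. Returns (chunks, trailing): chunks is a list of
    (type, length, crc_ok); trailing is every byte after IEND, or after the
    last parseable chunk when a declared length runs past end of file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break  # truncated chunk: stop and report the remainder as trailing
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype, length, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data):
    """Return a list of findings; an empty list means none of the anomalies
    checked here were seen (the file may still be a carrier)."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    idat_bytes = sum(length for ctype, length, _ in chunks if ctype == b"IDAT")
    for ctype, length, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"CRC mismatch on {name} chunk")
        if ctype not in CRITICAL and ctype not in ANCILLARY:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        elif ctype in ANCILLARY and length > max(1024, idat_bytes):
            findings.append(f"oversized {name} chunk ({length} bytes)")
    return findings


# Constructed samples: a clean image, one with data appended after IEND,
# and one carrying data in a large private chunk.
CLEAN_PNG = build_png()
TRAILER_PNG = build_png(trailer=b"<constructed encoded blob>" * 40)
PRIVCHUNK_PNG = build_png(extra_chunks=[(b"pRiv", b"\x41" * 4096)])

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_PNG), ("trailer", TRAILER_PNG),
                        ("private chunk", PRIVCHUNK_PNG)]:
        print(label, triage_png(blob) or "no findings")
```

Run against real files with `triage_png(open(path, "rb").read())`; any finding is a reason to pull the image into sandbox analysis rather than a verdict on its own, since payloads can also live inside valid IDAT pixel data where this check sees nothing.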

VIP Keylogger Capabilities and How to Detect It

Once installed, VIP Keylogger is a serious threat to anyone on the infected machine. It captures every keystroke, takes periodic screenshots of the desktop, steals saved passwords and cookies from dozens of popular browsers, and scans the Windows registry for Outlook credentials.

VIP Keylogger Batch Script Loader (Source - Splunk)

It also monitors clipboard content in real time, silently replacing any copied cryptocurrency wallet addresses with ones controlled by the attacker.

The malware contacts multiple command-and-control servers to send stolen data, including through a Telegram bot. It also checks the victim’s IP address against known sandbox environments to avoid analysis, and deletes itself from disk after execution to cover its tracks.

STRT recommends monitoring registry changes tied to the UserInitMprLogonScript key, flagging PowerShell scripts that combine environment variables with dynamic execution commands, and watching for unusual processes launched from script-based parent processes.

Security teams should also watch for DNS queries directed at Telegram’s API domain, which can indicate active malware-driven data exfiltration.

Keeping systems patched, training staff to recognize phishing emails, and enabling PowerShell script block logging are practical first steps any organization can take to limit exposure to this active and evolving threat.
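To make the monitoring advice above concrete, here is an added example written for this page; it is not Splunk's detection content or anything from the STRT report. It is a small Python rule set run over constructed Sysmon- and PowerShell-log-style events, covering the four recommendations (the UserInitMprLogonScript registry write, script blocks that combine an environment variable with dynamic execution, PowerShell launched by a script host, and DNS queries to the Telegram Bot API) plus the environment-variable stager footprint from the infection-chain section. Field names (EventID, Image, ParentImage, TargetObject, QueryName, ScriptBlockText) follow the Sysmon and PowerShell 4104 schemas; the sample events, file paths, and the aspnet_compiler.exe parent/child heuristic are assumptions of the example, and the sample script block only reuses the INTERNAL_DB_CACHE variable name from the article.

```python
"""Added example (not Splunk's or the article's code): detection rules for
the VIP Keylogger behaviours described above, over constructed events."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# environment-variable read, and a dynamic execution primitive, in script text
ENV_REF = re.compile(r"\$env:\w+|GetEnvironmentVariable\s*\(", re.IGNORECASE)
DYN_EXEC = re.compile(r"\b(?:iex|invoke-expression|invoke-command)\b"
                      r"|\[scriptblock\]::create", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_logon_script_registry(ev):
    """Sysmon EID 13: a value written to UserInitMprLogonScript."""
    if ev.get("EventID") == 13 and \
       ev.get("TargetObject", "").lower().endswith("\\userinitmprlogonscript"):
        return "registry write to UserInitMprLogonScript"
    return None


def rule_env_var_dynamic_exec(ev):
    """PowerShell EID 4104: script text that both reads an environment
    variable and hands a string to a dynamic execution command."""
    if ev.get("EventID") == 4104:
        text = ev.get("ScriptBlockText", "")
        if ENV_REF.search(text) and DYN_EXEC.search(text):
            return "PowerShell reads env var and executes it dynamically"
    return None


def rule_script_host_parent(ev):
    """Sysmon EID 1: PowerShell spawned by a script host, or aspnet_compiler.exe
    spawned by PowerShell (the injection target named in the report; treating
    that parent/child pair as suspicious is this example's assumption)."""
    if ev.get("EventID") != 1:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        return f"{child} launched by script host {parent}"
    if child == "aspnet_compiler.exe" and parent in POWERSHELL:
        return "aspnet_compiler.exe launched by PowerShell"
    return None


def rule_telegram_dns(ev):
    """Sysmon EID 22: DNS query for the Telegram Bot API domain."""
    if ev.get("EventID") == 22 and ev.get("QueryName", "").lower() == "api.telegram.org":
        return "DNS query to api.telegram.org"
    return None


RULES = [rule_logon_script_registry, rule_env_var_dynamic_exec,
         rule_script_host_parent, rule_telegram_dns]


def run_rules(events):
    """Return [(RecordId, finding), ...] for every event that trips a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["RecordId"], hit))
    return alerts


# Constructed sample events (not real telemetry): five that should alert,
# three benign ones that must not.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\victim\AppData\Local\Temp\update.bat"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText": "iex $env:INTERNAL_DB_CACHE"},
    {"RecordId": 3, "EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": 4, "EventID": 1,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"},
    {"RecordId": 5, "EventID": 22, "QueryName": "api.telegram.org"},
    {"RecordId": 6, "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
    {"RecordId": 7, "EventID": 4104, "ScriptBlockText": "Write-Output $env:COMPUTERNAME"},
    {"RecordId": 8, "EventID": 22, "QueryName": "updates.example.com"},
]

if __name__ == "__main__":
    for record_id, finding in run_rules(SAMPLE_EVENTS):
        print(f"record {record_id}: {finding}")
```

The same four conditions translate directly into SIEM searches over the corresponding event sources; the script-block rule depends on PowerShell script block logging being enabled, which is why that setting is listed among the first steps above.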

Indicators of Compromise (IoCs)

Type | Indicator | Description
--- | --- | ---
File Hash (SHA256) | 95e6c6c13f65217f41c371abf6d03594b2bfed2259a181307ee41817b9f33871 | VIP Keylogger loader sample
File Hash (SHA256) | 9bea03676ab607349cc3accba0ddd | VIP Keylogger loader sample
File Name | img_085027.png | Steganography image carrying encoded final payload
File Hash (SHA256) | 2df582bb41d1e6f0a6d44e8dbc1d8bca8e3d332bb268688d1f59c65ebe64d0e8 | VIP Keylogger component
File Hash (SHA256) | 17ffe7ecbf1d5a4bc3768d896c9348d5de337baa0b0938e4283324d3b1e8ccbd | VIP Keylogger component
File Hash (SHA256) | eed694aab3b14b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f428613b | VIP Keylogger component
File Hash (SHA256) | fb4e866186133235a88e318df3059b010 | VIP Keylogger component
File Hash (SHA256) | 01f297ad2ab8dcab70822c839912cb67 | VIP Keylogger component
File Hash (SHA256) | 2e93de459e5608bea21014b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f4 | VIP Keylogger component
File Hash (SHA256) | 9bca7a3ac404807c63670141a3459eac24450e0cffbe109905c76ccf4ebdd12e | VIP Keylogger component
File Hash (SHA256) | 1df63047a3206026073781d88516927c6d68f6413e437e4a919b2007f6a2ade3 | VIP Keylogger component
File Hash (SHA256) | 2be71f8046 | VIP Keylogger payload hash fragment
File Hash (SHA256) | ae6918bfe8774e1ec1ec34f3db26e7e548dd0dc33a4e6faa2862e4d2c722c7bf | VIP Keylogger sample
File Hash (SHA256) | c86aa6c2c589455659b7a4ce6bb15cbdecb69250504d0b00bf3a9ac2209e3f60 | VIP Keylogger sample
File Hash (SHA256) | 00553aa0e89b79d5ad4a4b03f9b153d27d356c6e62648fa87c2c378af42801cc | VIP Keylogger sample
File Hash (SHA256) | d00ad4c93afcc23b9f8e5f56a8ddef81c1f4b3319793cca0789e92ef11ccc9ab | VIP Keylogger sample
File Hash (SHA256) | d411bdc621a34138aaee4db3 | VIP Keylogger payload hash fragment
URL | hxxps://vault88x[.]secure-efficient2[.]su/MSI_105759[.]png | First steganography download URL (encoded downloader component)
URL | hxxps://vault88x[.]secure-efficient2[.]su/img_085027[.]png | Second steganography download URL (encoded final payload)
URL | hxxps[:]//reallyfreegeoip[.]org/xml/ | Geolocation lookup URL used by VIP Keylogger for C2 beaconing
URL | hxxp[:]//checkip[.]dyndns[.]org/ | IP check URL used for network and location data during C2 beaconing
Domain | api.telegram[.]org | Telegram Bot API domain used for C2 communication and data exfiltration

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
