Deep Dive: Analyzing the VIP Keylogger Infection Chain and Evasion Tactics
Threat actors are currently executing sophisticated phishing campaigns to deploy the VIP Keylogger, a highly evasive infostealer. By leveraging multi-layered loaders, steganography, and in-memory execution, these attackers aim to bypass traditional endpoint security to exfiltrate sensitive credentials and enterprise data.
Recent observations indicate that these campaigns rely heavily on advanced social engineering. Phishing emails are meticulously crafted to mimic legitimate business communications, such as bank payment notifications, procurement orders, and logistics updates. The malicious payload is typically delivered via script-based loaders or archives disguised as routine invoices or internal approval documents.
During a technical analysis of over 200 VIP script loader samples collected between March and April 2026, researchers noted consistent naming patterns designed to mimic financial workflows. These conventions, often identified via VirusTotal, allow the malware to blend into standard business traffic, effectively evading detection by both end-users and automated email security gateways.
According to a report by the Splunk Threat Research Team (STRT), the infection chain is driven by three primary obfuscated script families: VBScript (.vbs), JavaScript (.js), and Batch files (.bat).

Technical Breakdown of Loader Mechanisms
Each loader variant employs specific obfuscation techniques to defeat static analysis:
- VBScript Variant: This variant utilizes “junk code” padding at the file’s boundaries to obscure the core logic. The actual payload is hidden in the center, consisting of a long hex-encoded string that decodes into a PowerShell stager upon execution. This stager writes its script into a user environment variable (e.g.,
INTERNAL_DB_CACHE) to execute it, subsequently deleting the variable to minimize filesystem artifacts. While transient, this leaves a detectable footprint in theHKCU\Environmentregistry hive. - JavaScript Variant: These loaders use deep obfuscation to spawn a PowerShell process, which handles the subsequent decryption and in-memory loading of the final payload.
Steganography and In-Memory Execution
A standout evasion tactic used by this campaign is the implementation of steganography. Instead of downloading suspicious executables, the PowerShell stager retrieves PNG images from attacker-controlled infrastructure. These images act as containers for the malicious code.

The decoding routine follows a specific logic: it identifies markers within the PNG data, replaces characters used to disguise Base64 patterns, reverses the string, and performs a Base64 decode to reconstruct the executable content directly in memory. This “fileless” approach significantly complicates detection for signature-based antivirus solutions.
Once the payload is reconstructed, the malware utilizes reflective loading to inject itself into legitimate .NET utilities, specifically targeting aspnet_compiler.exe via an Invoke-AssemblyExecution function. By running within a trusted Microsoft process, the stealer bypasses simple allow-lists that trust signed binaries.

Persistence and Data Exfiltration
To maintain a foothold, some variants hide a PowerShell stager within a batch file and write the decoded script to %AppData%\Microsoft\Windows\Libraries. Persistence is then secured by modifying the UserInitMprLogonScript registry key, ensuring execution at every user logon.
As a comprehensive infostealer, the VIP Keylogger harvests:
- Keystrokes and clipboard content.
- Browser credentials, cookies, and autofill data (targeting Chromium and Firefox).
- Discord session tokens and local storage.
- Wi-Fi profiles and system screenshots.
To evade sandboxes, the malware performs environmental checks, including IP reputation lookups and hostname comparisons. If it detects a controlled analysis environment, it may self-delete or alter its behavior. Finally, data is exfiltrated via standard web protocols to C2 servers and Telegram bots.
Defensive Recommendations and Hunting Telemetry
Defenders should align their detection strategies with the MITRE ATT&CK framework. High-value telemetry for hunting this activity includes:
- Monitoring
HKCU\Environmentfor anomalously long registry values. - Auditing
UserInitMprLogonScriptfor unauthorized entries. - Detecting .NET utilities (like
aspnet_compiler.exe) being spawned from unusual or user-writable directories. - Analyzing PowerShell ScriptBlock logs for environment variable manipulation combined with dynamic code execution.
Indicators of Compromise (IOCs)
| SHA256 | Description |
|---|---|
| 95e6c6c13f65217f41c371abf6d03594b2bfed2259a1813bb4222fb2d3c32745 | MSI_105759.png (Steganography) |
| 07ee41817b9f338719bea03676ab607349cc3accba0dddb800f6276a01cfdd9f | img_085027.png (Steganography) |
| 2df582bb41d1e6f0a6d44e8dbc1d8bca8e3d332bb268685b9dfc381a566c63a68d1f59c65ebe64d0e817ffe7ecbf1d5a4bc3768d896c934b00dfd57263c3fe15 8d5de337baa0b0938e4283324d3b1e8ccbdeed694aab3b6118910476200c621b |
.vbs script loader |
| 14b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f49cb62c019d8e9bc4d 28613bfb4e866186133235a88e318df3059b01001f297ad6a524eab0885305a5 d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81 |
.bat script loader |
| 9bca7a3ac404807c63670141a3459eac24450e0cffbe1066cd3c8b503a917170 9905c76ccf4ebdd12e1df63047a3206026073781d885165e82d298656b5f4937 927c6d68f6413e437e4a919b2007f6a2ade32be71f80467856ce19a0325b63eb ae6918bfe8774e1ec1ec34f3db26e7e548dd0dc33a4e6fa80970e0bd2ba7ad9d a2862e4d2c722c7bfc86aa6c2c589455659b7a4ce6bb15ae55706df40e0f1f4e |
.js loader |
| cbdecb69250504d0b00bf3a9ac2209e3f6000553aa0e8980489b8d88106af6b7 b79d5ad4a4b03f9b153d27d356c6e62648fa87c2c378af407b894ed66119b921 |
VIP Keylogger |
| 2801ccd00ad4c93afcc23b9f8e5f56a8ddef81c1f4b331978d9b288a69f8ce4d | Powershell Stager |
| 93cca0789e92ef11ccc9abd411bdc621a34138aaee4db3241f5266bccc7eac78 | Powershell in Environment Variable |