New VIP Keylogger Malware Campaign Targets Credentials via Phishing and Stealthy Execution A recently uncovered malware campaign is deploying VIP Keylogger to steal credentials through sophisticated phishing tactics, hidden payloads, and in-memory execution techniques. The attacks begin with social engineering, luring victims into opening a seemingly legitimate "purchase order" attachment a RAR archive containing a malicious executable. Once executed, the malware loads its final payload directly into memory, avoiding disk-based detection. Researchers identified multiple variants of the campaign, each employing different packaging and execution methods while maintaining the same objective: silent deployment of VIP Keylogger to harvest sensitive data from browsers, email clients, chat applications, and file transfer tools. ### Stealthy Delivery and Evasion Tactics The campaign employs advanced evasion techniques to bypass security measures: - Steganography & Process Hollowing: In one variant, a .NET executable concealed two DLLs in its resource section. One DLL extracted the next stage, which then retrieved the final payload from a hidden PNG image. The malware used process hollowing launching a legitimate process in suspended mode, replacing its memory with malicious code, and resuming execution. - Direct In-Memory Execution: Another variant stored an AES-encrypted payload in its `.data` section. After decryption, it disabled Windows security monitoring (AMSI and ETW) and loaded VIP Keylogger via the Common Language Runtime (CLR), evading defensive checks. The campaign appears linked to a malware-as-a-service (MaaS) model, with some payload features disabled or configurable, suggesting customization for different buyers. ### Broad Credential Theft Capabilities VIP Keylogger targets a wide range of sensitive data, including: - Saved logins, cookies, credit card details, autofill data, download history, and browsing URLs from Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi). - Firefox-based browser credentials via the `PK11SDR_Decrypt` API from `nss3.dll`. - Exfiltration via multiple channels, including FTP, SMTP (port 587), Telegram, Discord, and HTTP POST. ### Indicators of Compromise (IoCs) Researchers shared the following hashes linked to the campaign: - D1DF5D64C430B79F7E0E382521E96A14 (MD5) – Trojan (700000211) - E7C42F2D0FF38F1B9F51DC5D745418F5 (MD5) – Trojan (006d73c21) - EA72845A790DA66A7870DA4DA8924EB3 (MD5) – Trojan (005d5f371) - 694C313B660123F393332C2F0F7072B5 (MD5) – Spyware (004bf6371) The campaign underscores how threat actors combine phishing, steganography, and fileless execution to create scalable, hard-to-detect credential theft operations.