Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

· Published 30/07/2025 15:08 · Modified 30/07/2025 15:20

Essential information

Tags: 2025-07-30 autoit data theft exfiltration obfuscation persistence process-hollowing spear-phishing vip keylogger
Related entities: 1 observable, 1 malware

Description

A sophisticated spear phishing campaign has been identified distributing the VIP Keylogger through email attachments. The malware is delivered as a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are decrypted and injected into RegSvcs.exe using process hollowing. The keylogger is designed to steal sensitive information by logging keystrokes, capturing credentials from popular web browsers, and monitoring clipboard activity. The campaign employs obfuscation techniques and maintains persistence through a VBS script in the Startup folder. The final payload exfiltrates data over SMTP and communicates with a command and control server.
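The infection chain summarised above gives a defender four host-level signals to correlate: an executable with a double extension masquerading as a PDF, RegSvcs.exe started by an unexpected parent (the hollowing target), a VBS file written to the user's Startup folder, and RegSvcs.exe opening an SMTP connection. The following triage routine is an added example written for this page, not code from the platform or from any vendor report; the telemetry records are constructed by hand to mirror Sysmon-style file, process and network events, and the parent-process allowlist for RegSvcs.exe is a hypothetical baseline that an environment would tune.

```python
"""Constructed host-telemetry triage for the VIP Keylogger chain described above.

Events are simplified, hand-built dictionaries (not real EDR output) carrying the
fields an EDR or Sysmon feed would provide: type, image, parent, path, dport.
"""
import re
from typing import Dict, Iterable, List, Optional

# VBS dropped into the per-user Startup folder (persistence noted in the report).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.IGNORECASE)
# Executable disguised as a PDF via a double extension.
DOUBLE_EXT_RE = re.compile(r"\.pdf\.(exe|scr|com)$", re.IGNORECASE)
# Ports the SMTP exfiltration channel would use.
SMTP_PORTS = {25, 465, 587}
# Hypothetical allowlist of parents that legitimately launch RegSvcs.exe
# (installer and IDE tooling); anything else is treated as suspicious.
REGSVCS_PARENT_ALLOWLIST = {"msiexec.exe", "devenv.exe", "msbuild.exe"}

# Constructed sample events: one full infection chain plus one benign RegSvcs launch.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "file_created", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\Invoice_2207\Invoice_2207.pdf.exe"},
    {"type": "process_created",
     "image": r"C:\Users\alice\Downloads\Invoice_2207\Invoice_2207.pdf.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_created",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Users\alice\Downloads\Invoice_2207\Invoice_2207.pdf.exe"},
    {"type": "file_created",
     "image": r"C:\Users\alice\Downloads\Invoice_2207\Invoice_2207.pdf.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "network_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "dest": "203.0.113.10", "dport": 587},
    # Benign noise: a developer IDE legitimately invoking RegSvcs.exe.
    {"type": "process_created",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> Optional[str]:
    """Map one telemetry event to an indicator name, or None if it is unremarkable."""
    kind = ev.get("type")
    if kind == "file_created":
        path = ev.get("path", "")
        if DOUBLE_EXT_RE.search(path):
            return "pdf_masquerade_executable"
        if STARTUP_RE.search(path):
            return "vbs_startup_persistence"
    elif kind == "process_created":
        if (basename(ev.get("image", "")) == "regsvcs.exe"
                and basename(ev.get("parent", "")) not in REGSVCS_PARENT_ALLOWLIST):
            return "regsvcs_unexpected_parent"
    elif kind == "network_connect":
        if basename(ev.get("image", "")) == "regsvcs.exe" and ev.get("dport") in SMTP_PORTS:
            return "regsvcs_smtp_connection"
    return None


def triage(events: Iterable[Dict]) -> Dict:
    """Collect distinct indicators across a host's events and decide whether the
    combination looks like the VIP Keylogger chain (two or more stages observed)."""
    hits = sorted({h for ev in events if (h := check_event(ev))})
    return {"indicators": hits, "chain_suspected": len(hits) >= 2}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Any single indicator here is noisy on its own (a build server will launch RegSvcs.exe all day), which is why the verdict requires at least two distinct stages on the same host; in a real pipeline the events would also be bounded to a short time window and keyed by user session before correlating.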

External references