Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment
Essential information
- Published
- 30/07/2025 15:08
- Modified
- 30/07/2025 15:20
- Tags
- 2025-07-30 autoit data theft exfiltration obfuscation persistence process-hollowing spear-phishing vip keylogger
- Related entities
- 1 observables, 1 malware
Description
A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted and injected into RegSvcs.exe using process hollowing techniques. The VIP keylogger is designed to steal sensitive information by logging keystrokes, capturing credentials from popular web browsers, and monitoring clipboard activity. The campaign employs obfuscation techniques and maintains persistence through a VBS script in the Startup folder. The final payload exfiltrates data through SMTP and communicates with a command and control server.