Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
Essential information
- Published
- 24/03/2026 08:49
- Modified
- 27/03/2026 00:06
- Tags
- 2026-03-24 kramer phantomvai remcos rat scorpiorat uac bypass
- Related entities
- 28 observables, 18 techniques (mitre), 5 malware, 9 others
Description
A multi-stage malware delivery campaign was uncovered, initially detected through a suspicious VBS file. The investigation revealed a complex attack infrastructure using Unicode obfuscation, PNG-based payload staging, and reflectively loaded .NET execution. The attacker utilized open directories to host multiple obfuscated VBS files, each mapping to different malware payloads including XWorm and Remcos RAT. A secondary infection vector involving a weaponized 'PDF' and batch script was also discovered. The campaign demonstrated a modular approach, allowing for payload rotation and multiple attack vectors from the same domain. This sophisticated infrastructure design enables rapid modification and expansion of available payloads without altering the initial delivery mechanism.