
In a deeply revealing investigation, Censys researchers have uncovered a web of malicious infrastructure revolving around a deceptively innocuous file: sostener.vbs. What at first glance appeared to be a few megabytes of obfuscated junk data turned out to be the launching point for a multi-stage remote access trojan (RAT) delivery pipeline affecting dozens of hosts and hundreds of victims.
“Each of these directories contained only two or three Visual Basic Script (VBS) files… their contents consisted primarily of nonsensical junk data: an indicator of heavy obfuscation,” the report explains.
Censys identified 16 open directories containing 17 uniquely obfuscated versions of sostener.vbs, Spanish for “sustain.” These VBScript files act as the Stage 1 loader in a carefully constructed three-stage attack chain:
- Stage 1 (VBScript Dropper): Decodes a Base64-encoded payload, dynamically generates a PowerShell script from it, and executes that script.
- Stage 2 (Stager): Downloads additional components from legitimate third-party hosting services, including the Internet Archive and paste[.]ee, with the malware hidden inside JPEG images or plain text files so the downloads look benign.
- Stage 3 (Injector): Loads a RAT directly into memory without writing it to disk; most commonly Remcos, but also LimeRAT, DCRat, and AsyncRAT.

“This specific Stage 2 loader extracts the content between the strings ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’ in the image, then Base64-decodes it,” Censys notes, describing the payload concealment inside seemingly innocent JPEGs.
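The marker-delimited concealment described above is easy to reproduce on the analysis side. The script below is an added example written for this article, not code from the Censys report or from the campaign: it builds a constructed JPEG-like blob with a Base64 payload appended after the image's end-of-image marker, carves the content between `<<BASE64_START>>` and `<<BASE64_END>>`, decodes it, and does coarse triage on the result (MZ header versus script text). The image bytes, the payload and the function names are all assumptions for illustration; the only detail taken from the report is the pair of marker strings.

```python
"""Carve and triage a payload hidden between text markers inside an image.

Added example (not Censys or campaign code). The JPEG container and the
payload below are constructed for this demonstration; only the two marker
strings come from the report.
"""
import base64
import binascii
import re
from typing import Optional

START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def build_sample_image(payload: bytes) -> bytes:
    """Constructed JPEG-like blob: SOI + minimal APP0 header, filler scan
    data, EOI, then the Base64 payload appended after the image proper.
    Image viewers stop at EOI, so the trailing text goes unnoticed."""
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg_body = b"\x00" * 64          # stand-in for compressed scan data
    jpeg_tail = b"\xff\xd9"           # EOI
    encoded = base64.b64encode(payload)
    return jpeg_head + jpeg_body + jpeg_tail + START_MARKER + encoded + END_MARKER


def extract_embedded_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload, or None when either marker is missing or
    the text between them is not valid Base64 (the two failure modes an
    analyst hits when the hosting service has altered or removed the file)."""
    start = blob.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = blob.find(END_MARKER, start)
    if end == -1:
        return None
    # Strip any whitespace or line breaks a paste site may have inserted.
    encoded = re.sub(rb"\s+", b"", blob[start:end])
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_payload(data: bytes) -> str:
    """Coarse triage of the decoded bytes: a PE image, readable script text,
    or something else that needs a closer look."""
    if data.startswith(b"MZ"):
        return "pe"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return "script"
    return "unknown"


if __name__ == "__main__":
    # Constructed stand-in for a dropped executable: MZ header plus the DOS stub text.
    sample_payload = b"MZ" + b"\x90" * 16 + b"This program cannot be run in DOS mode."
    image = build_sample_image(sample_payload)
    carved = extract_embedded_payload(image)
    print("carved bytes:", None if carved is None else len(carved))
    print("classification:", None if carved is None else classify_payload(carved))
```

Running the script against a real sample is the same call with the file's bytes in place of the constructed image; a `None` result means the markers were not found or the content between them did not decode, which is worth recording rather than silently skipping, since a stager that fails the same way is what the victim's host would show as a half-completed infection.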
The investigation reveals a common theme: heavy reuse of infrastructure and toolsets. Each RAT observed communicates via domains registered with duckdns[.]org, a free dynamic DNS provider often abused for illicit C2 operations. Among the malicious domains:
- rem25rem[.]duckdns[.]org — Remcos RAT
- romanovas[.]duckdns[.]org — LimeRAT
- dgflex[.]duckdns[.]org — DCRat
- purelogs2025[.]duckdns[.]org — AsyncRAT
Some servers even reused TLS certificates across multiple IP addresses and ports, strongly suggesting centralized control. In one example, IP address 193.23.3.29 served two separate variants of Remcos under different domain names, both using the same TLS fingerprint.
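The two infrastructure signals above, C2 hostnames on a free dynamic-DNS provider and one TLS certificate served from several endpoints, are the kind of pivot an analyst runs over scanner host records. The script below is an added example written for this article, not Censys tooling: it takes constructed records of the shape (IP, port, server name, certificate fingerprint), flags dynamic-DNS names on a label boundary so that a lookalike such as `notduckdns.org` is not a hit, and reports certificates that appear with more than one IP or more than one server name. The first two records echo the report's description of 193.23.3.29 serving two Remcos variants with one certificate, but the second hostname, every port and every fingerprint are placeholders, not values from the report.

```python
"""Pivot over scanner-style host records for infrastructure reuse signals.

Added example (not Censys code). All records, ports and fingerprints below
are constructed placeholders; see the comments for what echoes the report.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (ip, port, TLS server name, certificate SHA-256 fingerprint)
Observation = Tuple[str, int, str, str]

SAMPLE_OBSERVATIONS: List[Observation] = [
    # Two names on one IP with one certificate: the pattern the report
    # describes for 193.23.3.29. Second hostname, ports, fingerprints: placeholders.
    ("193.23.3.29", 2404, "rem25rem.duckdns.org", "fp-aaaa"),
    ("193.23.3.29", 8080, "example-rem2.duckdns.org", "fp-aaaa"),
    ("198.51.100.7", 443, "romanovas.duckdns.org", "fp-bbbb"),
    # One legitimate host on two ports with one certificate: normal, not reuse.
    ("203.0.113.9", 443, "shop.example.com", "fp-cccc"),
    ("203.0.113.9", 8443, "shop.example.com", "fp-cccc"),
    # Lookalike that a naive substring check would wrongly flag.
    ("198.51.100.8", 443, "notduckdns.org", "fp-dddd"),
]

# Free dynamic-DNS providers to watch; extend with the suffixes you track.
FREE_DDNS_SUFFIXES = ("duckdns.org",)


def is_dynamic_dns(hostname: str) -> bool:
    """True when hostname is the provider apex or a subdomain of it.
    Matching on a label boundary keeps 'notduckdns.org' out."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in FREE_DDNS_SUFFIXES)


def group_by_fingerprint(obs: List[Observation]) -> Dict[str, Set[Tuple[str, int, str]]]:
    groups: Dict[str, Set[Tuple[str, int, str]]] = defaultdict(set)
    for ip, port, name, fp in obs:
        groups[fp].add((ip, port, name))
    return groups


def find_reused_certs(obs: List[Observation]) -> Dict[str, Set[Tuple[str, int, str]]]:
    """Certificates seen with more than one IP or more than one server name.
    A single host answering on two ports with the same certificate is not
    counted: that is ordinary deployment, not a sign of centralized control."""
    hits = {}
    for fp, endpoints in group_by_fingerprint(obs).items():
        ips = {ip for ip, _, _ in endpoints}
        names = {name for _, _, name in endpoints}
        if len(ips) > 1 or len(names) > 1:
            hits[fp] = endpoints
    return hits


def triage(obs: List[Observation]) -> List[str]:
    """One human-readable finding per flagged signal."""
    findings = []
    for fp, endpoints in sorted(find_reused_certs(obs).items()):
        where = ", ".join(f"{ip}:{port} ({name})" for ip, port, name in sorted(endpoints))
        findings.append(f"cert {fp} reused across {where}")
    for ip, port, name, _ in obs:
        if is_dynamic_dns(name):
            findings.append(f"{ip}:{port} uses free dynamic DNS name {name}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_OBSERVATIONS):
        print(line)
```

The certificate check deliberately ignores port-only differences on a single host; the signal in the report is the same certificate bound to different names or different addresses, which is what a shared operator toolkit produces and what a legitimately administered server normally does not.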
A critical operational security error also surfaced: one of the Bitbucket repositories hosting a Remcos payload had been committed to under a non-anonymous identity.
“The threat actor accidentally used their own personal username and email address when committing to the ‘notificacionesramajudicialcolombia2025’ repository,” the report states.
The user, “Shadow GRT,” was quickly linked to a real-world online presence, including gaming streams on YouTube and Twitch. Though the repository was taken down, researchers managed to preserve its contents and commit history for attribution and further analysis.
While Censys stops short of direct attribution, the tactics, language, and geographical patterns align with APT-C-36 (Blind Eagle), a Colombian threat actor active since 2018.
“The use of heavily obfuscated VBS droppers… closely aligns with the tactics of a known Colombian threat actor: APT-C-36,” the report suggests, referencing similar findings by Lab52 and MITRE ATT&CK.
Although the campaign lacks definitive nation-state infrastructure, its design suggests either coordination with, or imitation of, advanced persistent threat playbooks.