A sophisticated, multi-stage malware campaign dubbed Operation DualScript is currently bypassing traditional defenses to siphon funds from cryptocurrency enthusiasts and banking customers. By abusing legitimate Windows components, this campaign effectively “lives off the land” to maintain a near-invisible footprint on infected systems.
What makes Operation DualScript unique is its parallel execution strategy. Once a system is compromised, the malware establishes persistence through Windows Scheduled Tasks. These tasks trigger two distinct malicious chains:

- Chain 1 (The Clipboard Hijacker): A web-based PowerShell loader retrieves a script that monitors the system clipboard. If it detects a cryptocurrency wallet address being copied, it silently swaps it with one of the attacker’s addresses.
- Chain 2 (The RetroRAT Implant): A secondary loader deploys RetroRAT, a Remote Access Trojan designed for deep system monitoring and remote command execution.
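On the endpoint, Chain 1 comes down to a race between the user's copy and the hijacker's rewrite. As an added example (not code from the analysis or from the campaign), the Python heuristic below, using constructed clipboard snapshots and hypothetical names such as detect_clipboard_swaps, flags the pattern a polling clipboard watcher would see: one wallet address replaced by a different address of the same family within a fraction of a second, with no new copy in between.

```python
import re
from dataclasses import dataclass

# Coarse shape checks for the address formats a clipboard hijacker has to
# recognise before it can swap them; triage patterns, not validators.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
@dataclass
class SwapAlert:
    at: float           # time the replacement was first observed
    original: str       # what the clipboard held before
    replaced_with: str  # what it silently changed to
    kind: str           # address family, e.g. "btc_legacy"

def address_kind(text):
    """Return the address family of a clipboard string, or None."""
    text = text.strip()
    return next((k for k, p in ADDRESS_PATTERNS.items() if p.match(text)), None)

def detect_clipboard_swaps(snapshots, max_gap_s=2.0):
    """snapshots: time-ordered (seconds, clipboard_text) pairs from a polling
    clipboard watcher. Alert when one wallet address is replaced by a different
    address of the same family within max_gap_s of first appearing: a hijacker
    rewrites almost at once, a user copying a second address takes longer."""
    alerts, current, since = [], None, None
    for t, text in snapshots:
        if current is None:
            current, since = text, t
            continue
        if text == current:
            continue  # poller re-read unchanged content; nothing happened
        kind = address_kind(current)
        if kind and address_kind(text) == kind and t - since <= max_gap_s:
            alerts.append(SwapAlert(t, current.strip(), text.strip(), kind))
        current, since = text, t
    return alerts

# Constructed snapshots (not data from the campaign): a Bitcoin address is
# copied at t=10.0 and, with no further user action, the clipboard holds a
# different legacy address 0.4 s later. The ETH pair 35 s apart is benign.
SAMPLE_SNAPSHOTS = [
    (9.5, "invoice #4471"),
    (10.0, "1CopiedByUserAddr4Kq2Wm7hB9XtVn5Ra"),
    (10.4, "1SwappedByAttackerAddr9Xq3Tm8hC2Yr"),
    (10.9, "1SwappedByAttackerAddr9Xq3Tm8hC2Yr"),
    (60.0, "0x1234567890abcdef1234567890abcdef12345678"),
    (95.0, "0xfedcba0987654321fedcba0987654321fedcba09"),
]
```

The threshold is a tuning knob: too generous and it fires on users who copy two addresses in quick succession, too tight and a slow-polling hijacker slips through.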
The attackers have gone to great lengths to avoid detection by security software. Instead of saving malicious files to the hard drive, the malware executes its payloads directly in the computer’s memory.
As noted in the analysis:
“By abusing legitimate Windows components and executing payloads directly in memory, the attackers minimize disk artifacts and evade traditional detection mechanisms.”
The malware also performs environment checks to see if it is being analyzed by security researchers. It maintains a hard-coded list of common sandbox usernames like “John Doe” or “virus” and checks for Virtual Machine drivers such as VBoxGuest.sys. If it realizes it is being watched, it simply exits.
Operation DualScript isn’t just looking for random data; it is laser-focused on the U.S. financial ecosystem. The RetroRAT implant uses a global keyboard hook to capture keystrokes and specifically monitors window titles for keywords related to major institutions. The malware targets a wide array of services, including:
- Cryptocurrency: Coinbase, Blockchain, MetaMask, and Binance.
- Banking & Payments: Bank of America, Wells Fargo, Chase, PayPal, and Venmo.
Beyond theft, the campaign provides attackers with total control. The command-and-control (C2) infrastructure allows them to browse files, manage processes, and even shut down the infected system remotely. Because the primary payloads are hosted externally, the attackers can update their tactics in real-time.
As the analysis concludes: “This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms.”