Security researchers at LevelBlue SpiderLabs have recently dismantled a sophisticated, multi-stage malware delivery campaign that proves even a single “isolated” detection can be the tip of a massive iceberg. What began as a routine block of a suspicious Visual Basic Script (VBS) file has unraveled into a complex web of fileless loaders, Unicode obfuscation, and open-directory attacker architecture.
The investigation reveals that this is not just a one-off attack, but a “broader, reusable malware framework designed to support multiple payloads and delivery mechanisms”.
The core of this operation revolves around a reflectively loaded .NET execution method known as the VAI loader (or PhantomVAI). To stay under the radar, the attackers utilized heavy Unicode-based obfuscation within VBS files to “conceal its true functionality and evade static inspection”.
The execution chain is a masterclass in modularity:
- The Launcher: An obfuscated VBS file acts as the initial trigger.
- The Delivery: A fileless PowerShell command retrieves secondary payloads while enforcing TLS 1.2 for secure communication.
- The Payload: In a clever twist, the script fetches a seemingly harmless PNG file (MSI_PRO_with_b64.png).
Rather than a real image, the PNG contains a Base64-encoded .NET assembly hidden between custom markers. This allows the malicious code to be loaded directly into memory, effectively “bypassing many traditional file-based detection mechanisms”.
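A triage check for the PNG-with-embedded-assembly trick described above, written here as an added example (it is not code from the LevelBlue report or from the campaign): it walks the PNG chunk structure to find bytes trailing the IEND chunk, then decodes any marker-delimited Base64 and tests whether the result is a PE image. The marker strings and the sample file are constructed assumptions; the campaign's real markers are not given on this page.

```python
"""Triage helper: flag Base64-encoded PE payloads appended to a PNG."""
import base64
import re
import struct
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
START_MARKER = b"<<B64_START>>"  # assumed placeholder, not the campaign's marker
END_MARKER = b"<<B64_END>>"      # assumed placeholder, not the campaign's marker


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past IEND (None if not a PNG)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def find_embedded_pe(data: bytes) -> list:
    """Decode marker-delimited Base64 and report whether each blob is a PE (MZ + PE\\0\\0)."""
    findings = []
    pattern = re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER)
    for m in re.finditer(pattern, data, re.DOTALL):
        try:  # strip whitespace so line-wrapped Base64 still decodes
            blob = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            continue
        is_pe = False
        if blob[:2] == b"MZ" and len(blob) >= 0x40:
            e_lfanew = struct.unpack("<I", blob[0x3C:0x40])[0]
            is_pe = blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"
        findings.append({"offset": m.start(), "size": len(blob), "is_pe": is_pe})
    return findings


def build_sample() -> bytes:
    """Constructed sample: minimal PNG (IHDR + IEND) with a fake PE appended after IEND."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + b"\0\0\0\0"  # CRC not validated here
    png = PNG_SIG + chunk(b"IHDR", b"\0" * 13) + chunk(b"IEND", b"")
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40 + b"PE\0\0"
    return png + START_MARKER + base64.b64encode(fake_pe) + END_MARKER
```

Any non-zero gap between `png_end_offset()` and the file length is itself worth alerting on, since a well-formed PNG has nothing after IEND.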
LevelBlue’s Cyber Threat Intelligence team discovered that the campaign was backed by an “open-directory attacker architecture” hosted on a single controlled domain. These directories—named /coupon/, /protector/, and /invoice/—served as a structured staging ground for a variety of malware.

| Directory | Role in Infection Workflow |
|---|---|
| /coupon/ | Hosted numerous heavily obfuscated VBS delivery scripts. |
| /protector/ | Stored the final “text file” payloads, including XWorm, Remcos RAT, and RedLine Clipper. |
| /invoice/ | Ran a separate attack chain involving a weaponized “PDF” (actually an Internet Shortcut file) and malicious batch scripts. |
This setup allowed the threat actors to reduce operational overhead by using “shared hosting and tooling” to support “multiple infection vectors” simultaneously.
The campaign didn’t stop at VBS and PowerShell. Researchers also identified the deployment of Python-based trojans from the Kramer malware family. These scripts were often staged in a deceptively named /Contacts/MainRingtones directory and were used for post-compromise activities like memory injection and shellcode execution.
To further evade detection, the infrastructure leveraged Cloudflare domains (e.g., trycloudflare.com) to host additional ZIP and BAT-based payloads.
The LevelBlue investigation serves as a stark reminder that modern threats are increasingly multi-language and fileless. As the report concludes:
“The use of fileless loaders, obfuscated scripts, and payloads embedded within non-executable file formats significantly increases the likelihood of evasion against traditional signature-based defenses”.