
Forcepoint researchers have uncovered an alarming rise in activity involving a new infostealer malware named VIPKeyLogger. Distributed through phishing campaigns, VIPKeyLogger demonstrates sophisticated techniques to harvest sensitive data from its victims, posing significant risks to individual users and organizations alike.
Described as an evolution of the subscription-based Snake Keylogger (also known as 404 Keylogger), VIPKeyLogger arrives via phishing emails carrying malicious attachments, either Microsoft 365 documents or archive files. These attachments harbor executable content which, when opened, initiates the malware’s attack chain.

“When users click the bait to open the archive file, it drops/downloads the infected file in temporary or startup folder for persistence,” Forcepoint researchers explain. The malware downloads additional files, executes them, and deletes the initial payload to evade detection.
The attack begins with a seemingly benign attachment designed to exploit vulnerabilities such as CVE-2017-11882. The file connects to a remote URL to download a .NET-compiled executable. Upon execution, the malware uses obfuscated code hidden within a steganographic image to carry out its operations.
“The payload exfiltrates various data such as PC names, country names, clipboard data, screenshots, cookies, browser history and more,” the report states. VIPKeyLogger transmits this stolen information via Telegram to Command and Control (C2) servers hosted on DuckDNS dynamic DNS domains.
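As an added example (not Forcepoint's code or part of their report), the following scans proxy-style log lines for the two network behaviours just described: POSTs to the Telegram Bot API and requests to DuckDNS hosts. The log format and every sample line are constructed for this example; none of the hosts or tokens are real indicators.

```python
"""Flag network log lines matching the Telegram-exfil / DuckDNS-C2 pattern."""
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (NOT real IoCs): ts src_ip method host path user_agent
SAMPLE_LOG = """\
2024-12-02T09:14:03Z 10.0.5.21 GET update.microsoft.com /v6/windowsupdate Microsoft-Delivery-Optimization/10.0
2024-12-02T09:14:09Z 10.0.5.21 POST api.telegram.org /bot123456789:AAExampleTokenValue_not_real/sendDocument Mozilla/5.0
2024-12-02T09:14:11Z 10.0.5.21 GET example-host.duckdns.org /loader.png Mozilla/4.0
2024-12-02T09:15:40Z 10.0.5.33 GET web.telegram.org /a/ Mozilla/5.0 (Windows NT 10.0) Chrome/120
"""

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where a token is "<numeric bot id>:<secret>". Stealers upload loot with send* methods.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(sendDocument|sendMessage|sendPhoto)$")

@dataclass
class Finding:
    ts: str
    src_ip: str
    rule: str
    detail: str

def parse_line(line):
    # User agent is last and may contain spaces, so split at most five times.
    ts, src_ip, method, host, path, ua = line.split(" ", 5)
    return {"ts": ts, "src_ip": src_ip, "method": method, "host": host.lower(), "path": path, "ua": ua}

def check_event(ev):
    findings = []
    if ev["host"] == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(ev["path"])
        if m and ev["method"] == "POST":
            bot_id, _secret, api_method = m.groups()  # keep the bot id for pivoting, never log the secret
            findings.append(Finding(ev["ts"], ev["src_ip"], "telegram_bot_exfil",
                                    f"{api_method} via bot id {bot_id} (token secret redacted)"))
    if ev["host"] == "duckdns.org" or ev["host"].endswith(".duckdns.org"):
        findings.append(Finding(ev["ts"], ev["src_ip"], "dynamic_dns_c2",
                                f"host {ev['host']} path {ev['path']}"))
    return findings

def scan_log(text):
    return [f for line in text.splitlines() if line.strip() for f in check_event(parse_line(line))]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src_ip} [{f.rule}] {f.detail}")
```

Ordinary browser use of web.telegram.org is deliberately not flagged; only Bot API uploads and dynamic DNS hosts match, and both rules should be tuned against a baseline of legitimate use in your environment.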
VIPKeyLogger’s capabilities are extensive, including:
- Keystroke Logging: Records all keystrokes to capture sensitive information like passwords and messages.
- Clipboard Monitoring: Steals copied text data, often containing passwords or sensitive information.
- Screenshot Capture: Takes snapshots of the victim’s screen, potentially exposing confidential documents.
- Browser Data Harvesting: Extracts cookies, browsing history, and session details for further exploitation.
- System Information Collection: Gathers device and geographical information to assist in targeted attacks.
These features make VIPKeyLogger a versatile and dangerous tool in the cybercriminal’s arsenal.
Infostealers like VIPKeyLogger exemplify the growing sophistication of phishing campaigns. The malware’s use of steganography, Telegram for data exfiltration, and DuckDNS for C2 operations highlights the innovative tactics employed by attackers.
“Keyloggers are one of the most common threats in a hacker’s arsenal. They are delivered through phishing campaigns hosting malicious attachments in the form of a lure,” Forcepoint notes.