Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto
Operation DualScript is a sophisticated multi-stage malware campaign targeting cryptocurrency and financial activities. It utilizes Windows Scheduled Tasks, VBScript launchers, and PowerShell execution to maintain persistence while minimizing disk artifacts. The attack operates through two parallel chains: a web-based PowerShell loader deploying a cryptocurrency clipboard hijacker, and a secondary chain executing the RetroRAT implant in memory. RetroRAT monitors user activity, captures keystrokes, and tracks interactions with financial services to harvest sensitive information. The malware employs various anti-analysis techniques and establishes a command-and-control channel for remote access and data exfiltration. This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms.
AI Analysis
Technical Summary
Operation DualScript is a sophisticated, multi-stage malware campaign primarily targeting cryptocurrency users and financial services. It leverages Windows Scheduled Tasks (T1053.005) and VBScript launchers to maintain persistence on infected systems while minimizing disk footprint and forensic artifacts. The campaign operates through two parallel infection chains. The first chain uses a web-based PowerShell loader (T1059.001) to deploy a cryptocurrency clipboard hijacker (T1113), which monitors clipboard data to intercept cryptocurrency wallet addresses and transaction details, redirecting funds to attacker-controlled wallets. The second chain executes the RetroRAT implant entirely in memory (T1055, T1059.005), avoiding disk writes to evade detection. RetroRAT acts as a remote access trojan, capturing keystrokes (T1056.001), monitoring user activity (T1057), and tracking interactions with financial services to harvest sensitive credentials and data. The malware establishes a command-and-control (C2) channel (T1041, T1071) for remote control and data exfiltration. It employs various anti-analysis and obfuscation techniques (T1562.001, T1027) to hinder detection and analysis. The campaign abuses trusted system utilities and living-off-the-land binaries, complicating detection efforts. Indicators of compromise include multiple file hashes and domains such as anycourse.net and thewpiratebay.st. While no CVEs or known exploits are currently associated, the campaign's stealth and targeted financial theft capabilities make it a significant threat to cryptocurrency users and financial institutions.
Potential Impact
The impact of Operation DualScript is primarily financial theft through the interception of cryptocurrency transactions and theft of sensitive financial credentials. By hijacking clipboard data, the malware can redirect cryptocurrency payments to attacker-controlled wallets, resulting in direct monetary loss for victims. The RetroRAT implant's keylogging and user activity monitoring capabilities enable attackers to harvest login credentials, two-factor authentication tokens, and other sensitive data, potentially leading to broader account compromise and fraudulent transactions. The use of in-memory execution and living-off-the-land techniques reduces the likelihood of detection by traditional antivirus and endpoint detection systems, allowing prolonged access and data exfiltration. Organizations involved in cryptocurrency trading, financial services, and users of Windows systems are at risk. The campaign could lead to reputational damage, regulatory penalties, and financial losses. Additionally, the stealthy nature of the malware complicates incident response and forensic investigations, increasing remediation costs and operational disruption.
Mitigation Recommendations
1. Implement strict application whitelisting to prevent unauthorized execution of PowerShell scripts and VBScript launchers, especially those initiated via Windows Scheduled Tasks.
2. Monitor and audit Windows Scheduled Tasks for suspicious or unauthorized entries, focusing on tasks that execute PowerShell or VBScript components.
3. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting in-memory execution, living-off-the-land techniques, and anomalous PowerShell activity.
4. Enable PowerShell logging (Module Logging, Script Block Logging, and Transcription) and regularly review logs for suspicious commands or scripts.
5. Use clipboard monitoring tools or endpoint security solutions that can detect and alert on clipboard hijacking attempts.
6. Restrict PowerShell execution policies to limit script execution to signed and trusted scripts only.
7. Educate users about the risks of clipboard hijacking and encourage verification of cryptocurrency wallet addresses before transactions.
8. Block or monitor network traffic to known malicious domains and IP addresses associated with the campaign's C2 infrastructure.
9. Employ multi-factor authentication (MFA) on all financial and cryptocurrency-related accounts to reduce the risk of credential misuse.
10. Conduct regular threat hunting exercises focusing on indicators of compromise such as the provided file hashes and suspicious domains.
11. Keep all systems and security tools updated to ensure the latest detection capabilities against emerging threats.
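A defender-side check for recommendations 2 and 4 above, written here as an added example (it is not code from this report or from Seqrite): it lists scheduled tasks whose action launches a script host, flags command-line patterns typical of script-based loaders, and reports whether the three PowerShell logging policies are enabled. The script-host and argument lists are my own assumptions rather than indicators from the page; the registry paths are the standard PowerShell policy keys.

```powershell
# Added example (not from the original report). Requires the ScheduledTasks module
# (Windows 8 / Server 2012 and later) and administrative rights to see every task.

# Assumed list of script hosts a scheduled-task loader would invoke.
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
# Assumed argument fragments worth a closer look when they appear in a task action.
$SuspectArgs = '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden',
               'downloadstring', 'iex', 'invoke-expression', 'frombase64string'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe     = [string]$action.Execute      # empty for non-exec actions
            $cmdArgs = [string]$action.Arguments
            # Only report tasks whose executable is one of the script hosts.
            $isHost = $ScriptHosts | Where-Object { $exe -like "*$_*" }
            if (-not $isHost) { continue }
            $flags = $SuspectArgs | Where-Object { $cmdArgs -like "*$_*" }
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                RunAs     = $task.Principal.UserId
                Execute   = $exe
                Arguments = $cmdArgs
                Flags     = ($flags -join ',')       # empty string = host only, no flags
            }
        }
    }
}

function Get-PowerShellLoggingState {
    # Policy keys written by the Group Policy settings named in recommendation 4.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging      -eq 1
        Transcription      = (Get-ItemProperty "$base\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting      -eq 1
    }
}

# Tasks with flagged arguments sort to the top; review Author and RunAs for each hit.
Get-SuspiciousScheduledTask | Sort-Object Flags -Descending | Format-Table -AutoSize
Get-PowerShellLoggingState
```

A task that runs a script host with no flagged arguments is not necessarily malicious (many vendor tasks do this), so treat the Flags column as a triage aid and verify the task's author, run-as principal and script path before acting.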
Affected Countries
United States, Russia, China, South Korea, Japan, Germany, United Kingdom, Canada, Australia, Singapore
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-dualscript-powershell-malware-retrorat-analysis/
- Adversary: null
- Pulse Id: 69cb7349f3c70800ebef7310
- Threat Score: null
Threat ID: 69cc1b98e6bfc5ba1d32c553
Added to database: 3/31/2026, 7:08:08 PM
Last enriched: 3/31/2026, 7:08:25 PM
Last updated: 4/1/2026, 3:53:30 AM