
Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

Medium
Published: Wed Jul 30 2025 (07/30/2025, 15:08:14 UTC)
Source: AlienVault OTX General

Description

A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted and injected into RegSvcs.exe using process hollowing techniques. The VIP keylogger is designed to steal sensitive information by logging keystrokes, capturing credentials from popular web browsers, and monitoring clipboard activity. The campaign employs obfuscation techniques and maintains persistence through a VBS script in the Startup folder. The final payload exfiltrates data through SMTP and communicates with a command and control server.

AI-Powered Analysis

Last updated: 07/30/2025, 15:32:46 UTC

Technical Analysis

This threat describes a sophisticated spear phishing campaign that distributes the VIP keylogger malware via email attachments. The attack vector involves sending a ZIP file containing a malicious executable disguised as a PDF document. Upon execution, the malware runs an AutoIt script that drops two encrypted files onto the victim's system. These files are then decrypted and injected into the legitimate Windows process RegSvcs.exe using process hollowing, a technique that replaces the memory of a legitimate process with malicious code to evade detection. The VIP keylogger is designed to capture sensitive information by logging keystrokes, stealing credentials from popular web browsers, and monitoring clipboard activity. To maintain persistence on the infected system, the malware installs a Visual Basic Script (VBS) in the Startup folder, ensuring it runs on system boot. The malware also uses obfuscation techniques to hinder analysis and detection. Finally, the stolen data is exfiltrated via SMTP email, and the malware communicates with a command and control (C2) server to receive further instructions or updates. Indicators of compromise include specific file hashes and an IP address associated with the C2 infrastructure. Although no CVE or known exploits in the wild are reported, the campaign's use of process hollowing, persistence mechanisms, and data exfiltration techniques makes it a notable threat.

Potential Impact

For European organizations, this spear phishing campaign poses a significant risk to confidentiality and data integrity. The keylogger's ability to capture keystrokes and browser credentials can lead to unauthorized access to corporate accounts, including email, VPNs, and internal systems. Clipboard monitoring may expose sensitive data such as passwords or confidential documents copied by users. The persistence mechanism increases the likelihood of prolonged undetected presence, allowing attackers to maintain access and escalate privileges. Exfiltration via SMTP and C2 communication can result in data leakage, potentially violating GDPR and other data protection regulations, leading to legal and financial repercussions. Organizations with employees who frequently handle sensitive information or use Windows-based systems are particularly vulnerable. The campaign's obfuscation and process hollowing techniques complicate detection by traditional antivirus and endpoint detection systems, increasing the risk of successful compromise.

Mitigation Recommendations

European organizations should implement targeted defenses against this threat beyond generic advice. First, enhance email security by deploying advanced anti-phishing and attachment sandboxing solutions that can detect malicious ZIP files and executables disguised as PDFs. Employ strict attachment filtering policies and user training focused on recognizing spear phishing attempts. Endpoint detection and response (EDR) tools should be configured to monitor for process hollowing behaviors, especially injections into RegSvcs.exe or other legitimate Windows processes. Regularly audit startup folders and scheduled tasks for unauthorized VBS scripts or persistence mechanisms. Implement application whitelisting to prevent execution of unauthorized AutoIt scripts and unknown executables. Network monitoring should include detection of unusual SMTP traffic and connections to suspicious IP addresses such as 51.38.247.67. Multi-factor authentication (MFA) should be enforced to limit the impact of credential theft. Finally, conduct regular threat hunting exercises using the provided file hashes to identify potential infections early and isolate compromised systems promptly.
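As an added example (not code from the Seqrite write-up or the OTX pulse), a small Python hunting script that applies three of the checks above using the indicators listed on this page: MD5 matching of files on disk, .vbs scripts in the Windows Startup folders, and proxy/firewall log lines that reference 51.38.247.67. The Startup folder paths and the log line format are assumptions, and the sample log lines are constructed.

```python
import hashlib
import os
import re
from pathlib import Path

# IoCs taken from the pulse above; the Startup paths are assumed Windows defaults.
IOC_MD5 = {"0b0ae173fabfce0c5fba521d71895726", "f0ad3189fe9076ddd632d304e6bee9e8"}
IOC_IPS = {"51.38.247.67"}
STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def md5_of(path: Path) -> str:
    """Hash a file in chunks so large files do not load fully into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_hash_matches(root: Path, iocs=IOC_MD5) -> list:
    """Walk root and return files whose MD5 is in the IoC set."""
    hits = []
    for p in root.rglob("*"):
        try:
            if p.is_file() and md5_of(p) in iocs:
                hits.append(p)
        except OSError:
            continue  # locked or unreadable file: skip it, do not abort the sweep
    return hits

def find_startup_vbs(dirs=STARTUP_DIRS) -> list:
    """Return .vbs scripts in the Startup folders; each one needs manual review."""
    return [p for d in dirs if d.is_dir() for p in d.glob("*.vbs")]

def find_c2_log_lines(lines, iocs=IOC_IPS) -> list:
    """Return proxy/firewall log lines that mention an IoC IP address."""
    return [ln for ln in lines if iocs & set(IP_RE.findall(ln))]

# Constructed sample firewall log lines (not real traffic); the format is assumed.
SAMPLE_LOG = [
    "2025-07-30T15:08:14Z allow 10.0.0.12:51522 -> 51.38.247.67:80 tcp",
    "2025-07-30T15:08:20Z allow 10.0.0.12:51530 -> 192.0.2.10:443 tcp",
    "2025-07-30T15:09:01Z allow 10.0.0.12:51540 -> 51.38.247.67:443 tcp",
]
if __name__ == "__main__":
    print("C2 log hits:", find_c2_log_lines(SAMPLE_LOG))
    print("Startup .vbs:", find_startup_vbs())
    print("Hash hits under cwd:", find_hash_matches(Path.cwd()))
```

Point `find_hash_matches` at a mounted triage image or user profile rather than the whole system drive to keep the sweep manageable, and treat any hit as a trigger for isolation and deeper forensics rather than proof of the full infection chain.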


Technical Details

Author
AlienVault
Tlp
white
References
https://www.seqrite.com/blog/spear-phishing-campaign-delivers-vip-keylogger-via-email-attachment/
Adversary
null
Pulse Id
688a355ead4c75a9701f25fd
Threat Score
null

Indicators of Compromise

Hash (MD5)

0b0ae173fabfce0c5fba521d71895726
f0ad3189fe9076ddd632d304e6bee9e8

IP

51.38.247.67

Threat ID: 688a379bad5a09ad00a8807b

Added to database: 7/30/2025, 3:17:47 PM

Last enriched: 7/30/2025, 3:32:46 PM

Last updated: 7/31/2025, 10:43:07 AM
