Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
A multi-vector malware campaign was uncovered, initially detected through a suspicious VBS file. The operators use Unicode obfuscation in the scripts and stage payloads inside PNG files to evade detection, delivering several malware families including the XWorm and Remcos remote access trojans. The infrastructure consists of open directories, on attacker-registered domains and on Cloudflare quick tunnels (trycloudflare.com), that host obfuscated VBS scripts, each mapping to a different payload. Delivery is therefore modular: the operators rotate payloads without changing the initial lure or script, which complicates signature-based defence. A secondary vector uses weaponized PDFs and batch scripts. Observed techniques include reflective .NET execution, a UAC bypass, code obfuscation and several persistence methods. The campaign relies on no reported software exploit; initial access is script- and document-based, so the threat rating is medium despite the flexibility of the infrastructure. Defenders should focus on detecting obfuscated scripts, monitoring access to open directories and blocking the payload staging methods used here.
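The page gives no sample of the Unicode obfuscation, so the following Python scorer, added here as an example and not taken from the LevelBlue/SpiderLabs write-up, applies generic lexical heuristics that are assumptions rather than campaign specifics: invisible or bidirectional control characters inside the script body, long runs of non-ASCII text (an encoded payload string), ChrW/AscW decoding calls, and dynamic execution through Execute/ExecuteGlobal/Eval. Both scripts it scores are constructed samples, not files from the campaign, and the weights are starting points to tune against your own script corpus.

```python
import re
import unicodedata

# Code points that are invisible or change text direction. Assumption (not from the
# write-up): these have no legitimate place inside a script body, only in data files.
INVISIBLE = {
    0x200B, 0x200C, 0x200D, 0x200E, 0x200F,           # zero-width space/joiners, LRM/RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,           # bidi embeddings and overrides
    0x2060, 0x2066, 0x2067, 0x2068, 0x2069, 0xFEFF,   # word joiner, isolates, BOM
}
DECODE_RE = re.compile(r"\b(ChrW?|AscW?)\s*\(", re.IGNORECASE)            # char-code decoding
EXEC_RE = re.compile(r"\b(ExecuteGlobal|Execute|Eval)\b", re.IGNORECASE)  # run a built string


def vbs_features(src: str) -> dict:
    """Cheap lexical features of a VBScript body; no parsing or emulation."""
    if src.startswith("\ufeff"):           # a leading BOM is normal for UTF-16/UTF-8 files
        src = src[1:]
    non_ascii = [c for c in src if ord(c) > 0x7F]
    longest = run = 0                      # longest run of consecutive non-ASCII characters
    for c in src:
        run = run + 1 if ord(c) > 0x7F else 0
        longest = max(longest, run)
    # Unicode scripts present, e.g. {"ARABIC", "CJK"}: several unrelated scripts in one
    # file with no localisation purpose is another hint of encoded data.
    scripts = {unicodedata.name(c, "?").split(" ")[0] for c in non_ascii if c.isalpha()}
    return {
        "non_ascii_ratio": len(non_ascii) / max(len(src), 1),
        "longest_non_ascii_run": longest,
        "invisible": sum(1 for c in src if ord(c) in INVISIBLE),
        "scripts": sorted(scripts),
        "decode_calls": len(DECODE_RE.findall(src)),
        "dynamic_exec": bool(EXEC_RE.search(src)),
    }


def score_vbs(src: str) -> dict:
    """Weighted score; the weights and the threshold are assumptions, not campaign data."""
    f = vbs_features(src)
    score = (3 * bool(f["invisible"])
             + 2 * (f["longest_non_ascii_run"] >= 8)
             + 2 * f["dynamic_exec"]
             + 1 * (f["decode_calls"] >= 2)
             + 1 * (f["non_ascii_ratio"] > 0.05))
    f["score"] = score
    f["suspicious"] = score >= 4
    return f


# Constructed benign script: an accented comment is its only non-ASCII content.
BENIGN_VBS = (
    "' Protokoll pr\u00fcfen\n"
    "Dim fso, f\n"
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.OpenTextFile("C:\\logs\\app.log", 1)\n'
    "WScript.Echo f.ReadAll\n"
)

# Constructed obfuscated script: a bidi-override comment hides text from a casual reader,
# the payload is a string of CJK code points decoded with AscW/ChrW, then run by ExecuteGlobal.
OBFUSCATED_VBS = (
    "' \u202e\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645 \u202c\n"
    "Dim s, i, r\n"
    's = "\u4e2d\u4e3c\u4e48\u4e2d\u4e3f\u4e32\u4e2d\u4e2a\u4e4b\u4e00\u4e5d\u4e3a"\n'
    "For i = 1 To Len(s)\n"
    "    r = r & ChrW(AscW(Mid(s, i, 1)) - 19968)\n"
    "Next\n"
    "ExecuteGlobal r\n"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_VBS), ("obfuscated", OBFUSCATED_VBS)):
        print(name, score_vbs(body))
```

Run it over a directory of .vbs files and review anything that scores 4 or more; a localised script with a few accented comments scores zero, which is the false-positive case the ratio and run-length features are there to avoid.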
AI Analysis
Technical Summary
This multi-stage campaign begins with obfuscated Visual Basic Script (VBS) files served from open directories on attacker-controlled hosts. In the indicators below those hosts are the registered domains news4me.xyz, tammhdka.pro (port 5590) and tammhdka.cloud (port 5790), plus several Cloudflare quick-tunnel hostnames under trycloudflare.com, which cost nothing and can be replaced in minutes. The same file names recur across hosts (1NovMA.zip, 1NovST.zip, 1NovSU.bat or 1NovSU.txt, and PH1Nov* variants), which is the modular layout the description refers to: the initial script stays the same while the archive it fetches is swapped, so a new payload never requires a new lure. The VBS files use Unicode obfuscation to defeat signature matching and retrieve payloads embedded in PNG files (the indicator list includes news4me.xyz/uac.png, whose name suggests it carries the UAC bypass component), so a sensor that trusts the image content type sees an ordinary picture download. The .NET payloads are loaded reflectively, in memory, which leaves few on-disk artifacts. Families deployed include XWorm and Remcos, both remote access trojans; the staging path news4me.xyz/protector/johnremcos.txt is consistent with a Remcos stage, and the /invoice/ and /coupon/ directories point to the lure themes. A secondary vector pairs weaponized PDFs with batch scripts. Further techniques are a User Account Control (UAC) bypass, code injection, layered obfuscation and persistence, which align with MITRE ATT&CK T1053.005 (Scheduled Task), T1218.011 (System Binary Proxy Execution: Rundll32) and T1566 (Phishing). Note that T1566.002 is Spearphishing Link, which fits VBS fetched from a hosted directory; a weaponized PDF arriving by mail is T1566.001, Spearphishing Attachment. No software exploit is involved. The sophistication is in delivery and evasion, which is exactly where signature-based controls are weakest.
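An added check for the PNG staging the summary describes (editor-written example code, not tooling from the write-up): it walks the chunk list of a PNG, verifies each CRC, and reports the two places a dropper can park a payload without breaking the image, namely bytes after the IEND chunk and a private ancillary chunk that decoders skip. The sample images are built inside the code; no file from the campaign is used, and the chunk name pyLd is an arbitrary choice.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is unexpected in a real image.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf",
}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a tiny valid 8-bit RGB image (solid red)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter 0 + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def png_with_private_chunk(payload: bytes) -> bytes:
    """Constructed sample: payload parked in an ancillary private chunk ("pyLd") that viewers ignore."""
    clean = make_png()
    idat_at = clean.index(b"IDAT") - 4            # back up over the 4-byte length field
    return clean[:idat_at] + chunk(b"pyLd", payload) + clean[idat_at:]


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report where non-image bytes could be hiding."""
    if not blob.startswith(PNG_SIG):
        return {"valid": False, "reason": "bad signature", "suspicious": True}
    pos, chunks, bad_crc, unknown, trailing, iend = len(PNG_SIG), [], [], [], b"", False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return {"valid": False, "reason": "truncated chunk", "suspicious": True}
        name = ctype.decode("latin-1")
        chunks.append(name)
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            bad_crc.append(name)                   # patched image data, or not an image at all
        if ctype not in KNOWN_CHUNKS:
            unknown.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            iend, trailing = True, blob[pos:]     # a decoder stops here; a loader need not
            break
    return {
        "valid": iend,
        "chunks": chunks,
        "bad_crc": bad_crc,
        "unknown_chunks": unknown,
        "trailing_bytes": len(trailing),
        "trailing": trailing,                     # hand this to a sandbox or hash it against the IOC list
        "suspicious": bool(trailing or unknown or bad_crc or not iend),
    }


if __name__ == "__main__":
    for label, blob in (("clean", make_png()),
                        ("appended", make_png() + b"MZ" + b"\x00" * 42),
                        ("private chunk", png_with_private_chunk(b"payload"))):
        r = inspect_png(blob)
        print(label, r["chunks"], "trailing:", r["trailing_bytes"], "unknown:", r["unknown_chunks"])
```

A proxy or mail gateway that already extracts image/png responses can run this check inline; the cost is one pass over the bytes, and a real photo from a camera or editor rarely carries data after IEND or a chunk type outside the specification.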
Potential Impact
The modular, multi-vector design raises the odds of a successful infection across varied environments, and the obfuscated scripts and image-wrapped payloads are built to pass signature-based antivirus and content filters. Once Remcos or XWorm is running, the operators have interactive remote control: data exfiltration, credential theft, lateral movement and the staging of further malware or ransomware are all within reach. Because payloads can be rotated without changing the delivery script, a signature written for last week's archive does not catch this week's, which prolongs dwell time. The UAC bypass matters where the victim is a local administrator working at medium integrity: there it yields a high-integrity process without a prompt, which is what the persistence and injection steps need; a standard-user account gives the bypass nothing to elevate. Reflective .NET loading keeps the final stage off disk, so file-based forensics may recover only the script and the PNG. Overall risk is medium to high for any organisation whose users can run scripts delivered by mail or download.
Mitigation Recommendations
Detection should centre on script and process behaviour rather than file signatures, because the operators rotate payloads and hosts while keeping the lure. Concrete controls:
- Restrict Windows Script Host where it is not needed. The kill switch is the Enabled value (REG_DWORD 0) under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings (per user under HKCU). Where WSH must stay, change the default handler for .vbs and .js so a double-click opens an editor rather than wscript.exe, and enable the Defender attack surface reduction rules "Block JavaScript or VBScript from launching downloaded executable content" and "Block execution of potentially obfuscated scripts".
- On endpoints, alert when wscript.exe, cscript.exe or a process they spawn loads the CLR (clr.dll or clrjit.dll; Sysmon event ID 7), and when PowerShell started from a script host calls Assembly.Load on a byte array (script block logging, event ID 4104); both are the reflective .NET stage described above.
- Watch for UAC bypass behaviour: an auto-elevating Microsoft binary started from a user-level script host that then spawns a high-integrity child process.
- On the network, alert on downloads from *.trycloudflare.com and from hosts on non-standard ports such as the 5590 and 5790 seen here, on image/png responses whose bytes do not parse as a well-formed PNG (data after IEND, chunk types outside the specification), and on archive, .bat or .txt downloads from directories that expose listings.
- Block or detonate weaponized PDFs at the mail gateway, particularly those with launch actions or embedded files.
- Audit your own web-facing directories so that directory listing is disabled and upload paths are restricted; the open-directory layout the attackers use is exactly what an intruder sets up on a compromised host.
- Keep indicator feeds current and train users on the invoice and coupon lures that the staging paths (/invoice/, /coupon/) suggest.
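The network item above is easy to get wrong when matching the indicator list literally, because the source stores one URL path in IDNA form. This added Python example (editor-written, not tooling from the write-up) normalises URLs before matching: it lower-cases the host, drops default ports, decodes xn-- labels in both host and path with Python's punycode codec, strips stray trailing punctuation, and then scores proxy log lines against a subset of the indicators on this page plus two generic rules (any trycloudflare.com quick tunnel, and the non-standard ports 5590 and 5790). The log lines are constructed, and the field layout (timestamp, client, method, URL, status, content type) is an assumption about your proxy format.

```python
import codecs
from urllib.parse import urlsplit

# Subset of the indicators on this page, copied verbatim. The xn-- entry is how the source
# stored a path segment that contained a non-ASCII character.
IOC_URLS = {
    "http://news4me.xyz/uac.png",
    "https://news4me.xyz/uac.png",
    "https://news4me.xyz/protector/johnremcos.txt",
    "http://news4me.xyz/protector/johnremcos.xn--txt-9o0a",
    "http://tammhdka.pro:5590/1NovMA.zip",
    "http://tammhdka.cloud:5790/PHNovSU.bat",
    "http://css-direct-excel-highlights.trycloudflare.com/1Nov20SU.bat",
}
IOC_DOMAINS = {"news4me.xyz", "tammhdka.cloud", "tammhdka.pro"}
SUSPECT_PORTS = {5590, 5790}                 # non-standard ports used by the staging hosts
TRAILING_JUNK = "\u201c\u201d\"'),.;>"       # quote/punctuation residue from copy-paste extraction


def decode_label(label: str) -> str:
    """Decode one IDNA label (xn--...) to Unicode; anything undecodable is returned unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    except UnicodeError:
        return label


def normalize(url: str):
    """(host, port, path): lower-cased host, default ports dropped, IDNA labels decoded in
    host and path alike, stray trailing punctuation removed from the path."""
    p = urlsplit(url.strip())
    host = ".".join(decode_label(l) for l in (p.hostname or "").lower().split("."))
    path = "/".join(".".join(decode_label(l) for l in seg.split(".")) for seg in p.path.split("/"))
    path = path.rstrip(TRAILING_JUNK) or "/"
    port = p.port if p.port not in (None, 80, 443) else None
    return host, port, path


def key(url: str) -> str:
    host, port, path = normalize(url)
    return f"{host}:{port}{path}" if port else f"{host}{path}"


IOC_KEYS = {key(u) for u in IOC_URLS}


def classify(url: str) -> list:
    """Reasons a request is interesting; an empty list means no match."""
    host, port, _ = normalize(url)
    reasons = []
    if key(url) in IOC_KEYS:
        reasons.append("url-ioc")
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("domain-ioc")
    if host.endswith(".trycloudflare.com"):
        reasons.append("quick-tunnel")       # review, do not auto-block: quick tunnels also see legitimate dev use
    if port in SUSPECT_PORTS:
        reasons.append(f"port-{port}")
    return reasons


# Constructed proxy log: timestamp, client, method, URL, status, content type.
SAMPLE_LOG = """\
2026-03-02T09:12:03Z 10.0.4.21 GET http://news4me.xyz/uac.png 200 image/png
2026-03-02T09:12:05Z 10.0.4.21 GET https://news4me.xyz/protector/johnremcos.txt 200 text/plain
2026-03-02T09:15:40Z 10.0.4.33 GET http://tammhdka.pro:5590/1NovST.zip 200 application/zip
2026-03-02T09:16:02Z 10.0.4.33 GET http://adapter-chess-gently-residential.trycloudflare.com/okl 200 text/plain
2026-03-02T09:20:11Z 10.0.7.8 GET https://www.example.com/news/index.html 200 text/html
"""


def scan(log_text: str) -> list:
    """Return (url, reasons) for every log line that matches at least one rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        reasons = classify(parts[3])
        if reasons:
            hits.append((parts[3], reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons).ljust(22), url)
```

The third log line is the instructive one: its archive name is not in the list, but the host and the port are, so it still surfaces; and the two johnremcos entries collapse to a single key, which is why the decoded path, not the raw string, is what should go into a blocklist.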
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, South Korea, India, Brazil, Italy, Netherlands
Indicators of Compromise
The source pulse labels every digest simply as "hash"; the type below is inferred from length (32 hex characters MD5, 40 SHA-1, 64 SHA-256). Treat the trycloudflare.com hostnames as short-lived: a quick tunnel gets a new random name each time it is started, so those entries age quickly, while the registered domains and the file-name pattern (*MA.zip, *ST.zip, *SU.bat or *SU.txt) are the more durable indicators.
MD5
- hash: 03e939a5a929151fc6fa3cf5df19db37
- hash: 2084e1465c6495a23f922078e96bbd70
- hash: a42f5ad4ce4ef2a52a37cc8a08f614b6
- hash: bde1b4cf5f7432c4e653370de5887eff
- hash: da1ce5fc73a517ab186d73cb62e15350
- hash: ef0b945688626e76c14d7488db5a2356
- hash: f1b91ad94ab2594b823298618ff87716
- hash: fdb03d8dd4c4b1f3a8a5e398125c3a12
SHA-1
- hash: 08e3321955194964bd1e3784691e2d62055f6860
- hash: 0e4dbc00d72f228afe9ee58499f70f3f9bbfcebe
- hash: 0fa5b16ed45922637cdaadca8082e329b8775732
- hash: 1966478c5568ef90ffc1d55ce09192e1a9e774c5
- hash: 1e0ab184a8941ab4d5e3552237061019a06b3cca
- hash: 1e832ae194be28692c669b9a3f5a5255d3022b5b
- hash: 1fb396bbf73735b90e521eb5534c97d5cc049d99
- hash: 274ed28bd083feb5600297a1728a4063d6b415ad
- hash: 2d7114685313f9a6045ccb19c2a4d194398d567b
- hash: 314b42be5ce942dd1c3d0bddb0cc6e0cdcb1acad
- hash: 3aef7e2d1baa433579b644a81fc080c541f3e7d2
- hash: 40634fc36fbe0d2903a9ac319ff7fd22ce4a7ace
- hash: 48f9d6a325afd0daa9cbd6e05a65c0b46fa8f536
- hash: 4e23a77ec70a27941be891433cff5b56d290d8b1
- hash: 51b25f39a4367484c673a2bce38efd95de1cbbd5
- hash: 5f57b08104cd8961a231f514d3ffaad3f873e3d6
- hash: 63a7cc185c023c2e52519df9aa530fb2c35a2d8f
- hash: 69fe62c8af8eefddf48eef454929c4fae7f2f2a6
- hash: 77429c27de47d09ac51bc4c5f44329fe823ad01c
- hash: 810afcebb23642b681d151a81fdcca3fcc43f96a
- hash: 84fdff23b056633b43cc7375d792c4c100a606ec
- hash: 86746d0ad3acfa0e90b7691ccf675dd57af40013
- hash: 905578853c8880da35d97e599cb0168cf3bf74f8
- hash: 961c4c69cfaca6f085a67cd5ee3a4b7b5dc4422f
- hash: 98cdfb464d8a98e07479909dd1db04eec849e94e
- hash: 9b90e2c49b52620531a75d4f23dd48da25670e03
- hash: 9c0e9d1bde0aa69374b4c7301fb53d0e47ab7ade
- hash: a27315ce27675e953aec70a7639e2ea3f77b7159
- hash: a4a3d9ac1df13736a29a615fc86b5f3835aba11d
- hash: a5513a9367daf2dbb780d17f2a9302686c7ad3d5
- hash: a55d61fb7fe814afeab4f4d7f42be4cf60609414
- hash: a97f124854c8ddd7b52a7669a51c22b7a021ee78
- hash: bfc6dbb94f02f7a61145f86e550015f75d5829b6
- hash: c214e2cde87d614daceb2cdcbf4ff88fa24a1d43
- hash: c72921d080ea0273f54b8cf2f7ef1241cca16d71
- hash: c76ca312e44a02a9713062eb90410c3008819727
- hash: c871213fd20404fb5b48a1e4d4b256f3bffbfcd9
- hash: ca00bb814bb7ab92c738dc10362a06b7aaf9247e
- hash: d2888b491eb772daf92575245f352146b9d9d8f2
- hash: d450e39c688b5ad83666ab770c44c6feb2374a76
- hash: de7e91b62651355d43da56ed468dd6e92118192c
- hash: e05701bf93c9032b5714774507c3b026a51f4fea
- hash: e52683b9c41e8de19fd6c213ed0c960ec1b6c5b1
- hash: e8a5dbeb166ca201b24a9d68b6d5cd0f10744491
- hash: eaedebdc23056fa4964a75d35bf20f9dd179a582
- hash: f66364a3566d48e0588237e288003c541ae0fd73
- hash: f8f63c1c20bacc97925a9c86c6e4b887cdd11631
- hash: ff3512c52e34b7fad458d632f347a37f32a671fd
- hash: ffe9a4a3daaa5773e324014d0282d4c6bbbc1da2
SHA-256
- hash: 1a29369cec47d6e6869ac2d9f26816ce39dc0ac5ce3efd3659ebc07ea79cb394
- hash: 52bf386db3b8f83753c6139f3dd4cb0246f653a99a3204924264f559cd697e8c
- hash: 6d85d3af63298e0a5fa48a535f54051ae1972dd7966582c4adea6265103fd343
- hash: 7bba0bcd5c0eb4be1bf21c85c42d08adbba8ed199c723fd76af1260b6a342603
- hash: 8bee97b8b8303cdcba30a30381ac8efc193219c063a63fd82b9eeaa96edab559
- hash: 9389993d790c453c1beeb36a34fcd3f5bc2f7a9229d6e85abcc363624466d251
- hash: b6a55f7559d7a91b2a49a1916794f7b80078bc94f1dd48a360b6a7cc22486d8f
- hash: bfebdbb203eaa3e07a098a2dc89951f52c8d902abe551f7ad54f632b44b13ddb
URL
The entry johnremcos.xn--txt-9o0a is the IDNA (punycode) encoding of johnremcos.txt followed by U+201D, a typographic closing quote that was evidently swallowed when the URL was extracted from the write-up; match on the plain johnremcos.txt path (also listed) as well as the encoded form.
- url: http://bacteria-spent-endless-grammar.trycloudflare.com/okl
- url: http://css-direct-excel-highlights.trycloudflare.com/1Nov20MA.zip
- url: http://css-direct-excel-highlights.trycloudflare.com/1Nov20ST.zip
- url: http://css-direct-excel-highlights.trycloudflare.com/1Nov20SU.bat
- url: http://news4me.xyz/coupon/
- url: http://news4me.xyz/invoice/
- url: http://news4me.xyz/protector/
- url: http://news4me.xyz/protector/johnremcos.xn--txt-9o0a
- url: http://news4me.xyz/uac.png
- url: http://shirts-june-gratis-repository.trycloudflare.com/1Nov20MA.zip
- url: http://shirts-june-gratis-repository.trycloudflare.com/1Nov20ST.zip
- url: http://shirts-june-gratis-repository.trycloudflare.com/1Nov20SU.txt
- url: http://tammhdka.cloud:5790/PH1NovMA.zip
- url: http://tammhdka.cloud:5790/PH1NovST.zip
- url: http://tammhdka.cloud:5790/PHNovSU.bat
- url: http://tammhdka.pro:5590/1NovMA.zip
- url: http://tammhdka.pro:5590/1NovST.zip
- url: http://tammhdka.pro:5590/1NovSU.txt
- url: https://news4me.xyz/protector/johnremcos.txt
- url: https://news4me.xyz/uac.png
Domain
The entry grammar.trycloudflare.com is a suffix of bacteria-spent-endless-grammar.trycloudflare.com and looks like an extraction fragment rather than a separate tunnel; it is listed here as the source gives it.
- domain: news4me.xyz
- domain: tammhdka.cloud
- domain: tammhdka.pro
- domain: adapter-chess-gently-residential.trycloudflare.com
- domain: aye-knights-copyrights-nominations.trycloudflare.com
- domain: bacteria-spent-endless-grammar.trycloudflare.com
- domain: css-direct-excel-highlights.trycloudflare.com
- domain: grammar.trycloudflare.com
- domain: shirts-june-gratis-repository.trycloudflare.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure
- Adversary: none listed
- Pulse Id: 69c2502fe450207e3f4855c3
- Threat Score: none listed
Threat ID: 69c27606f4197a8e3b2a0df1
Added to database: 3/24/2026, 11:31:18 AM
Last enriched: 3/24/2026, 11:46:02 AM
Last updated: 3/24/2026, 1:22:48 PM