
Unmasking the Infrastructure of a Spear‑phishing Campaign

Severity: Medium
Published: Wed Jun 11 2025 (06/11/2025, 09:40:24 UTC)
Source: AlienVault OTX General

Description

Censys researchers uncovered a spear‑phishing campaign where threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how attackers set up these public-accessible directories to store malicious scripts, the obfuscation techniques employed, and the infrastructure's lifecycle.

AI-Powered Analysis

AI analysis last updated: 07/12/2025, 05:46:21 UTC

Technical Analysis

Researchers from Censys have uncovered a spear-phishing campaign infrastructure that relies on a cluster of 16 publicly accessible open directories hosting heavily obfuscated Visual Basic Script (VBS) files. These directories serve as the storage and distribution points for the malicious scripts used in the campaign. The attackers employ advanced obfuscation techniques to conceal the true nature and functionality of the VBS payloads, complicating detection and analysis. The infrastructure lifecycle covers setting up the open directories, uploading the obfuscated scripts, and leveraging them in targeted spear-phishing attacks.

The tags associated with this campaign indicate the use of multiple Remote Access Trojans (RATs), namely Remcos, LimeRAT, DCrat and AsyncRAT, which are known for their remote control, data exfiltration and persistence capabilities. The campaign maps to the following MITRE ATT&CK techniques: T1113 (Screen Capture), T1571 (Non-Standard Port), T1027.003 (Obfuscated Files or Information - Visual Basic), T1059.005 (Command and Scripting Interpreter - Visual Basic), T1566.001 (Spearphishing Attachment) and T1590 (Gather Victim Network Information).

Although no known exploits in the wild have been reported, the infrastructure's public accessibility and its use of obfuscated scripts pose a significant risk of enabling targeted attacks. The absence of affected software versions indicates that this is an infrastructure- and technique-based threat rather than a vulnerability in a specific product. The reliance on spear-phishing attachments and obfuscated VBS scripts underlines the importance of user awareness and robust email security controls. Overall, this is a sophisticated spear-phishing operation that uses publicly exposed infrastructure to distribute obfuscated malware payloads capable of remote access and data theft.

Potential Impact

For European organizations, this spear-phishing campaign poses a medium-level risk primarily through targeted social engineering attacks that can lead to remote compromise via RATs. Successful exploitation could result in unauthorized access to sensitive data, espionage, intellectual property theft, and potential lateral movement within networks. The use of obfuscated VBS scripts complicates detection by traditional antivirus and endpoint protection solutions, increasing the likelihood of successful infection. Organizations in sectors with high-value data or strategic importance, such as government, finance, critical infrastructure, and technology, are particularly at risk. The public availability of the infrastructure means the campaign can be scaled or adapted rapidly, increasing exposure. Additionally, the use of multiple RAT families suggests attackers may tailor payloads to specific targets or objectives, increasing the sophistication and potential damage. Disruption to operations, reputational damage, and regulatory consequences under GDPR for data breaches are possible impacts for European entities. The medium severity reflects the need for vigilance but also acknowledges that exploitation requires user interaction (opening spear-phishing attachments) and does not exploit zero-day vulnerabilities.

Mitigation Recommendations

1. Implement advanced email filtering solutions capable of detecting and blocking spear-phishing attachments, especially those containing obfuscated scripts such as VBS files.
2. Deploy endpoint detection and response (EDR) tools with behavioral analysis to identify suspicious script execution and RAT activity beyond signature-based detection.
3. Conduct regular user awareness training focused on recognizing spear-phishing attempts and the risks of opening unsolicited attachments, particularly VBS files.
4. Restrict execution of scripts from user directories and network shares using application control policies such as Microsoft AppLocker or Windows Defender Application Control.
5. Monitor network traffic for unusual outbound connections, especially to non-standard ports or to known RAT command and control infrastructure.
6. Regularly audit and secure public-facing infrastructure to prevent attackers from leveraging open directories or misconfigured services.
7. Employ threat intelligence feeds to stay updated on emerging indicators related to this campaign and proactively block associated IPs or domains.
8. Enforce the principle of least privilege to limit the impact of potential compromises, and segment networks to contain lateral movement.
9. Use multi-factor authentication (MFA) to reduce the risk of credential theft being exploited after an initial infection.
10. Establish incident response plans tailored to malware infections involving RATs and spear-phishing to enable rapid containment and remediation.
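The following Python script is an added example (not part of the pulse or the Censys research) of how recommendations 5 and 7 can be turned into a concrete check: it loads the IP, URL and DuckDNS domain indicators published in this pulse's IoC tables and runs them over firewall egress and DNS query logs. The log line formats, the sample log lines, and the allowlist of expected egress ports (used to flag the T1571 non-standard port behaviour) are constructed assumptions for the demonstration; only the indicator values come from the page.

```python
"""IoC matching over constructed firewall and DNS log lines (added example).

Indicator values are copied from the pulse's IoC tables. The log formats,
sample lines and expected-port allowlist are assumptions for the demo.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the pulse: C2 IPs, C2 URLs (host:port) and DuckDNS domains.
IOC_IPS = {
    "154.26.154.57", "186.169.80.199", "193.142.146.50", "193.23.3.29",
    "213.199.55.238", "213.209.150.22", "216.250.253.13", "45.141.233.60",
    "78.142.18.221", "89.117.77.234",
}
IOC_URLS = [
    "http://154.26.154.57:2404", "http://186.169.80.199:1515",
    "http://193.142.146.50:2404", "http://193.23.3.29:2404",
    "http://213.199.55.238:5555", "http://213.209.150.22:55140",
    "http://216.250.253.13:2404", "http://45.133.180.26:3010",
    "http://45.141.233.60:55330", "http://78.142.18.221:2401",
    "http://89.117.77.234:2404",
]
IOC_DOMAINS = {
    "dcupdate.duckdns.org", "dgflex.duckdns.org", "gotemburgoxm.duckdns.org",
    "purelogs2025.duckdns.org", "rem25rem.duckdns.org", "remc21.duckdns.org",
    "romanovas.duckdns.org", "sosten38999.duckdns.org", "trabajonuevos.duckdns.org",
}
# (host, port) pairs derived from the URLs. One URL host (45.133.180.26) is not in
# the IP table, so the host set is built from both sources.
IOC_ENDPOINTS = {(u.hostname, u.port) for u in map(urlsplit, IOC_URLS)}
IOC_HOSTS = IOC_IPS | {host for host, _ in IOC_ENDPOINTS}

# Assumption: egress from workstations is expected only on these ports; any other
# destination port is reported as non-standard (MITRE ATT&CK T1571).
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}

# Assumed (constructed) log formats: a firewall egress record and a DNS query record.
FW_RE = re.compile(r"^(?P<ts>\S+) FW action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS client=(?P<src>[\d.]+) query=(?P<qname>\S+)$")


def classify(line):
    """Return the findings for one log line; an empty list means nothing suspicious."""
    findings = []
    m = FW_RE.match(line)
    if m:
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in IOC_ENDPOINTS:          # exact C2 host:port from the pulse
            findings.append(f"ioc_endpoint {dst}:{dport}")
        elif dst in IOC_HOSTS:                     # known host, different port
            findings.append(f"ioc_ip {dst}")
        if dport not in EXPECTED_EGRESS_PORTS:     # T1571 heuristic (assumed allowlist)
            findings.append(f"nonstandard_port {dport}")
        return findings
    m = DNS_RE.match(line)
    if m:
        qname = m["qname"].rstrip(".").lower()     # normalise trailing dot and case
        if qname in IOC_DOMAINS:
            findings.append(f"ioc_domain {qname}")
        elif qname.endswith(".duckdns.org"):       # same dynamic-DNS provider: review, not an IoC
            findings.append(f"dyndns_domain {qname}")
    return findings


def scan(lines):
    """Map line index -> findings, keeping only lines that produced a finding."""
    results = {}
    for idx, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results[idx] = findings
    return results


# Constructed sample log lines: a C2 hit, benign HTTPS, a DuckDNS IoC lookup, a known
# host on an unexpected port, and an unknown host on a high port.
SAMPLE_LOGS = [
    "2025-06-11T09:40:01Z FW action=allow src=10.0.0.15 dst=193.23.3.29 dport=2404",
    "2025-06-11T09:40:02Z FW action=allow src=10.0.0.15 dst=142.250.74.46 dport=443",
    "2025-06-11T09:40:03Z DNS client=10.0.0.15 query=remc21.duckdns.org.",
    "2025-06-11T09:40:04Z FW action=allow src=10.0.0.22 dst=45.133.180.26 dport=8080",
    "2025-06-11T09:40:05Z FW action=deny src=10.0.0.22 dst=198.51.100.7 dport=55140",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOGS).items():
        print(f"{SAMPLE_LOGS[idx]}  ->  {', '.join(findings)}")
```

The host-only match on `IOC_HOSTS` matters because RAT operators rotate listener ports on the same server; the `nonstandard_port` finding is deliberately kept separate from the IoC findings so it can be tuned per network segment without losing the high-confidence hits.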


Technical Details

Author: AlienVault
TLP: white
References: none listed
Adversary: none listed
Pulse Id: 68494f081b7474f8fb19f291
Threat Score: none

Indicators of Compromise

Hash (Value | Description)

MD5
1e768bd3a48253dd4b61c0ffead91488 | MD5 of 657e021f0dfdd8c628a428a824da278d14d674aefd248f86a58f5bbe4472f0dc
3aabc215331102df8f2a93ce097d37db | MD5 of b7d205a1560b07a92d744053744c29823064e2c415a71887fccd8524a3cad3fb
7c49b97157ded99194130320e884c697 | MD5 of d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5
d867cb352bc3d5854f18282d03f191ef | MD5 of 4297de28d569560bf2cd287e1a44771ec4f8deac993cb69b54b36fa497af52d3

SHA1
0012bb17a84a2ef674f69c1373e2868f6e3d6811 | SHA1 of d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5
0592a174dcc1420909aa22c7f0641602d2ac4a2f |
2a8ab6d18d53f25f826cb0cefbda28a7a61c2f77 |
4fd7a9efb3b42ecd8931f799fe6a821f2dc7b136 | SHA1 of b7d205a1560b07a92d744053744c29823064e2c415a71887fccd8524a3cad3fb
662da402d2a6e13e0cbc8792b84a7c4a8fe2fba7 | SHA1 of 4297de28d569560bf2cd287e1a44771ec4f8deac993cb69b54b36fa497af52d3
9963a857a61525ee23bb8727a0b8ad8f4c09b162 |
e067e30dd07a1b1cd1041834a0e304883b3de83a | SHA1 of 657e021f0dfdd8c628a428a824da278d14d674aefd248f86a58f5bbe4472f0dc

SHA256
06469b3dd05621ecca3f37422c35d29a9225247b518e88788ae5b2d36d6ad765 |
147d83d58ba5ab7429dea557c9d5579a609b8d460522a745b841ee22e73c5b33 |
274db7b7ec6f0e233a791b06f00bf82fe570a6869ed7df804e5b3e47006c3763 |
319a560130015fa1c53149234321ba5313e5a93f06de6675f5da4a8c2dfa1cf1 |
3a98f55acd11e08e9a8090f8955bc51cb7de692c865074f9f5a68de813860df2 |
41781819707c4d4b0173d63da71b0c3b7b2ae8794b08c4cc26dc201e1adb5f0f |
4297de28d569560bf2cd287e1a44771ec4f8deac993cb69b54b36fa497af52d3 |
474ce68f3ade2dd6a215ea7ae6d5d9fb6a1298bdda55417e9ed58ca8ad143955 |
4ff7dc3005e7c33836c224ef8715ab09280d0d2c4e0c441e19bd59bc3af6b7b9 |
59339b7d2ca67b55eef533e66eede5cda4b6b62e5823786ef881d387dff902a5 |
657e021f0dfdd8c628a428a824da278d14d674aefd248f86a58f5bbe4472f0dc |
7dde62518fe19b2e6c8a17b29339e7c11f655da8adfbfc8d1c6d499c967f0a15 |
81d75922646f0d7fab2613307117867cba27e9c71c3f57d8ca6627666df709c7 |
95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed |
ad8ff8bba2c5ebc9781993dd7512f904b4acd65337e134951ed47432ceb554a2 |
b07d45eff14b4f083365d736010157724ac0e2f89770aece807fe67fa59ef7ce |
b0ae166bcd563139925f2203f90e31efd0b067cf16fcce390a0e149f57d4c94d |
b7d205a1560b07a92d744053744c29823064e2c415a71887fccd8524a3cad3fb |
bc017dce8d74cef666069fa07d66e3f1ea952d0b1a0e50f51a8cc3b920da0966 |
bf7fd17c0c92daa075224804a037b5940872ac4011f161e49bc0c790bbfa7d43 |
cfb58601339563b1fc1ecf3f9db1ce704e515cad7eacacf69a7e88704646304f |
d5095fc28d9b189698d2feebe96eceb5ee9d31877a0f2ed970356ff079455d73 |
d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5 |
ed6643adcd866ebe085c51be955c632a8fce08efce99cf87f8a42dcf1e5ef36a |

IP (Value | Description)

154.26.154.57 | CC=US ASN=AS141995 contabo asia private limited
186.169.80.199 | CC=CO ASN=AS3816 colombia telecomunicaciones s.a. esp
193.142.146.50 | CC=NL ASN=AS208046 maximilian kutzner
193.23.3.29 | CC=DE ASN=AS207083 hostslim b.v.
213.199.55.238 | CC=CA ASN=AS9009 m247 ltd
213.209.150.22 | CC=TR ASN=AS39144 redes digitales de telecomunicacion en internet sl
216.250.253.13 | CC=US ASN=AS396073 majestic hosting solutions llc
45.141.233.60 | CC=BG ASN=AS25211 euro crypt eood
78.142.18.221 | CC=NL ASN=AS208046 maximilian kutzner
89.117.77.234 | CC=LT ASN=none

URL (Value)

http://154.26.154.57:2404
http://186.169.80.199:1515
http://193.142.146.50:2404
http://193.23.3.29:2404
http://213.199.55.238:5555
http://213.209.150.22:55140
http://216.250.253.13:2404
http://45.133.180.26:3010
http://45.141.233.60:55330
http://78.142.18.221:2401
http://89.117.77.234:2404

Domain (Value)

dcupdate.duckdns.org
dgflex.duckdns.org
gotemburgoxm.duckdns.org
purelogs2025.duckdns.org
rem25rem.duckdns.org
remc21.duckdns.org
romanovas.duckdns.org
sosten38999.duckdns.org
trabajonuevos.duckdns.org

Threat ID: 684953df9ea7c3ca70af04f5

Added to database: 6/11/2025, 10:01:03 AM

Last enriched: 7/12/2025, 5:46:21 AM

Last updated: 8/14/2025, 5:37:29 PM
