VYPR Research · Published May 28, 2026 · 1 source

VIP Keylogger Spreads via Phishing Emails Disguised as Business Documents, Researchers Warn

Attackers are distributing VIP Keylogger through phishing emails disguised as bank payment notifications and procurement orders, using steganography and multi-stage loaders to evade detection.

Hackers are using deceptive phishing emails dressed up as routine business documents to spread a dangerous malware strain known as VIP Keylogger. The campaign has been active for months, with attackers showing no signs of slowing down. Researchers from the Splunk Threat Research Team (STRT) published a detailed analysis of the malware, noting that VIP Keylogger campaigns have leaned heavily on social engineering tactics over the past several months.

The infection begins with one of three script file types: a Visual Basic Script (.vbs), a JavaScript file (.js), or a batch script (.bat). Each loader is heavily obfuscated using junk code padding, hex encoding, and AES-encrypted PowerShell stagers to slip past security scans. The .vbs loader hides its malicious payload in the middle of the file, sandwiched between large blocks of meaningless code. Once decoded, it passes execution to a PowerShell stager that is written to a hidden environment variable called INTERNAL_DB_CACHE before running.

One of the most creative tricks in VIP Keylogger's playbook is steganography, where malicious code is hidden inside what appear to be ordinary image files. The PowerShell stager downloads two .png files from a remote server, each secretly carrying encoded components of the final payload. Only after those images are decoded does the actual keylogger emerge and get injected into a legitimate Windows process called aspnet_compiler.exe.
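The article does not say how the two .png files carry their payload components, so the following is not STRT's extraction logic; it is an added defender-side triage check, written for this page, that parses a PNG's chunk table and reports the two structural anomalies most often seen when image files are repurposed as carriers: bytes appended after the IEND chunk, and chunk types outside the standard set. The sample image and the appended blob are constructed inline; nothing is decoded or executed.

```python
"""Structural triage of a PNG suspected of carrying a hidden payload.

Added example (not from the STRT research). It reports bytes trailing the IEND
chunk and chunk types outside the standard PNG set. It never decodes a payload.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Standard critical and ancillary chunk types; anything else is worth a look.
EXPECTED_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
    b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"tIME", b"sBIT",
    b"sPLT", b"hIST",
}


def triage_png(data: bytes) -> dict:
    """Walk the chunk table and collect structural findings."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return {"valid": False, "chunks": [], "trailing_bytes": 0,
                "findings": ["not a PNG signature"]}
    pos = len(PNG_SIGNATURE)
    chunks = []
    seen_iend = False
    while pos + 8 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            break
        # CRC covers the type field and the body, not the length.
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype not in EXPECTED_CHUNKS:
            findings.append(f"unexpected chunk type {ctype!r} ({length} bytes)")
        chunks.append((ctype, length))
        pos += 12 + length
        seen_iend = ctype == b"IEND"
    trailing = len(data) - pos if seen_iend else 0
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return {"valid": seen_iend, "chunks": chunks,
            "trailing_bytes": trailing, "findings": findings}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC-32 of type+body."""
    crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    return struct.pack(">I", len(body)) + ctype + body + crc


def build_sample_png(trailing: bytes = b"", extra=None) -> bytes:
    """Constructed 1x1 grayscale PNG for the demo.

    `trailing` is appended after IEND; `extra` is an optional (type, body)
    chunk inserted before IEND. Both are test fixtures, not real samples.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                      # filter byte + pixel
    parts = [PNG_SIGNATURE, _chunk(b"IHDR", ihdr), _chunk(b"IDAT", idat)]
    if extra:
        parts.append(_chunk(*extra))
    parts.append(_chunk(b"IEND", b""))
    return b"".join(parts) + trailing


if __name__ == "__main__":
    for label, img in (("clean", build_sample_png()),
                       ("trailing", build_sample_png(trailing=b"constructed-opaque-blob" * 4)),
                       ("extra chunk", build_sample_png(extra=(b"xYzq", b"\x00" * 16)))):
        print(label, triage_png(img)["findings"])
```

Treat this as a triage aid rather than a detector: a component encoded inside legitimately structured pixel data, which is what the term steganography usually implies, passes this check cleanly. What the check does catch cheaply is the lazier carrier pattern, and a clean result simply means the file deserves the slower analysis rather than none.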

Once installed, VIP Keylogger captures every keystroke, takes periodic screenshots of the desktop, steals saved passwords and cookies from dozens of popular browsers, and scans the Windows registry for Outlook credentials. It also monitors clipboard content in real time, silently replacing any copied cryptocurrency wallet addresses with ones controlled by the attacker. The malware contacts multiple command-and-control servers to send stolen data, including through a Telegram bot.

STRT collected and analyzed more than 200 VIP script loader samples captured between March and April 2026, using data sourced from VirusTotal. The research provides a detailed look at one of the more persistent malware families currently targeting Windows users worldwide. The malware also checks the victim's IP address against known sandbox environments to avoid analysis, and deletes itself from disk after execution to cover its tracks.

STRT recommends monitoring registry changes tied to the UserInitMprLogonScript key, flagging PowerShell scripts that combine environment variables with dynamic execution commands, and watching for unusual processes launched from script-based parent processes. Security teams should also watch for DNS queries directed at Telegram's API domain, which can indicate active malware-driven data exfiltration. Keeping systems patched, training staff to recognize phishing emails, and enabling PowerShell script block logging are practical first steps any organization can take to limit exposure to this active and evolving threat.
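The four STRT recommendations above translate directly into detection rules. The block below is an added example written for this page, not Splunk's own detection content: it runs those rules over a handful of constructed endpoint events. The event dictionaries and their field names (`type`, `image`, `parent_image`, `command_line`, `key`, `query`) are assumptions modelled loosely on Sysmon-style telemetry, the registry path HKCU\Environment is the known location of the UserInitMprLogonScript value, and api.telegram.org is the known Telegram Bot API host; the INTERNAL_DB_CACHE variable name comes from the article.

```python
"""Detection rules for the STRT recommendations, run over constructed events.

Added example, not Splunk's detection content. Event field names are assumed
(Sysmon-like); the sample events are constructed, not real telemetry.
"""
from __future__ import annotations
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}     # script-based parents
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TELEGRAM_API = "api.telegram.org"                             # Telegram Bot API host
LOGON_SCRIPT_KEY = "userinitmprlogonscript"                   # value under HKCU\Environment
# An environment-variable reference ($env:NAME or %NAME%) ...
ENV_VAR = re.compile(r"\$env:[A-Za-z_]\w*|%[A-Za-z_]\w*%", re.IGNORECASE)
# ... combined with a dynamic execution primitive.
DYNAMIC_EXEC = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(event: dict) -> list[str]:
    """Return the list of rule names an event triggers (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set" and LOGON_SCRIPT_KEY in event.get("key", "").lower():
        hits.append("registry: UserInitMprLogonScript modified")
    elif kind == "process_create":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        if parent in SCRIPT_HOSTS and image not in SCRIPT_HOSTS:
            hits.append(f"process: {image} launched by script host {parent}")
        if image in POWERSHELL and ENV_VAR.search(cmd) and DYNAMIC_EXEC.search(cmd):
            hits.append("powershell: environment variable combined with dynamic execution")
    elif kind == "dns_query" and event.get("query", "").lower() == TELEGRAM_API:
        hits.append(f"dns: {_basename(event.get('image', ''))} queried Telegram API domain")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> triggered rules, keeping only events that fired."""
    return {i: h for i, e in enumerate(events) if (h := check_event(e))}


# Constructed sample events: three that should fire, two benign controls.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Environment\UserInitMprLogonScript",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'powershell -w hidden -c "iex $env:INTERNAL_DB_CACHE"'},
    {"type": "dns_query", "query": "api.telegram.org",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c Get-ChildItem $env:USERPROFILE"},
]


def run_sample() -> dict[int, list[str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for idx, rules in run_sample().items():
        print(idx, rules)
```

The last control event matters: PowerShell reading an environment variable is routine, so the rule fires only when a variable reference and an execution primitive appear in the same command line, which is the combination the article calls out. Expect the script-host parent rule to be the noisiest of the four in environments with legitimate logon scripts; tuning it by parent command line rather than suppressing it wholesale keeps the stager launch visible.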

Synthesized by Vypr AI