A sophisticated credential-stealing campaign built around a tool called VIP Keylogger has emerged as a serious threat to organizations and individuals.
Unlike conventional malware that drops files onto a victim’s hard drive, this keylogger runs entirely in memory, making it far harder for traditional security tools to detect.
The campaign was first spotted through suspicious email activity on VirusTotal, where a deceptive message pushed recipients to open what appeared to be a standard purchase order.
That attachment was actually a RAR file containing a malicious executable named ÜRÜN ÇİZİMİ VE TEKNİK ÖZELLİKLERİ_xlsx.exe, which silently extracted and ran VIP Keylogger directly in memory without touching the disk.
What makes this campaign more alarming is its scale. Multiple instances were found targeting victims across different countries, with attackers adjusting only the packaging style and making minor changes to the execution flow.
The core payload, however, stayed consistent throughout. This flexibility points to a well-organized operation capable of scaling quickly while keeping the same primary objective — stealing credentials in bulk.
K7 Security Labs analysts identified this campaign while investigating activity on VirusTotal and noted that the final payload appears to be delivered either in an early development phase or as a configurable Malware-as-a-Service product.
Key capabilities such as AntiVM, ProcessKiller, and DownloaderFile were found to be disabled or set to NULL during analysis, suggesting clients receive only the features they pay for. This modular design makes the tool accessible to threat actors with limited technical skill.
Once active, VIP Keylogger harvests sensitive data from an infected machine. It targets dozens of Chromium-based browsers including Chrome, Brave, Edge, and Opera, as well as Firefox-based browsers like Firefox, Thunderbird, and Waterfox, pulling cookies, login credentials, credit card information, and browsing histories.
Email clients such as Outlook, Foxmail, Thunderbird, and Postbox are also compromised, with POP3, IMAP, SMTP, and HTTP passwords taken.
Platforms like Discord, FileZilla, and Pidgin lose account tokens and server details as well. All stolen data leaves through one of five channels — FTP, SMTP, Telegram, HTTP POST, or Discord — with the analyzed sample using SMTP to relay information through a dedicated server on port 587.
How VIP Keylogger Executes Without Leaving a Trace
The infection follows two separate paths, both designed to slip past security tools undetected. In the first method, the malicious file is a .NET PE executable that hides two DLLs inside its resource section using steganography — a technique that conceals code inside seemingly harmless files.
The first DLL, Turboboost.dll, extracts the second, Vertical bars.dll, which holds the final VIP Keylogger payload hidden inside a PNG image, also via steganography.
That payload is retrieved from the image and deployed through process hollowing, where the host process launches in a suspended state and its memory is replaced with the malicious code before execution begins.
In the second method, a standard PE file stores AES-encrypted bytes inside its .data section. After decrypting them in memory, the malware patches AMSI — a Windows interface that scans for suspicious scripts — and ETW, a logging system relied on by security products.
With both defenses disabled, VIP Keylogger loads cleanly through the Common Language Runtime. Both paths share one goal: execute the payload without touching the disk and leave almost no trace behind.
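As an added illustration from the defensive side (not code from the K7 report or from the malware itself), the script below triages a PE file for the two on-disk artifacts the loaders above leave behind: a high-entropy .data section, consistent with an AES-encrypted blob waiting to be decrypted in memory, and a PNG signature embedded in a section, consistent with a steganographic carrier. The minimal PE walker, the 7.2-bit entropy threshold and the sample images are assumptions constructed for this example.

```python
from collections import Counter
import math
import struct
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: code and text sit around 4-6, encrypted or compressed data near 8."""
    n = len(data) or 1  # guard empty sections
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) per section; minimal PE header walk, no pefile dependency."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    # NumberOfSections at COFF+2, SizeOfOptionalHeader at COFF+16 (12 bytes between them)
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def triage(pe: bytes, threshold: float = 7.2) -> list:
    """Flag an encrypted-looking .data section and any section carrying a PNG header."""
    findings = []
    for name, data in pe_sections(pe):
        ent = shannon_entropy(data)
        if name == ".data" and ent > threshold:
            findings.append(f"{name}: entropy {ent:.2f}, possible encrypted payload")
        if PNG_MAGIC in data:
            findings.append(f"{name}: embedded PNG header, possible steganographic carrier")
    return findings

def build_sample_pe(sections) -> bytes:
    """Constructed test fixture: just enough PE structure for pe_sections() to walk."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    table, body, ptr = b"", b"", 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), ptr, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table + body

# Constructed samples: a uniform byte run stands in for AES ciphertext (entropy 8.0).
SUSPICIOUS = build_sample_pe([(b".text", b"\x90" * 64), (b".data", bytes(range(256)) * 4), (b".rsrc", b"\0" * 8 + PNG_MAGIC + b"\0" * 32)])
BENIGN = build_sample_pe([(b".text", b"\x90" * 64), (b".data", b"config=1\0" * 16)])
```

Run `triage()` over a real sample with `open(path, "rb").read()`; packed or resource-heavy legitimate binaries will also score high, so treat a hit as a reason to look closer, not as a verdict.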
Organizations should avoid opening email attachments from unknown senders, especially compressed files like RAR or ZIP archives. Security teams should deploy endpoint solutions capable of identifying in-memory threats and process hollowing behavior.
Keeping browsers and applications updated is strongly advised to reduce the attack surface that VIP Keylogger actively exploits.