Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto

March 31, 2026, 7:19 p.m.

Description

Operation DualScript is a sophisticated multi-stage malware campaign targeting cryptocurrency and financial activities. It utilizes Windows Scheduled Tasks, VBScript launchers, and PowerShell execution to maintain persistence while minimizing disk artifacts. The attack operates through two parallel chains: a web-based PowerShell loader deploying a cryptocurrency clipboard hijacker, and a secondary chain executing the RetroRAT implant in memory. RetroRAT monitors user activity, captures keystrokes, and tracks interactions with financial services to harvest sensitive information. The malware employs various anti-analysis techniques and establishes a command-and-control channel for remote access and data exfiltration. This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms.

Date

  • Created: March 31, 2026, 7:10 a.m.
  • Published: March 31, 2026, 7:10 a.m.
  • Modified: March 31, 2026, 7:19 p.m.

Indicators

  • 582eeb086e1e50f036a243e1ceb8837803c64ce4aa7208b3946c4b68b35fab10

Attack Patterns

Additional Information

  • Finance
  • floatsdk.1cooldns.com
  • info.1cooldns.com
  • thewpiratebay.st
  • anycourse.net
  • United States of America