Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

July 30, 2025, 3:20 p.m.

Description

A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted and injected into RegSvcs.exe using process hollowing techniques. The VIP keylogger is designed to steal sensitive information by logging keystrokes, capturing credentials from popular web browsers, and monitoring clipboard activity. The campaign employs obfuscation techniques and maintains persistence through a VBS script in the Startup folder. The final payload exfiltrates data through SMTP and communicates with a command and control server.

External References

https://www.seqrite.com/blog/spear-phishing-campaign-delivers-vip-keylogger-via-email-attachment/
https://otx.alienvault.com/pulse/688a355ead4c75a9701f25fd
Tags
obfuscation
data theft
exfiltration
persistence
autoit
process hollowing
spear phishing
2025-07-30
vip keylogger

Date

  • Created: July 30, 2025, 3:08 p.m.
  • Published: July 30, 2025, 3:08 p.m.
  • Modified: July 30, 2025, 3:20 p.m.

Indicators

  • 51.38.247.67
Download all indicators here!

Attack Patterns

  • VIP Keylogger