VIP Keylogger
VIP Keylogger is a .NET-based information stealer and keylogger targeting Windows systems. Reporting in the provided content describes it as distributed primarily through spear-phishing and business-themed impersonation campaigns, including emails posing as purchase orders, quotations, shipment notices, payment notifications, procurement orders, logistics updates, and sales contracts. Observed delivery chains include Email → Archive → Executable, with ZIP archives containing executables disguised as legitimate business documents, as well as heavily obfuscated .vbs, .js, and .bat script loaders. The loaders use junk code padding, hex encoding, AES-encrypted PowerShell stagers, hidden environment variables such as INTERNAL_DB_CACHE, and steganography in PNG files to reconstruct the final payload. One reported PNG filename was img_085027.png.
Once executed, VIP Keylogger has been observed injecting into the legitimate Windows process aspnet_compiler.exe and in some cases running in memory without touching disk. Capabilities directly described in the content include keystroke logging, periodic screenshot capture, theft of saved passwords and cookies from browsers, harvesting of Outlook credentials from the Windows registry, collection of clipboard data, and replacement of copied cryptocurrency wallet addresses with attacker-controlled addresses. The malware exfiltrates stolen data to command-and-control infrastructure, including via Telegram bots, and checks victim IP addresses against known sandbox environments for evasion. It has also been reported to delete itself from disk after execution to reduce forensic visibility.
Campaigns cited in the content targeted organizations across multiple countries including the United Kingdom, Spain, France, the Netherlands, Switzerland, Belgium, Mauritius, India, Brazil, Botswana, Ghana, and Benin. Targeted sectors mentioned include logistics, engineering, manufacturing, energy, government, finance, tourism, healthcare, and consumer goods. The content notes tradecraft overlap with Snake Keylogger but does not establish common authorship. No specific threat actor attribution is provided in the source material.
High-confidence indicators and infrastructure explicitly mentioned in the content include hxxps://vault88x[.]secure-efficient2[.]su/MSI_105759[.]png, hxxps://vault88x[.]secure-efficient2[.]su/img_085027[.]png, reallyfreegeoip[.]org, checkip[.]dyndns[.]org, and api.telegram[.]org. Detection-relevant behaviors described include unusually large values written under Environment registry keys, PowerShell execution of content stored in environment variables, suspicious script-launched execution of .NET utilities such as aspnet_compiler.exe, and DNS activity to api.telegram.org.
Groups observed using it: 1 distinct threat actor attributed by public researchers.
Associated Analytic Story: VIP Keylogger. Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.vipkeylogger
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
Each of these loaders is heavily obfuscated using techniques such as junk code padding, hex encoding, and AES-encrypted PowerShell stagers to slip past security scans.
The initial infection begins with one of three script file types: a Visual Basic Script (.vbs), a JavaScript file (.js), or a batch script (.bat).
Persistence (1 technique)
The following analytic detects creation or modification of registry values under a user or system Environment key (paths matching *\Environment*) where the stored value exceeds 2,000 characters. Legitimate environment variables are typically short strings; unusually long values can indicate adversaries or malware staging encoded payloads, bloated malicious PATH entries, or other data in a location that is loaded for every interactive session.
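The analytic above can be exercised offline against registry-write telemetry. The following is an added example, not code from the page or from Mallory: it models the fields of a Sysmon Event ID 13 (value set) record, flags values written under an Environment key whose data exceeds 2,000 characters, and runs over a constructed set of records that includes the INTERNAL_DB_CACHE variable named in the reporting, an equally large value outside any Environment key, and a value sitting exactly at the threshold. The SID, process paths and value data are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Threshold from the analytic: Environment values longer than 2,000 characters.
MAX_BENIGN_VALUE_LEN = 2000

# A value written directly under an Environment key, in either the user hive
# (HKU\<SID>\Environment\<name>) or the system hive
# (HKLM\...\Session Manager\Environment\<name>).
ENV_VALUE_RE = re.compile(r"\\Environment\\[^\\]+$", re.IGNORECASE)


@dataclass
class RegistryValueSet:
    """Subset of a Sysmon Event ID 13 record needed by the analytic."""
    image: str          # process that wrote the value
    target_object: str  # full registry path including the value name
    details: str        # data written; string values are logged as text


def is_environment_value(target_object: str) -> bool:
    """True when the path names a value (not just a key) under an Environment key."""
    return ENV_VALUE_RE.search(target_object) is not None


def oversized_environment_values(events: Iterable[RegistryValueSet],
                                 threshold: int = MAX_BENIGN_VALUE_LEN) -> List[Dict]:
    """One finding per Environment value whose data is longer than `threshold`."""
    findings = []
    for ev in events:
        if not is_environment_value(ev.target_object):
            continue
        if len(ev.details) <= threshold:
            continue
        findings.append({
            "image": ev.image,
            "value_name": ev.target_object.rsplit("\\", 1)[-1],
            "length": len(ev.details),
        })
    return findings


# Constructed sample telemetry (placeholder SID, no real host). The blob under
# INTERNAL_DB_CACHE mimics a loader staging an encoded payload in a user variable;
# the long CLSID value shows that size alone, outside an Environment key, does not fire.
USER_ENV = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment"
SAMPLE_EVENTS = [
    RegistryValueSet(
        image=r"C:\Windows\System32\SystemPropertiesAdvanced.exe",
        target_object=USER_ENV + r"\TEMP",
        details=r"%USERPROFILE%\AppData\Local\Temp",
    ),
    RegistryValueSet(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        target_object=USER_ENV + r"\INTERNAL_DB_CACHE",
        details="Zm9v" * 1500,  # 6,000-character base64-looking blob
    ),
    RegistryValueSet(
        image=r"C:\Windows\regedit.exe",
        target_object=r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
        details="A" * 3000,  # long, but not under an Environment key
    ),
    RegistryValueSet(
        image=r"C:\Windows\System32\cmd.exe",
        target_object=USER_ENV + r"\PATH",
        details="C:\\tool;" * 250,  # exactly 2,000 characters: at the threshold, not over it
    ),
]


def run_sample() -> List[Dict]:
    """Apply the analytic to the constructed events; returns one finding."""
    return oversized_environment_values(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['image']} wrote {finding['length']} chars to {finding['value_name']}")
```

The length check is applied to whatever the sensor actually recorded, so if a telemetry source truncates value data before logging it, the threshold has to sit below that truncation limit or the rule will never fire; the threshold is a parameter for that reason.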
Privilege Escalation (1 technique)
Stealth (7 techniques)
One of the most creative tricks in VIP Keylogger’s playbook is steganography, where malicious code is hidden inside what appear to be ordinary image files.
Inside, the archives contained executables disguised as legitimate documents, which deployed VIP Keylogger upon execution.
Only after those images are decoded does the actual keylogger emerge and get injected into a legitimate Windows process called aspnet_compiler.exe.
It also checks the victim’s IP address against known sandbox environments to avoid analysis, and deletes itself from disk after execution to cover its tracks.
Execution of well-known .NET-related utilities when the parent appears to be a script launched from user-writable or non-standard locations is consistent with signed-binary proxy execution tradecraft (MITRE ATT&CK T1218) seen in stealer and loader workflows.
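The parent/child relationship described above can be expressed as a process-creation check. This is an added example, not code from the page or from Mallory: it takes the fields of a Sysmon Event ID 1 record and flags a .NET utility whose parent is a script host running a .vbs, .js, .bat or .ps1 file from a user-writable directory. aspnet_compiler.exe is the utility named in the reporting; the other utilities in the list, the set of script hosts and the list of user-writable paths are assumptions made for this example, and all sample records are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# aspnet_compiler.exe is named in the reporting; the others are further .NET Framework
# utilities included here as an assumption, not taken from the page.
DOTNET_UTILITIES = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                    "installutil.exe", "msbuild.exe"}

# Script hosts the loaders described above would run under (assumed set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# Script extensions from the reporting, plus .ps1 for PowerShell stagers.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|bat|ps1)\b", re.IGNORECASE)

# User-writable locations (assumed list for this example).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\"
    r"|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)


@dataclass
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record used by the check."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_from_user_writable_path(parent_image: str, parent_command_line: str) -> bool:
    """Parent is a script host whose command line runs a script from a user-writable dir."""
    return (basename(parent_image) in SCRIPT_HOSTS
            and SCRIPT_EXT_RE.search(parent_command_line) is not None
            and USER_WRITABLE_RE.search(parent_command_line) is not None)


def script_launched_dotnet_utilities(events: Iterable[ProcessCreate]) -> List[Dict]:
    """One finding per .NET utility started by a script from a user-writable location."""
    findings = []
    for ev in events:
        if basename(ev.image) not in DOTNET_UTILITIES:
            continue
        if not script_from_user_writable_path(ev.parent_image, ev.parent_command_line):
            continue
        findings.append({
            "child": basename(ev.image),
            "parent": basename(ev.parent_image),
            "parent_command_line": ev.parent_command_line,
        })
    return findings


ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed sample telemetry: one script-launched case, a Visual Studio build,
# a vendor batch file outside user-writable space, and a script that starts notepad.
SAMPLE_EVENTS = [
    ProcessCreate(ASPNET, f'"{ASPNET}"',
                  r"C:\Windows\System32\wscript.exe",
                  r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Purchase_Order_2291.vbs"'),
    ProcessCreate(ASPNET, f'"{ASPNET}" -v / -p C:\\src\\site',
                  r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                  r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'),
    ProcessCreate(ASPNET, f'"{ASPNET}" -v / -p C:\\src\\site',
                  r"C:\Windows\System32\cmd.exe",
                  r'cmd.exe /c "C:\Program Files\Vendor\build\precompile.bat"'),
    ProcessCreate(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                  r"C:\Windows\System32\wscript.exe",
                  r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\notes.vbs"'),
]


def run_sample() -> List[Dict]:
    """Apply the check to the constructed events; returns one finding."""
    return script_launched_dotnet_utilities(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['parent']} -> {f['child']}: {f['parent_command_line']}")
```

The Visual Studio and vendor-batch records are there to show the main tuning point: aspnet_compiler.exe is a normal child of build tooling, so the rule keys on the parent being a script host running from user-writable space rather than on the child alone.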
Defense Impairment (1 technique)
Credential Access (3 techniques)
It captures every keystroke, takes periodic screenshots of the desktop, steals saved passwords and cookies from dozens of popular browsers, and scans the Windows registry for Outlook credentials.
Discovery (1 technique)
Collection (3 techniques)
Command and Control (1 technique)
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Information-stealing malware delivered via phishing using multi-stage script loaders (.vbs, .js, .bat), obfuscated PowerShell stagers, and steganography in PNG files. It injects into aspnet_compiler.exe, captures keystrokes, takes screenshots, steals browser passwords and cookies, harvests Outlook credentials from the registry, monitors and hijacks clipboard cryptocurrency wallet addresses, exfiltrates data to multiple C2 servers including via a Telegram bot, performs sandbox/IP checks, and deletes itself from disk after execution.
The content only references VIP Keylogger as an associated analytic story/reference. No direct behavioral description is provided in the content beyond its name implying keylogging functionality.
Referenced as part of a campaign associated with malware loaders and stagers that use PowerShell environment-variable execution to stage and run payloads.
The content links this detection to the VIP Keylogger analytic story, indicating relevance to activity associated with this malware. No direct behavioral description of the malware itself is provided in the content beyond its name and keylogger classification.