VIPKeylogger is a password-stealing/keylogging malware family repeatedly observed in malspam campaigns, especially campaigns targeting Italy with business-themed lures such as orders, offers, requests, quotes, documents, invoices, payments, shipments, reservations, purchases, bank transfers, and receipts. Across the provided reporting, it is consistently grouped with credential theft and remote-access malware families and is distributed through phishing attachments including script files, WIN32 executables, MSIL binaries, Office documents, NSIS-wrapped executables, VBScript, JavaScript, batch files, and PowerShell-based loaders.
The source reporting states that VIPKeylogger is a direct variant or rebrand of SnakeKeylogger, also known as 404 Keylogger. In the analyzed DHL-themed campaign, infection used a three-stage chain: an obfuscated VBScript dropper launched hidden PowerShell via WMI, which downloaded a steganographic JPEG from Cloudinary with Base64-encoded .NET payload data appended after the image, reflectively loaded the decoded .NET assembly in memory, and then performed process hollowing into Caspol.exe. That payload was Babel-obfuscated; it included anti-analysis checks for tools and APIs including dnSpy, vsdbg, de4dot, CheckRemoteDebuggerPresent, IsDebuggerPresent, and NtQueryInformationProcess, established persistence via a startup VBS item and a scheduled task, and performed victim reconnaissance using checkip.dyndns.org and reallyfreegeoip.org.
Exfiltration behavior in the supplied content shows VIPKeylogger using multiple channels. One report states dual-channel exfiltration via SMTP and Telegram simultaneously. In the DHL-themed SnakeKeylogger/VIPKeylogger case, SMTP exfiltration used mail.miniorangeman.com:587 with account result@miniorangeman.com, and Telegram was used for real-time victim notifications via an encrypted bot token. Another campaign delivered by GuLoader used NSIS installer wrappers with encrypted shellcode to deliver VIPKeylogger and exfiltrated via the Telegram Bot API; the broader campaign also used FTP infrastructure. The GuLoader-linked reporting states the malware stole browser passwords, email credentials, FTP client credentials, WinSCP secrets, and Outlook profile data. A Vietnam-focused phishing case used tax-authority impersonation, a malicious archive containing obfuscated JavaScript, a batch file and PowerShell loader chain, and ultimately a final dumped payload identified as VipKeyLogger that sent collected victim information to an attacker-controlled address.
Infrastructure and indicators explicitly mentioned in the content include C2 server 144.172.105.88; SMTP server mail.miniorangeman.com resolving to 185.196.9.150; Cloudinary staging URL res.cloudinary.com/dzptvoj1b/image/upload/v1773339102/MSI_PRO_with_b64_wavpuj.jpg; Telegram bot token 8729572560:AAH7-pGiLevApfXHCGKQfSyCpF9fVTqxN9Q and chat ID 8277275661 in one GuLoader-linked sample; FTP domains holzbrenzii[.]com and corwineagles[.]com; and hashes including decoded .NET payload SHA256 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21, Cloudinary carrier SHA256 b23f06a5bf75ae2335bac792574cb3bc5fdc11755f5f4a75617eb99fd3a56104, and final dumped VipKeyLogger payload SHA256 ef0556dc61ee9912ae1647e9dcbbdd8fbcbfb4f56e77241f2315a7ca4f20c845.
The supplied content does not attribute VIPKeylogger to a named state-linked threat actor. One campaign assessment explicitly describes the operator as a financially motivated cybercriminal using commodity stealers and opportunistic phishing rather than an advanced persistent threat.
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution is handled through WMI rather than direct process creation ... infare.Get("Win32_Process").Create(avaram, Null, circumsail, mayas)
The VBScript dropper ... launches PowerShell invisibly via WMI's Win32_Process.Create with ShowWindow=0
Stage 1: VBScript Dropper ... The actual payload is encoded using a hex-nibble scheme where individual hex characters are separated by the Unicode string ⩝Ɽ◮ڧᕒ
inside is a .js file (JavaScript)... This script operates as a dropper, with the following main steps: Drop: creates the file Anise.bat in %TEMP%... Execute: uses WMI to run the .bat file after cleaning it up.
The VBScript dropper uses a custom Unicode separator ... pads 15,896 junk lines of emoji-laden Unicode to inflate the file to 1.14 MB
The extracted assembly ... includes anti-analysis checks ... An encrypted configuration blob in the User Strings heap contains the Telegram bot token and SMTP credentials -- protected by Babel's obfuscation layer
The decoded PowerShell downloads a JPEG image from Cloudinary CDN ... with 1.55 MB of Base64-encoded .NET assembly appended after the image data.
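As an added defensive check (not code from any of the cited reports), the following Python script looks for the carrier layout described above: a JPEG whose bytes continue past the end-of-image marker with a large Base64 run that decodes to a PE/.NET image (MZ header). The JPEG skeleton and the appended blob are constructed inline for the demonstration.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Base64 alphabet only; a real .NET assembly encodes to far more than 64 chars.
B64_RE = re.compile(rb"\A[A-Za-z0-9+/]{64,}={0,2}\Z")


def split_at_eoi(data: bytes):
    """Return (image, trailer). Base64 text never contains 0xFF, so the last
    EOI marker is the true end of the image even when a payload is appended."""
    idx = data.rfind(JPEG_EOI)
    if idx < 0:
        return data, b""
    end = idx + len(JPEG_EOI)
    return data[:end], data[end:]


def inspect_jpeg_carrier(data: bytes, min_trailer: int = 1024) -> dict:
    """Flag a JPEG that carries a Base64-encoded PE image after its EOI marker."""
    result = {"is_jpeg": data.startswith(JPEG_SOI), "trailer_len": 0,
              "decoded_magic": b"", "suspicious": False}
    if not result["is_jpeg"]:
        return result
    _, trailer = split_at_eoi(data)
    trailer = b"".join(trailer.split())          # tolerate line-wrapped Base64
    result["trailer_len"] = len(trailer)
    if len(trailer) < min_trailer or not B64_RE.match(trailer):
        return result
    try:
        decoded = base64.b64decode(trailer, validate=True)
    except ValueError:                           # binascii.Error subclasses ValueError
        return result
    result["decoded_magic"] = decoded[:2]
    result["suspicious"] = decoded.startswith(b"MZ")   # PE/.NET assembly header
    return result


# Constructed samples (not real artefacts): a minimal JPEG skeleton, and the same
# skeleton with a fake MZ-headed blob appended as Base64, as in the report.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0" + b"\x00" * 16 + JPEG_EOI
FAKE_ASSEMBLY = b"MZ" + b"\x90" * 1000
CARRIER_SAMPLE = CLEAN_JPEG + base64.b64encode(FAKE_ASSEMBLY)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("carrier", CARRIER_SAMPLE)):
        print(name, inspect_jpeg_carrier(blob))
```

Run it over files fetched from a CDN URL seen in the PowerShell stage, or over image attachments in a sandbox, to triage carriers before any deobfuscation work.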
the attacker uses Base64 and AES (CBC) to decrypt, and Gzip to decompress, the payloads
MITRE ATT&CK mapping: Tactic: Collection; Technique: Input Capture: Keylogging; ID: T1056.001; Implementation: VIPKeylogger variant
VIPKeylogger ... conducts victim recon via checkip.dyndns.org with a spoofed MSIE 6.0 User-Agent
Tactic: Discovery; Technique: System Information Discovery; ID: T1082; Implementation: PC name, date/time collection
MITRE ATT&CK mapping: Tactic: Collection; Technique: Data from Local System; ID: T1005; Implementation: FTP clients, WinSCP, Outlook profiles
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
VIPKeylogger is listed among the password-stealing malware families distributed in the observed malspam campaigns, including order- and offer-themed emails.
Keylogger malware distributed via an Italian malspam campaign themed around requests.
A keylogging and credential-stealing malware family observed in Italian malspam campaigns during the reporting period.
A keylogger/stealer delivered through a phishing chain that uses VBScript, hidden PowerShell, steganographic payload delivery, in-memory .NET loading, and process hollowing into Caspol.exe. It performs victim reconnaissance, persistence via startup VBS and scheduled task, captures keystrokes, clipboard data, and screenshots, and exfiltrates data over SMTP and Telegram.