Multiple phishing campaigns delivered SnakeKeylogger, VIPKeylogger, and Agent Tesla through layered infection chains that used obfuscated VBScript or PowerShell droppers, steganographic payload staging on Cloudinary, Internet Archive abuse, reflective in-memory .NET loading, and process hollowing into legitimate Windows binaries such as Caspol.exe, Aspnet_compiler.exe, and RegAsm.exe. One DHL-themed operation used a VIPKeylogger variant identified as a SnakeKeylogger rebrand, while a separate GuLoader campaign targeted Italian businesses with NSIS-wrapped stealers and business email compromise-style lures. Across the campaigns, the malware stole browser passwords, email and FTP credentials, Outlook and WinSCP secrets, Discord tokens, Wi-Fi passwords, screenshots, clipboard data, and keystrokes, then exfiltrated data over SMTP, Telegram, and FTP.
Investigators found repeated operator OPSEC failures that exposed active criminal infrastructure and victim data. A VIPKeylogger/SnakeKeylogger operator left a stock XAMPP dashboard and internet-accessible WinRM open on 144.172.105.88, while sandboxing captured plaintext SMTP credentials tied to result@miniorangeman.com on 185.196.9.150; although that C2 was taken offline shortly after detection, the Cloudinary-hosted payload and SMTP infrastructure reportedly remained live. In a separate GuLoader operation, an open FTP directory on holzbrenzii[.]com exposed 52 credential dumps from 27 victim machines in real time. Another SnakeKeylogger v4.4 campaign linked distinct droppers to the same backend through shared C2 strings, DDNS infrastructure, and staging artifacts, showing that technically capable malware operators repeatedly undermined their own campaigns by exposing panels, credentials, and stolen data.
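The chains above share a small set of host and network artifacts a defender can key on: a script or PowerShell parent launching one of the .NET framework utilities used as hollowing targets (Caspol.exe, Aspnet_compiler.exe, RegAsm.exe), a hidden PowerShell child of the WMI provider host, and DNS or socket contact with the infrastructure named in the write-up. The following Python is an added example, not code from the original reporting or from any of its sources. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, QueryName, DestinationIp) and runs over a handful of constructed events; the indicators are the IPs and domains quoted in the story, kept defanged as published and refanged at load time.

```python
"""Detection checks for the SnakeKeylogger / VIPKeylogger / Agent Tesla chains
described above. Added example: simplified Sysmon-style telemetry, not the
reporting's own code. Three checks: (1) hollowing targets spawned by script or
PowerShell parents, (2) hidden PowerShell spawned via WMI, (3) DNS/network
contact with the infrastructure named in the story."""
from __future__ import annotations

import ntpath
import re

# Legitimate Windows/.NET binaries the campaigns hollowed (from the story).
HOLLOWING_TARGETS = {"caspol.exe", "aspnet_compiler.exe", "regasm.exe"}

# Parents that should essentially never launch those utilities on a workstation.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Infrastructure quoted in the story, stored defanged and refanged on load.
IOC_IPS_DEFANGED = ["144.172.105.88", "185.196.9.150", "51.38.247.67", "192.169.69.26"]
IOC_DOMAINS_DEFANGED = ["varders[.]kozow[.]com", "holzbrenzii[.]com"]

# Matches "-w hidden", "-win hidden", "-WindowStyle Hidden" (case folded by caller).
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden")


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}
IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> str | None:
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    if image in HOLLOWING_TARGETS and parent in SUSPICIOUS_PARENTS:
        return f"hollowing-target {image} spawned by {parent}"
    if image in {"powershell.exe", "pwsh.exe"} and parent == "wmiprvse.exe" \
            and HIDDEN_WINDOW.search(cmd):
        return f"hidden powershell spawned by {parent}: {cmd}"
    return None


def check_dns(ev: dict) -> str | None:
    # Exact host or a subdomain of it only; kozow.com itself is a DDNS provider
    # with legitimate users, so the parent zone is deliberately not matched.
    q = ev.get("QueryName", "").lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return f"dns query for {q} from {_basename(ev.get('Image', ''))}"
    return None


def check_network(ev: dict) -> str | None:
    ip = ev.get("DestinationIp", "")
    if ip in IOC_IPS:
        return (f"network contact with {ip}:{ev.get('DestinationPort')} "
                f"from {_basename(ev.get('Image', ''))}")
    return None


def detect(events: list[dict]) -> list[str]:
    """Return one alert string per matching event, in input order."""
    handlers = {"ProcessCreate": check_process, "DnsQuery": check_dns,
                "NetworkConnect": check_network}
    alerts = []
    for ev in events:
        hit = handlers.get(ev.get("EventType"), lambda _e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed telemetry for demonstration; not captured from the campaigns.
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": NET + r"\aspnet_compiler.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": "aspnet_compiler.exe -v /site -p ."},          # benign build use
    {"EventType": "ProcessCreate", "Image": NET + r"\caspol.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "caspol.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -ep bypass -c Start-Sleep 1"},
    {"EventType": "DnsQuery", "Image": NET + r"\RegAsm.exe", "QueryName": "varders.kozow.com"},
    {"EventType": "DnsQuery", "Image": r"C:\Program Files\Firefox\firefox.exe",
     "QueryName": "mail.kozow.com"},                                # same DDNS provider, no hit
    {"EventType": "NetworkConnect", "Image": NET + r"\caspol.exe",
     "DestinationIp": "185.196.9.150", "DestinationPort": 587},     # SMTP exfil host
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The parent-child rule is the durable part: the exfiltration IPs and DDNS names rotate (the story itself notes the C2 went offline within hours), whereas a VBScript or PowerShell parent launching Caspol.exe or RegAsm.exe has almost no benign explanation on an end-user workstation. The devenv.exe-launched aspnet_compiler.exe event is included to show why the rule keys on the parent rather than on the target binary alone.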

The VIPKeylogger command-and-control server went offline within hours of detection on March 14, 2026. However, the Cloudinary-hosted payload and SMTP exfiltration infrastructure remained live afterward.
Investigation of the DHL-themed campaign found the command-and-control server at 144.172.105.88 exposed a stock XAMPP dashboard and open WinRM, while sandboxing captured plaintext SMTP credentials for result@miniorangeman.com. The infrastructure included Cloudzy/RouterHosting-hosted C2 and a separate SMTP exfiltration server at 185.196.9.150.
A DHL-themed phishing campaign delivered a VIPKeylogger variant identified as a SnakeKeylogger rebrand through a three-stage chain using an obfuscated VBScript dropper, a steganographic JPEG on Cloudinary, hidden WMI-spawned PowerShell, reflective .NET loading, and process hollowing into Caspol.exe. The malware also used anti-analysis checks, persistence mechanisms, and dual-channel exfiltration via SMTP and Telegram.
At the time of investigation, the OVH-hosted panel at 51.38.247.67:8081 appeared offline, while varders[.]kozow[.]com resolving to 192.169.69.26 was assessed as potentially active infrastructure. This indicated at least partial disruption or migration of the actor's backend.
Analysis of the two SnakeKeylogger droppers revealed that one chain used rotational XOR decryption and process hollowing into Aspnet_compiler.exe, while the other abused Internet Archive and ByetHost before hollowing RegAsm.exe. The campaign used triple-redundant DDNS plus a hardcoded OVH IP, with poor OPSEC exposing links between the two chains.
In March 2026, two distinct SnakeKeylogger droppers were uploaded to MalwareBazaar within 48 hours, one PowerShell sample from Germany and one VBScript sample from Sweden. Despite different delivery chains, both converged on the same backend infrastructure and were assessed as operated by the same actor.
Researchers found the campaign FTP server holzbrenzii[.]com had directory listing enabled, exposing 52 stolen credential files from 27 victim machines. Fresh uploads were still appearing on the day of analysis, showing the theft operation was ongoing.
Two GuLoader malware samples tied to the Italian credential-theft campaign were submitted to MalwareBazaar on March 9 and 10, 2026. The samples used NSIS installer wrappers with encrypted shellcode to deliver Agent Tesla and VIPKeylogger.
By early March 2026, an active GuLoader phishing campaign was delivering Agent Tesla and VIPKeylogger primarily to Italian businesses using Italian- and English-language lures. Investigators later found the operation was financially motivated and opportunistic rather than APT-linked.
A broader SnakeKeylogger/VIPKeylogger operation was active by February 2026, with more than 50 related samples across two imphash clusters and supporting infrastructure set up for credential theft. The campaign used shared hosting, phishing lures, and multiple exfiltration channels including SMTP, Telegram, and FTP.
Symantec reported multiple malicious email campaigns distributing VIP Keylogger through impersonation lures such as purchase orders, quotations, shipment notices, and sales contracts. The activity targeted organizations across multiple countries and sectors using ZIP archives containing executables disguised as business documents.
Sources: research.splunk.com; intel.breakglass.tech (four reports); broadcom.com (Symantec)