LevelBlue SpiderLabs investigates a multi-stage delivery operation built on VBS loaders and open-directory hosting. The chain combines Unicode obfuscation, PNG-based staging and in-memory .NET execution, with follow-on payloads including XWorm variants and Remcos RAT. https://www.levelblue.com/blogs/spiderlabs-blog/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure