Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
A multi-stage malware delivery campaign was uncovered, initially detected through a suspicious VBS file. The investigation revealed a complex attack infrastructure using Unicode obfuscation, PNG-based payload staging, and reflectively loaded .NET execution. The attacker used open directories to host multiple obfuscated VBS files, each mapping to a different malware payload, including XWorm and Remcos RAT. A secondary infection vector involving a weaponized 'PDF' and a batch script was also discovered. The campaign demonstrated a modular approach, allowing payload rotation and multiple attack vectors from the same domain. This infrastructure design lets the operator modify and expand the set of available payloads quickly without altering the initial delivery mechanism.
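The pulse names PNG-based payload staging but does not say how the payload is embedded in the image. The script below is an added triage example, not code from the pulse or from the campaign: it walks a PNG's chunk list and flags the two embedding methods a practitioner would check first, data appended after the IEND chunk and non-standard chunk types, plus bad CRCs and oversized text chunks. The sample images, the private chunk name `prIV` and the `MZ`-prefixed payload bytes are all constructed here for the example; whether this campaign used either method is an assumption.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus the APNG/eXIf extensions; anything else is suspect.
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT", "sRGB",
    "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf",
    "acTL", "fcTL", "fdAT",
}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC). Used only to construct the samples."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png(data: bytes):
    """Walk the chunk list. Returns (chunks, trailer): chunks is a list of
    (type, length, crc_ok); trailer is every byte that follows the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:  # truncated chunk: record it and stop
            chunks.append((ctype.decode("latin-1"), length, False))
            break
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]  # a well-formed PNG ends here; anything after is a trailer
    return chunks, b""


def triage_png(data: bytes):
    """Return a list of findings for a PNG suspected of carrying a staged payload."""
    findings = []
    chunks, trailer = parse_png(data)
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after IEND (starts {trailer[:4]!r})")
    if not any(c[0] == "IEND" for c in chunks):
        findings.append("no IEND chunk: truncated or malformed image")
    for ctype, length, crc_ok in chunks:
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} of {length} bytes")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype in ("tEXt", "zTXt", "iTXt") and length > 4096:
            findings.append(f"oversized text chunk {ctype!r} ({length} bytes)")
    return findings


# Constructed samples (not files from the campaign).
IHDR_1X1_GREY = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
IDAT_1X1 = zlib.compress(b"\x00\x00")                         # filter byte 0 + one pixel
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62                           # stand-in bytes, not a real executable


def build_clean_png() -> bytes:
    """A minimal valid PNG with nothing hidden in it."""
    return (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_1X1_GREY)
            + make_chunk(b"IDAT", IDAT_1X1) + make_chunk(b"IEND", b""))


def build_staged_png() -> bytes:
    """The same image with a payload in a private chunk and a copy appended after IEND."""
    return (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_1X1_GREY)
            + make_chunk(b"prIV", FAKE_PAYLOAD)  # hypothetical private chunk name
            + make_chunk(b"IDAT", IDAT_1X1) + make_chunk(b"IEND", b"")
            + FAKE_PAYLOAD)


if __name__ == "__main__":
    for name, blob in (("clean", build_clean_png()), ("staged", build_staged_png())):
        print(name, triage_png(blob) or ["no findings"])
```

The image still decodes normally in both cases, which is the point of the technique: viewers ignore unknown ancillary chunks and stop at IEND, so a static check on the container is needed rather than on the rendered pixels. Vendor-specific ancillary chunks will also trip the `KNOWN_CHUNKS` test, so treat that finding as a lead to carve and inspect, not as a verdict.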
Pulse ID: 69c2502fe450207e3f4855c3
Pulse Link: https://otx.alienvault.com/pulse/69c2502fe450207e3f4855c3
Pulse Author: AlienVault
Created: 2026-03-24 08:49:51
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #PDF #RAT #Remcos #RemcosRAT #VBS #Worm #XWorm #bot #AlienVault
