VIP Keylogger MaaS Campaign Leverages Steganography and In-Memory Execution for Credential Theft
March 11th, 2026
High
Our Cyber Threat Intelligence Unit is monitoring an ongoing campaign distributing the VIP Keylogger via phishing emails and malicious attachments, consistent with a Malware-as-a-Service (MaaS) model. K7 Labs recently documented this activity, noting multiple campaign instances targeting organizations across several countries, with variations in packaging style and execution methods. The campaign uses steganography techniques and in-memory execution to deliver the keylogger without writing the final payload to disk, effectively evading traditional file-based security controls. Once executed, VIP Keylogger collects credentials, browser data, and sensitive application data from infected systems. Since the malware targets many widely used browsers, email clients, and communication tools, it may expose a broad range of users and environments to credential compromise and account takeover. This campaign reflects a broader trend of threat actors using social engineering and layered, fileless execution techniques to bypass conventional security monitoring.
Technical Details
Threat Type: Credential Stealer / Keylogger
Severity: High
Malware Model: Suspected Malware-as-a-Service (MaaS) / configurable payload offering
Affected Systems: Windows Endpoints
Attack Chain:
Initial Access: Phishing emails deliver malicious attachments disguised as business documents, such as purchase orders.
Attachments are distributed as RAR archives containing executables masquerading as legitimate files (e.g., a file named with an .xlsx extension but packaged as a .exe).
Execution and Payload Delivery: K7 Labs identified two distinct execution chains within this campaign:
Case 1: Steganography-Based Delivery (.NET)
A .NET PE file contains two DLLs hidden within its resource section using steganography.
The first DLL (Turboboost.dll) retrieves the second DLL (Vertical bars.dll) from the resource section.
The second DLL contains the final VIP Keylogger payload embedded as a .PNG file, also concealed via steganography.
The payload is extracted and executed entirely in memory. It does not touch the disk.
Case 2: AES-Encrypted In-Memory Loading
A standard PE file carries AES-encrypted payload bytes within the .data section.
After decryption in memory, the loader patches AMSI (Anti-Malware Scan Interface) and ETW (Event Tracing for Windows) to disable security telemetry.
The keylogger payload is then loaded using the Common Language Runtime (CLR) entirely in memory.
Process Injection (Case 1): The loader performs process hollowing by creating a legitimate host process in suspended mode and injecting the malicious payload using the following Windows APIs:
CreateProcessA
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
ResumeThread
SetThreadContext / Wow64SetThreadContext
GetThreadContext / Wow64GetThreadContext
ZwUnmapViewOfSection
This technique allows the malware to execute under the context of a legitimate system process, reducing the likelihood of detection by behavior-based controls.
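The API sequence above is also the detection opportunity: a suspended CreateProcessA followed by writes and a thread-context change on that same child is rarely benign. The following added example (not code from K7 Labs or the advisory) correlates those calls in a per-process API trace; the trace schema, the handle values and both sample traces are constructed for illustration.

```python
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that makes CreateProcessA start the child suspended

# Hollowing stages after the suspended create: (API names, argument that must carry the
# child's process handle, or None when the call is thread-scoped). Trace records are
# (api_name, args_dict) tuples, a constructed schema rather than any real EDR format.
STAGES = {
    "unmap":       (("ZwUnmapViewOfSection",), "ProcessHandle"),
    "alloc":       (("VirtualAllocEx",), "hProcess"),
    "write":       (("WriteProcessMemory",), "hProcess"),
    "set_context": (("SetThreadContext", "Wow64SetThreadContext"), None),
    "resume":      (("ResumeThread",), None),
}
# Unmapping and allocation vary between loaders, so they are reported but not required.
REQUIRED = ("suspended_create", "write", "set_context", "resume")

def hollowing_stages(trace):
    """Return the hollowing stages seen in a trace, in first-observed order."""
    child, seen = None, []
    for api, args in trace:
        if api == "CreateProcessA" and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            child, seen = args.get("hProcess"), ["suspended_create"]
        elif child is not None:  # correlate only with the suspended child
            for stage, (apis, handle_arg) in STAGES.items():
                if api in apis and (handle_arg is None or args.get(handle_arg) == child):
                    if stage not in seen:
                        seen.append(stage)
    return seen

def is_hollowing(trace):
    """True when every required stage appears, in order, after a suspended CreateProcessA."""
    seen = hollowing_stages(trace)
    positions = [seen.index(s) for s in REQUIRED if s in seen]
    return len(positions) == len(REQUIRED) and positions == sorted(positions)

# Constructed traces: the advisory's sequence, and a benign debugger-style suspended launch.
HOLLOWING_TRACE = [
    ("CreateProcessA", {"dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x1A4}),
    ("GetThreadContext", {"hThread": 0x1A8}),
    ("ZwUnmapViewOfSection", {"ProcessHandle": 0x1A4}),
    ("VirtualAllocEx", {"hProcess": 0x1A4}),
    ("WriteProcessMemory", {"hProcess": 0x1A4}),
    ("SetThreadContext", {"hThread": 0x1A8}),
    ("ResumeThread", {"hThread": 0x1A8}),
]
BENIGN_TRACE = [
    ("CreateProcessA", {"dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x2B0}),
    ("GetThreadContext", {"hThread": 0x2B4}),
    ("ResumeThread", {"hThread": 0x2B4}),
]
```

Requiring the write and context change to target the handle returned by the suspended create keeps ordinary suspended launches (debuggers, job-object setup) from triggering the rule.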
Active Credential Theft Capabilities: Once active, VIP Keylogger collects data from the following sources:
Browser credentials, cookies, saved autofill data, login data, credit card details, visited URLs, and download histories across a broad range of Chromium-based and Mozilla-based applications, including Chrome, Edge, Firefox, Brave, Opera, Vivaldi, Thunderbird, and others.
Email application credentials from Outlook (via registry), Foxmail (via account.rec0), Thunderbird, and Postbox.
Discord tokens (via LevelDB log files).
FileZilla recently connected server credentials (via recentservers.xml).
Pidgin account credentials (via accounts.xml).
Dormant Features: The analyzed samples contain code for the following capabilities, which were not executed during analysis:
Keystroke logging with foreground window tracking
Clipboard content capture
Screenshot capture
Wi-Fi credential harvesting
AntiVM, ProcessKiller, and Downloader functions (currently set to null)
These may be enabled in future variants or customer-configured deployments.
Data Exfiltration:
Stolen data can be transmitted via five channels:
SMTP
FTP
HTTP POST
Telegram
Discord
In the samples analyzed by K7 Labs, active exfiltration was conducted via SMTP using the sender address logs@gtpv[.]online, transmitting data to log@gtpv[.]online through the relay server hosting2[.]ro[.]hostsailor[.]com on port 587.

Impact
Credential Theft: Attackers may obtain login credentials stored across browsers and applications.
Unauthorized Account Access: Stolen credentials may allow attackers to access internal systems, cloud services, and sensitive organizational resources.
Sensitive Data Exposure: Financial information and personal data stored in browsers may be collected and exfiltrated.
Operational Risk: Compromised endpoints may serve as entry points for additional malware or lateral movement.
Detection Method
Security teams should monitor endpoint and network telemetry for the following behavioral indicators:
Email and Attachment Controls:
Monitor email gateways for inbound messages delivering compressed archives containing executable files disguised as business documents.
Endpoint Telemetry:
Windows Event ID 4688: Process creation events showing suspicious executables launched from archive extraction paths.
Sysmon Event ID 1: Process creation involving unknown executables extracted to temporary directories.
Abnormal parent-child process relationships, particularly legitimate Windows processes spawned from user-controlled directories.
Unusual executable creation or activity within %TEMP%, %APPDATA%, or user download directories.
Network Telemetry:
Outbound SMTP traffic on port 587 to unfamiliar or newly observed email infrastructure.
Connections to known C2 domains or IP addresses listed in the Indicators of Compromise section below.
FTP or HTTP POST communications to external hosts from endpoints without established business justification.
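The endpoint and network indicators above can be expressed as simple rules over process-creation and flow telemetry. The following added example (not code from the advisory or K7 Labs) applies them to constructed Sysmon Event ID 1 style records and outbound flow records; the field names, the archive temp path, the hostproc.exe name and the smtp.corp.example allowlist entry are assumptions made for the example.

```python
import re

# Path patterns for the user-writable and archive-extraction locations named in the advisory.
USER_CONTROLLED = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\|\\Rar\$", re.I)
DOUBLE_EXT = re.compile(r"\.(xlsx?|docx?|pdf|csv)\.exe$", re.I)   # e.g. PO.xlsx.exe
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.I)
ARCHIVERS = ("winrar.exe", "7z.exe", "7zfm.exe", "7zg.exe")
SANCTIONED_HOSTS = {"smtp.corp.example"}   # constructed allowlist of approved mail/upload hosts

def check_process_event(ev):
    """Apply the advisory's endpoint indicators to one Sysmon Event ID 1 / 4688-style record."""
    hits = []
    image, parent = ev["Image"], ev.get("ParentImage", "")
    if DOUBLE_EXT.search(image):
        hits.append("double_extension_executable")
    if USER_CONTROLLED.search(image):
        src = "archive_extraction" if parent.lower().endswith(ARCHIVERS) else "user_controlled_dir"
        hits.append(f"executable_launched_from_{src}")
    if SYSTEM_DIR.match(image) and USER_CONTROLLED.search(parent):
        hits.append("system_binary_spawned_from_user_dir")
    return hits

def check_flow(flow):
    """Flag outbound SMTP submission (587), FTP (21) or HTTP POST to hosts not on the allowlist."""
    if flow["direction"] != "outbound" or flow["dst_host"] in SANCTIONED_HOSTS:
        return []
    if flow["dst_port"] == 587:
        return ["smtp_587_to_unsanctioned_relay"]
    if flow["dst_port"] == 21 or flow.get("http_method") == "POST":
        return ["ftp_or_http_post_to_external_host"]
    return []

def scan(events, flows):
    """Return (record, [rule names]) for every record that matched at least one rule."""
    findings = [(e, check_process_event(e)) for e in events] + [(f, check_flow(f)) for f in flows]
    return [(r, h) for r, h in findings if h]

# Constructed telemetry: a lure executable run from a RAR temp folder, a system binary spawned
# by a file in Downloads, a benign launch, and two outbound SMTP submissions.
EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\PO_8841.xlsx.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"Image": r"C:\Windows\System32\hostproc.exe",        # constructed name for a legitimate host binary
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
FLOWS = [
    {"direction": "outbound", "dst_host": "hosting2.ro.hostsailor.com", "dst_port": 587},
    {"direction": "outbound", "dst_host": "smtp.corp.example", "dst_port": 587},
]
```

The parent-image check is what separates an archive-extraction launch from an ordinary run out of Downloads, and the allowlist keeps sanctioned mail relays from producing noise on port 587.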
Indicators of Compromise
| Type | Indicator | Description |
| --- | --- | --- |
| MD5 | D1DF5D64C430B79F7E0E382521E96A14 | Malware sample — Trojan |
| MD5 | E7C42F2D0FF38F1B9F51DC5D745418F5 | Malware sample — Trojan |
| MD5 | EA72845A790DA66A7870DA4DA8924EB3 | Malware sample — Trojan |
| MD5 | 694C313B660123F393332C2F0F7072B5 | Malware sample — Spyware |
| Domain | varders[.]kozow[.]com | Command and control domain |
| Domain | aborters[.]duckdns[.]org | Command and control domain |
| Domain | anotherarmy[.]dns[.]army | Command and control domain |
| IP Address | 51[.]38[.]247[.]67 | Known malicious C2 server |
| Email Address | logs@gtpv[.]online | Observed SMTP exfiltration sender address, sourced from K7 Labs exfiltration analysis of active samples |
| Email Address | log@gtpv[.]online | Observed SMTP exfiltration recipient address, sourced from K7 Labs exfiltration analysis of active samples |
| Domain | hosting2[.]ro[.]hostsailor[.]com | SMTP relay server used for data exfiltration, sourced from K7 Labs exfiltration analysis of active samples |

Recommendations
Organizations should take the following actions to reduce exposure to this campaign:
Deploy endpoint protection capable of detecting in-memory execution, process hollowing, and AMSI/ETW patching activity.
Block inbound email attachments consisting of executable files packaged within compressed archives where there is no legitimate business need.
Conduct phishing awareness training focused on invoice, purchase order, and business document lures.
Monitor endpoint activity for suspicious process creation, memory injection patterns, and abnormal parent-child process relationships.
Implement network-level monitoring to detect unusual outbound communication via SMTP, FTP, or HTTP POST to unrecognized infrastructure.
Enforce multi-factor authentication across all user accounts, prioritizing those with access to sensitive systems and cloud services.
Review and restrict access to communication platforms such as Discord and Telegram from corporate endpoints where not operationally required.
Conclusion
This VIP Keylogger campaign demonstrates how phishing delivery, combined with in-memory execution, steganography, and security-control patching, can support large-scale credential-theft operations while evading conventional detection. The malware's broad targeting of applications, spanning browsers, email clients, and communication tools, increases the risk of significant credential exposure across affected environments. Organizations should prioritize phishing awareness, robust endpoint visibility, and detection of suspicious process activity and outbound communications to reduce the likelihood of compromise from this campaign.