VIP Keylogger Campaign Uses Fake Business Documents to Steal Passwords, Cookies, and Crypto Wallets

A new wave of VIP Keylogger attacks is using phishing emails disguised as routine business documents to infect Windows systems and steal sensitive data. The campaign relies on fake payment notices, procurement orders, logistics updates, and other work-related lures to convince users to open malicious script files.

The latest analysis from the Splunk Threat Research Team shows that attackers are using Visual Basic Script, JavaScript, and batch file loaders to start the infection chain. These files use heavy obfuscation, hidden PowerShell stages, and steganography to avoid detection before installing the final malware payload.

VIP Keylogger can record keystrokes, steal browser credentials, capture screenshots, read clipboard data, extract Outlook-related registry data, collect Wi-Fi passwords, and send stolen information to command-and-control servers. The campaign matters because it turns simple phishing emails into a multi-stage credential theft operation that can expose personal accounts, business logins, crypto wallets, and internal network access.

How the VIP Keylogger Attack Starts

The attack begins when a victim opens a malicious file attached to, or linked from, a phishing email. The lure usually looks like a normal business message. Splunk says attackers have used themes such as bank payment notifications, procurement orders, and logistics updates to make the files look trustworthy.

Researchers analyzed more than 200 VIP Keylogger script loader samples collected between March and April 2026. Those samples showed repeated naming patterns, which suggests the attackers continue to rely on familiar business workflows to increase the chance that employees will open the files.

The infection chain then moves through several layers. Depending on the loader type, the malware can use junk code, hex-encoded strings, encrypted PowerShell, registry-based environment variables, or hidden payloads inside PNG image files.

VIP Keylogger Attack Chain at a Glance

Stage	What Happens	Why It Matters
Phishing lure	Attackers send fake business documents or payment-related files.	Users may trust the message because it matches routine work activity.
Script loader	The victim opens a VBS, JS, or BAT file.	The loader starts the malware chain while hiding its real purpose.
PowerShell stage	The loader runs encoded or encrypted PowerShell commands.	This helps attackers avoid basic security checks.
Steganography	Malicious data hides inside PNG image files.	The payload can look like a harmless image download.
Payload execution	VIP Keylogger runs and injects into a legitimate Windows process.	The malware becomes harder for users and defenders to spot.
Data theft	The malware steals credentials, screenshots, clipboard data, and other information.	Attackers can use the stolen data for account takeover, fraud, or further attacks.

The Malware Hides Payloads Inside PNG Images

One of the campaign’s more notable techniques involves steganography. The malware downloads two files with PNG extensions, but the files carry encoded malicious components instead of simple image content.

The Splunk Threat Research Team found that one PNG file carries an encoded downloader component, while the second contains the final VIP Keylogger payload. The malware decodes the hidden data and continues the infection chain without relying on an obvious executable download.

A separate SOC Prime summary of the research also highlights the same multi-layered approach, including malicious VBS, JavaScript, and batch loaders, as well as abuse of environment variables and PNG-based payload hiding.

Why the Loaders Are Hard to Analyze

The VBS loader pads its content with junk code to bury the real malicious payload. Once decoded, the script passes execution to a PowerShell stage that can temporarily store code in a user environment variable called INTERNAL_DB_CACHE.

The JavaScript loader follows a different path. It downloads a PowerShell stager that decodes and decrypts the next stage using base64 and AES. That stage can prepare the final malware for process injection.

The batch loader uses another trick. It hides a PowerShell stager below the visible batch code and can use the UserInitMprLogonScript registry key for persistence. That means the malware can run again when the user logs in.

What VIP Keylogger Steals From Infected PCs

Once active, VIP Keylogger focuses on data theft. It targets saved passwords, cookies, browsing history, download history, autofill data, credit card details, and other browser-stored information.

The malware also looks beyond browsers. Splunk says it can scan Discord local storage for tokens, mine the Windows registry for Outlook credentials, capture keystrokes, take screenshots, collect Wi-Fi passwords through Windows network commands, and gather system details such as hostname, IP address, country, and geolocation.

The older Seqrite Labs analysis of a VIP Keylogger phishing campaign also described the malware as a credential-stealing threat that targets browsers such as Chrome, Microsoft Edge, and Mozilla Firefox while monitoring clipboard activity.

Clipboard Hijacking Adds Financial Risk

VIP Keylogger also monitors clipboard content. When it sees a cryptocurrency wallet address, it can silently replace the copied address with one controlled by the attacker.

This creates a direct theft risk for users who copy and paste wallet addresses during transactions. If the user does not check the destination address before sending funds, the payment may go to the attacker instead.

The malware checks for several cryptocurrency formats, including Bitcoin, Monero, Stellar, Ethereum, Ripple, Litecoin, Bitcoin Cash, NEO, and DASH. That makes the clipboard feature useful for attackers targeting both individual users and business environments that handle crypto payments.

How VIP Keylogger Avoids Detection

• It uses phishing lures that look like normal workplace documents.
• It hides malicious code behind junk script content and encoded PowerShell.
• It stores temporary code in environment variables to reduce obvious files on disk.
• It hides payload data inside PNG files.
• It checks for sandbox and analysis environments.
• It can delete its own executable after running.
• It injects into legitimate Windows processes to blend in with normal activity.

These tactics do not make the malware invisible, but they make simple signature-based detection less reliable. Security teams need to watch behavior, not just file names or hashes.

That includes suspicious script execution, PowerShell commands launched by script files, abnormal registry changes, unexpected PNG downloads from unknown domains, and unusual process activity linked to aspnet_compiler.exe or other legitimate Windows components.

What Security Teams Should Monitor

Defenders should pay close attention to changes under HKCU\Environment, especially entries involving INTERNAL_DB_CACHE or unusually large environment variable values. Creation or modification of the UserInitMprLogonScript registry key also deserves investigation because attackers can use it for persistence.

Security teams should also monitor script-based parent processes that launch PowerShell or .NET payloads. DNS traffic to Telegram’s API domain can indicate command-and-control or data exfiltration activity, especially when it appears from endpoints that do not normally use Telegram services.

The SOC Prime write-up recommends isolating infected hosts, collecting volatile memory and process logs, hunting for registry artifacts, removing malicious scripts, and resetting exposed credentials when VIP Keylogger indicators appear.

How Users and Companies Can Reduce the Risk

• Do not open unexpected attachments that claim to be payment notices, purchase orders, shipping updates, or invoices.
• Block or quarantine script files such as VBS, JS, and BAT attachments when business use does not require them.
• Enable PowerShell script block logging on managed Windows devices.
• Use endpoint detection rules for suspicious registry changes and script-to-PowerShell execution.
• Turn on multi-factor authentication for email, cloud, banking, and admin accounts.
• Reset passwords if an endpoint shows signs of VIP Keylogger infection.
• Check cryptocurrency wallet addresses before confirming transactions.

VIP Keylogger campaigns show why phishing protection still needs several layers. User training helps, but companies also need attachment filtering, endpoint monitoring, PowerShell controls, and fast credential reset procedures.

The Seqrite Labs report from 2025 shows that VIP Keylogger has appeared in earlier phishing activity as well, including campaigns that delivered the malware through malicious email attachments. The latest activity shows that the operators continue to update delivery and evasion methods rather than relying on a single fixed infection chain.

FAQ