{
	"id": "af696bc1-68f4-4457-a24f-918bdbffd908",
	"created_at": "2026-04-06T00:08:33.517342Z",
	"updated_at": "2026-04-10T03:35:25.249027Z",
	"deleted_at": null,
	"sha1_hash": "6eb9ca06300aeeb19caf2fb0c6fa79fab5bf7b8f",
	"title": "VIPKeyLogger Infostealer in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3905611,
	"plain_text": "VIPKeyLogger Infostealer in the Wild\r\nPublished: 2024-12-13 · Archived: 2026-04-05 20:12:57 UTC\r\n1. Home\r\n2. VIPKeyLogger Infostealer In The Wild\r\nData Security,Awareness\r\nPrashant Kumar\r\nResearch\r\nEmail Security\r\nData Security Everywhere\r\nInfostealers are a type of trojan used extensively by malware authors to harvest sensitive data types like login\r\ndetails, financial information, system data and personal identifiable information. \r\nRecently, we observed an increase in activity from a new infostealer known as VIPKeyLogger. In this blog post,\r\nwe will analyze it in more detail.\r\nVIPKeyLogger shares a lot in common with the subscription-based Snake Keylogger, which is also known as 404\r\nKeylogger.\r\nhttps://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware\r\nPage 1 of 10\n\nThis new infostealer circulates through phishing campaigns as an attachment that takes the form of an archive or\r\nMicrosoft 365 files. The archive contains executable content in Microsoft Office files spread via C2.\r\nAttack chain:\r\nEmail file:\r\nFig. 1 - Original email\r\nMalicious Doc file\r\nhttps://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware\r\nPage 2 of 10\n\nFig. 2 - Malicious document\r\nThe file looks like other files related to CVE-2017-11882. On dissecting the file, we see it’s an rtf file from the\r\nfile headers.\r\nFig. 3 - File header\r\nOn checking a dump of the file, we find objdata below, which contains encoded contents.\r\nFig. 4 - Dump of RTF file\r\nFrom here, we can dump the objdata to see the content itself.\r\nhttps://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware\r\nPage 3 of 10\n\nFig. 5 - Dumped content\r\nFor the next part, we dump other objects. From there, we can see some content related to object data that further\r\nresolves to an URL and downloads malicious executable.\r\nFig. 
5.1 - Partial content of RTF file\r\nOn removing blank lines and whitespace, we can restore the object data that forms a URL:\r\nFig. 6 - Restored object\r\nThe content in Fig. 6 connects to the URL hxxp://87.120.84[.]39/txt/xXdqUOrM1vD3An.exe and downloads the malicious file.\r\nThe downloaded file is a .NET compiled file, as shown in Fig. 7:\r\nFig. 7 - .NET compiled file\r\nNext, we look closer using dnSpy. The assembly loads under the name skkV.exe irrespective of the file name on disk.\r\nFig. 8 - dnSpy view of the file\r\nThe file contains several classes. Execution starts from the MainForm() class, which has several ToCharArray conversions.\r\nFig. 9 - Main initialization\r\nUnder the Resources section, there is a bitmap image named “vmGP” that looks like a noisy, grainy image. The obfuscated code is hidden in this steganographic image.\r\nFig. 10 - Steganographic image\r\nOn further analysis, we found that this payload exfiltrates various data such as PC names, country names, clipboard data, screenshots, cookies, browser history and more. It sends the harvested information via Telegram to dynamic DuckDNS C2 servers from the file loaded into memory, as shown in the four images below:\r\nFig. 11 - Harvested data types\r\nFig. 11.2 - Examples of exfiltrated data\r\nFig. 11.3 - More examples of exfiltrated data\r\nFig. 11.4 - Dumped strings of PE file in memory\r\nConclusion:\r\nKeyloggers are one of the most common threats in a hacker's arsenal. 
They are delivered through phishing campaigns carrying malicious attachments as the lure. These infected files exist to steal as much information from a victim’s system as possible.\r\nWhen a user opens the archive attachment, it drops or downloads the infected file into a temporary or startup folder for persistence. When opened, the Microsoft 365 or archive attachment downloads a file into the %AppData% (Roaming) directory, executes it, deletes itself and copies the injected content into the file from which it was executed. It then carries out a series of collection and exfiltration steps: recording keystrokes and collecting clipboard data, screenshots, browser history, cookies and email configuration details. It sends the harvested data via Telegram to dynamic DuckDNS C2 servers.\r\nProtection statement\r\nForcepoint customers are protected against this threat at the following stages of attack:\r\nStage 2 (Lure) - Malicious attachments associated with these attacks are identified and blocked.\r\nStage 3 (Redirect) - URLs that download the further payload are blocked.\r\nStage 5 (Dropper File) - The dropper files are added to the Forcepoint malicious database and are blocked.\r\nStage 6 (Call Home) - C2 communication is blocked.\r\nIOCs\r\nRTF (SHA1): a7fb35d35eb23fe3b4358e3c843f5982a161534e\r\nDropped exe (SHA1): 2830f9d5f41bbecd2ae105ed0b9a8d49327c8594\r\nMalicious URLs\r\nhxxp://87.120.84[.]39/txt/xXdquUOrM1vD3An.exe\r\nhxxp://51.38.247[.]67:8081/_send_.php?L\r\nC2\r\nvarders.kozow[.]com:8081\r\naborters.duckdns[.]org:8081\r\nanotherarmy.dns[.]army:8081\r\nmail.jhxkgroup[.]online\r\nPrashant Kumar\r\nPrashant serves as a Security Researcher for the X-Labs Threat Research Content. 
He spends his time researching web- and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.\r\nSource: https://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware"
	],
	"report_names": [
		"vipkeylogger-infostealer-malware"
	],
	"threat_actors": [
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775792125,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eb9ca06300aeeb19caf2fb0c6fa79fab5bf7b8f.pdf",
		"text": "https://archive.orkl.eu/6eb9ca06300aeeb19caf2fb0c6fa79fab5bf7b8f.txt",
		"img": "https://archive.orkl.eu/6eb9ca06300aeeb19caf2fb0c6fa79fab5bf7b8f.jpg"
	}
}
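The objdata recovery the post walks through in Figs. 4 to 6 (dump the `\objdata` group, strip the blank lines and whitespace, decode the hex, read the embedded URL), as an added Python example; this is not code from the Forcepoint post. The sample RTF is constructed here: a standard OLE 1.0 embedded object of class Equation.3 (the Equation Editor class associated with CVE-2017-11882) whose native-data field carries the download URL from the post, hex-encoded and scattered over lines with blank lines, spaces and a stray `\par` control word. Placing the URL in the native data is a simplification for the demo, not the layout of the real exploit document.

```python
"""Recover and inspect the hex-encoded object data of an RTF \\objdata group.

Added example; not code from the Forcepoint post. The sample RTF is
constructed below.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

OBJDATA_RE = re.compile(r"\\objdata\b")
# RTF control words (\par, \bin, ...) and the \* marker are not part of the hex.
CONTROL_WORD_RE = re.compile(r"\\\*|\\[A-Za-z]+-?\d* ?")
NON_HEX_RE = re.compile(r"[^0-9A-Fa-f]")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


@dataclass
class ObjData:
    raw: str                      # text as it appears inside the braces
    data: bytes                   # decoded object data
    class_name: Optional[str]     # OLE 1.0 class name, e.g. Equation.3
    urls: List[str] = field(default_factory=list)


def objdata_groups(rtf: str) -> List[str]:
    """Return the text inside every {\\*\\objdata ...} group, braces excluded."""
    groups = []
    for m in OBJDATA_RE.finditer(rtf):
        depth, start = 0, m.end()
        for i in range(start, len(rtf)):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:          # closing brace of the objdata group
                    groups.append(rtf[start:i])
                    break
                depth -= 1
    return groups


def restore_hex(raw: str) -> bytes:
    """Strip control words, blank lines and whitespace so the hex decodes."""
    text = NON_HEX_RE.sub("", CONTROL_WORD_RE.sub("", raw))
    if len(text) % 2:               # tolerate a truncated dump
        text = text[:-1]
    return bytes.fromhex(text)


def ole1_class_name(data: bytes) -> Optional[str]:
    """Class name from an OLE 1.0 header: version, format id, then a
    length-prefixed ANSI string. Equation.3 is the Equation Editor class
    abused by CVE-2017-11882."""
    if len(data) < 12 or data[:4] != b"\x01\x05\x00\x00":
        return None
    (n,) = struct.unpack_from("<I", data, 8)
    if n == 0 or 12 + n > len(data):
        return None
    return data[12:12 + n].rstrip(b"\0").decode("ascii", "replace")


def decode_objdata(rtf: str) -> List[ObjData]:
    """Decode every objdata group and pull out any URLs it carries."""
    results = []
    for raw in objdata_groups(rtf):
        data = restore_hex(raw)
        urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
        results.append(ObjData(raw, data, ole1_class_name(data), urls))
    return results


def _build_sample_rtf() -> str:
    """Constructed sample document (not the real file from the post)."""
    url = b"http://87.120.84.39/txt/xXdqUOrM1vD3An.exe\0"
    ole1 = (
        b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"          # OLE 1.0, embedded
        + struct.pack("<I", 11) + b"Equation.3\0"           # class name
        + struct.pack("<I", 0) + struct.pack("<I", 0)       # topic/item names
        + struct.pack("<I", len(url)) + url                 # native data
    )
    hx = ole1.hex()
    words = [hx[i:i + 8] for i in range(0, len(hx), 8)]
    body = "\r\n\r\n".join(" ".join(words[i:i + 4]) for i in range(0, len(words), 4))
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            "{\\*\\objdata \\par " + body + "}}}")


SAMPLE_RTF = _build_sample_rtf()

if __name__ == "__main__":
    for obj in decode_objdata(SAMPLE_RTF):
        print(obj.class_name, len(obj.data), "bytes", obj.urls)
```

Control words are removed before the non-hex filter runs: stripping only whitespace would leave the letters of an interleaved `\par` or `\bin` in the hex stream and shift every following byte, which is the usual reason a hand-cleaned dump refuses to decode.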
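The post says the obfuscated code is hidden in a noisy bitmap resource named vmGP but does not state how the bytes are laid out in the image. The following added Python example, which is not code from the post or from the malware, shows the analyst side of that step: parse the dumped 24-bit BMP correctly (bottom-up row order, 4-byte row padding), lift the pixel bytes out, and check whether what comes out is an executable. The embedding convention used (payload bytes written straight into the pixel data behind a 4-byte little-endian length, remaining pixels filled with noise) is an assumption for the demo, and both the carrier and the MZ/PE blob are constructed.

```python
"""Pull a payload out of a bitmap resource used as a steganographic carrier.

Added example; not code from the Forcepoint post. The length-prefixed
pixel-stream convention is assumed for the demo, not taken from the loader.
"""
import struct
from typing import Optional

BMP_HEADER_SIZE = 14 + 40   # BITMAPFILEHEADER + BITMAPINFOHEADER


def _noise(n: int, seed: int = 0x5EED) -> bytes:
    """Deterministic LCG filler so the carrier looks like static."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def embed_in_bmp(payload: bytes, width: int = 61) -> bytes:
    """Write len+payload into the pixel bytes of a bottom-up 24-bit BMP.
    width=61 gives 183-byte rows, so the 4-byte row padding is exercised."""
    stream = struct.pack("<I", len(payload)) + payload
    row_bytes = width * 3
    height = -(-len(stream) // row_bytes)                 # ceil division
    stream += _noise(height * row_bytes - len(stream))
    stride = (row_bytes + 3) & ~3
    pad = b"\0" * (stride - row_bytes)
    rows = [stream[r * row_bytes:(r + 1) * row_bytes] + pad for r in range(height)]
    pixels = b"".join(reversed(rows))                     # BMP stores rows bottom-up
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", BMP_HEADER_SIZE + len(pixels), 0, 0,
                       BMP_HEADER_SIZE)
    return head + info + pixels


def bmp_pixels(bmp: bytes) -> bytes:
    """Parse an uncompressed 24-bit BMP and return its pixel bytes in
    top-down raster order with row padding removed. Positive height means
    bottom-up storage, negative means top-down."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    (data_off,) = struct.unpack_from("<I", bmp, 10)
    hdr, width, height, _planes, bpp, comp = struct.unpack_from("<IiiHHI", bmp, 14)
    if hdr < 40 or bpp != 24 or comp != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled")
    row_bytes, stride = width * 3, (width * 3 + 3) & ~3
    rows = [bmp[data_off + r * stride:data_off + r * stride + row_bytes]
            for r in range(abs(height))]
    if height > 0:
        rows.reverse()
    return b"".join(rows)


def carve_payload(pixels: bytes) -> bytes:
    """Assumed convention: 4-byte LE length, then the payload."""
    (n,) = struct.unpack_from("<I", pixels, 0)
    if n > len(pixels) - 4:
        raise ValueError("length prefix exceeds pixel data")
    return pixels[4:4 + n]


def looks_like_pe(blob: bytes) -> bool:
    """MZ magic plus a PE signature at e_lfanew: enough to flag a carved
    executable for further triage."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def make_fake_pe(body: int = 300) -> bytes:
    """Constructed stand-in for the dropped executable: a DOS header with
    e_lfanew=0x40, a PE signature, then filler."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + _noise(body, seed=7)


def recover_from_resource(bmp: bytes) -> Optional[bytes]:
    """Carve the pixel stream and keep it only if it is a PE image."""
    blob = carve_payload(bmp_pixels(bmp))
    return blob if looks_like_pe(blob) else None


if __name__ == "__main__":
    carrier = embed_in_bmp(make_fake_pe())
    got = recover_from_resource(carrier)
    print(len(carrier), "byte carrier ->", None if got is None else f"{len(got)}-byte PE")
```

If the carved bytes do not start with MZ, the loader is using a different convention (a fixed offset, a channel subset, or a decryption step applied to the pixels); the place to read it off is the code in MainForm() that touches the vmGP resource, since the loader itself has to perform the same extraction.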
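The IOC section lists URLs and C2 hosts in defanged form and the conclusion describes call-home traffic to dynamic DuckDNS hosts on port 8081. The following added Python example, which is not code from the post, refangs those IOCs, normalises each to host and port, and hunts for them in proxy log lines; the log lines are constructed and their format (timestamp, client, method, URL, status) is an assumption. Matching is by host rather than full URL, which matters here because the post itself spells the payload filename two different ways.

```python
"""Refang the post's IOCs and hunt for them in proxy logs.

Added example; not code from the Forcepoint post. IOC strings are copied
from the post's IOC section; the proxy log is constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

IOCS = [
    "hxxp://87.120.84[.]39/txt/xXdquUOrM1vD3An.exe",
    "hxxp://51.38.247[.]67:8081/_send_.php?L",
    "varders.kozow[.]com:8081",
    "aborters.duckdns[.]org:8081",
    "anotherarmy.dns[.]army:8081",
    "mail.jhxkgroup[.]online",
]

# Dynamic-DNS suffixes that appear in the post's C2 list.
DYNDNS_SUFFIXES = (".duckdns.org", ".dns.army", ".kozow.com")
C2_PORT = 8081   # every dynamic-DNS C2 in the post listens here

DEFAULT_PORTS = {"http": 80, "https": 443}


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(fanged, plain)
    return s


def host_port(target: str) -> Tuple[Optional[str], Optional[int]]:
    """Host and port of a URL or bare host[:port]; port falls back to the
    scheme default so http://x and http://x:80 compare equal."""
    s = refang(target)
    u = urlsplit(s if "://" in s else "//" + s)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return (u.hostname.lower() if u.hostname else None), port


def ioc_index(iocs: List[str]) -> Dict[str, Set[Optional[int]]]:
    """host -> ports seen for it (None when the IOC named no port)."""
    index: Dict[str, Set[Optional[int]]] = {}
    for ioc in iocs:
        host, port = host_port(ioc)
        if host:
            index.setdefault(host, set()).add(port)
    return index


def scan_proxy_log(lines: List[str], iocs: List[str] = IOCS) -> List[dict]:
    """Flag lines whose destination host is an IOC, or a dynamic-DNS host
    contacted on the C2 port. Matching is by host, not full URL, so a
    renamed payload path on the same server is still caught."""
    index = ioc_index(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host, port = host_port(parts[3])
        if not host:
            continue
        reasons = []
        if host in index:
            reasons.append(f"ioc:{host}")
        if port == C2_PORT and host.endswith(DYNDNS_SUFFIXES):
            reasons.append(f"dyndns:{C2_PORT}")
        if reasons:
            hits.append({"line": n, "host": host, "port": port, "reasons": reasons})
    return hits


# Constructed proxy log: the first three lines mirror the post's attack chain.
SAMPLE_LOG = [
    "2024-12-12T09:58:11Z 10.0.0.7 GET http://87.120.84.39/txt/xXdqUOrM1vD3An.exe 200",
    "2024-12-12T09:58:40Z 10.0.0.7 CONNECT varders.kozow.com:8081 200",
    "2024-12-12T09:59:02Z 10.0.0.7 POST http://51.38.247.67:8081/_send_.php?L 200",
    "2024-12-12T10:00:15Z 10.0.0.9 GET https://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware 200",
    "2024-12-12T10:01:30Z 10.0.0.7 CONNECT newhost.duckdns.org:8081 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The dynamic-DNS rule fires on the last line even though that host is not in the IOC list, which is the point of writing the heuristic alongside the exact matches: the operators can register a new DuckDNS name in minutes, but the port and the hosting pattern change more slowly. The Telegram exfiltration the post describes does not appear in this host list at all; that traffic goes to Telegram's own API endpoint, so hunting for this family also means baselining which endpoints in your environment legitimately talk to it.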