Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads

Home Cyber Security News Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads A sophisticated multi-stage malware campaign has surfaced, deploying obfuscated Visual Basic Script (VBS) files, PNG-embedded loaders, and remote access trojans (RATs) to target systems without leaving a trace on disk. What began as a routine endpoint detection in early 2026 quickly revealed itself to be far more organized than a single opportunistic attack, exposing a reusable delivery framework capable of pushing different malware payloads across separate attack chains from one shared infrastructure. The first sign of the campaign was a suspicious VBS file named Name_File.vbs, found in the \Users\Public\Downloads\ directory of a compromised endpoint. SentinelOne endpoint protection caught and quarantined the file before it could fully run. Even so, the encoded content inside the script warranted a closer look. When decoded, it exposed a Base64-encoded PowerShell command with embedded external network references — a clear signal that the file was designed to pull additional components from a remote server. LevelBlue analysts identified that this single endpoint alert was a window into a much larger operation. The investigation, carried out by LevelBlue’s SpiderLabs Cyber Threat Intelligence team, uncovered an attacker-controlled domain hosting multiple obfuscated VBS files, each linked to a different malware payload — including XWorm variants and Remcos RAT stored as text files. A separate infection chain tied to a fake PDF was also active on the same infrastructure, confirming the campaign’s deliberate, multi-vector design. The attacker’s infrastructure centered on openly accessible directories within the domain news4me[.]xyz, including /coupon/, /protector/, and /invoice/. Each directory served a distinct role — staging VBS launchers, hosting obfuscated payload files, or delivering entirely separate infection vectors. This open-directory setup was not accidental; it let the attacker quickly update, rotate, or expand hosted payloads without modifying the core delivery logic, creating a flexible, scalable system capable of staying operational even after partial detection. Inside the Infection Mechanism: VBS to In-Memory RAT Execution The infection begins with a VBS file that acts purely as a launcher, carrying no active malicious code of its own. Name_File.vbs content (Source – LevelBlue) The script is buried beneath layers of Unicode obfuscation. Stripping those characters exposes the raw encoded script in a Base64-encoded PowerShell command that serves as the true engine of the attack. Name_File.vbs Unicode removal (Source – LevelBlue) That PowerShell command functions as a fileless loader. It enforces TLS 1.2 and uses the Net.WebClient class to fetch a remote file from an Internet Archive URL. Name_File.vbs decoded PowerShell command (Source – LevelBlue) Instead of pulling a traditional executable, it downloads a PNG image — MSI_PRO_with_b64.png. The file looks ordinary, but hidden inside it — between custom BaseStart and BaseEnd markers. This assembly, known as PhantomVAI, loads directly into memory via Reflection.Assembly::Load, running entirely in RAM and bypassing most file-based security controls. Once running, PhantomVAI passes two URLs into its VAI method for follow-on execution. The first, news4me[.]xyz/protector/johnremcos.txt, contains an obfuscated string that decodes into a working instance of Remcos RAT, giving the attacker persistent remote access to the machine. The second URL delivers uac.png, a PNG file carrying a UAC Bypass DLL in the same embedded format — designed to silently escalate privileges. Together, these payloads hand the attacker full control while leaving virtually no traditional file artifacts behind. Organizations should restrict .vbs and .bat execution from user-writable directories such as \Users\Public\ and enforce constrained PowerShell policies with in-memory execution logging. At the network level, blocking WebDAV-based connections and filtering .xyz top-level domains can limit access to the attacker infrastructure identified in this campaign. Endpoint protection must be paired with deeper threat intelligence investigation — stopping one alert is not sufficient when the broader infrastructure remains active and ready to deploy from alternate vectors. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Mirai-Based Botnets Evolve Into Massive DDoS and Proxy Abuse Threat Cyber Security News Linux Ransomware Pay2Key Attacking Organizations Ervers, Virtualization Hosts, and Cloud Workloads ANY.RUN macOS Threats Are the Biggest Security Gap in 2026: How SOC Teams Close It  Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026