A New Wave of Stealth Attacks Is Exploiting VBScript and Registry Abuse
A cyberattack campaign uncovered by Seqrite Labs spotlights an evolved variant of the Masslogger credential stealer. This version combines fileless techniques, multi-stage in-memory execution, and Windows Registry manipulation to evade detection and persist on compromised systems. Beyond the initial obfuscated VBScript file, delivered through spam emails and drive-by downloads, no later stage is written to disk: payloads are staged in the registry and loaded straight into memory, which sidesteps antivirus products that rely on scanning files. Designed to stay out of sight and resist analysis, the malware raises the stakes for defenders and organizations worldwide.
How the Fileless Malware Campaign Operates
The campaign begins with a .VBE (VBScript Encoded) file that arrives through phishing or malicious download channels. Encoded with Microsoft's Script Encoder, the script is unreadable at first glance, but the encoding is reversible and offers no real protection; once it was decoded, researchers found several further layers of obfuscation that complicate detection and slow reverse engineering. Upon execution, the script quietly writes obfuscated values into the Windows Registry, including PowerShell commands, .NET assemblies, and logic flags.
Instead of writing further files to disk, the malware stages its payloads in the registry. It checks for the presence of MSBuild.exe in the .NET Framework directory to decide which version of its stager to deploy, so it can operate across different environments. From there, it runs two .NET-based stagers, both loaded directly into memory through carefully constructed PowerShell commands.
The first stager retrieves its code from registry values, decodes it, and loads it into memory. It then triggers a second stager, stored in the registry as a reversed string. This one reconstructs the full Masslogger payload from components split across multiple registry values for stealth, so that no single value holds a complete executable. The payload then runs via process hollowing, hijacking a legitimate Windows process, specifically AddInProcess32.exe, a .NET Framework component.
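Hunting for this kind of registry staging is something a defender can script. The following is an added example, not Seqrite Labs' code or anything recovered from the campaign: it takes a snapshot of registry string values (constructed here; on a real host you would feed in the output of Get-ItemProperty or a reg export), reassembles values that were split into numbered chunks, decodes each candidate both as stored and reversed, and reports those that decode to a PE image. The value names, the chunk naming scheme and the fake PE blob are assumptions made for illustration.

```python
"""Hunt for registry-staged .NET payloads.

Added example, not Seqrite Labs' or Undercode's code. The value names,
the <prefix>_<n> chunk convention and the sample blobs are constructed.

A Masslogger-style stager keeps its next stage as a base64 string in a
registry value, sometimes reversed and sometimes split across several
values. A Windows executable starts with the bytes "MZ", so after
reassembling and decoding a candidate (as stored, or reversed) we check
for a PE header instead of matching on any particular sample.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CHUNK_RE = re.compile(r"^(.+)_(\d+)$")   # assumed naming: Payload_0, Payload_1, ...


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_decode(value: str) -> Optional[Tuple[bytes, str]]:
    """Decode value as base64, as stored or reversed; return (bytes, orientation)
    if the result is a PE image, else None."""
    for candidate, orientation in ((value, "forward"), (value[::-1], "reversed")):
        s = candidate.strip()
        if len(s) < 64 or not B64_RE.match(s):
            continue
        try:
            data = base64.b64decode(s, validate=True)
        except binascii.Error:
            continue
        if looks_like_pe(data):
            return data, orientation
    return None


def reassemble_chunks(values: Dict[str, str]) -> Dict[str, str]:
    """Join values named <prefix>_<n> in numeric order into one candidate per
    prefix (reported as '<prefix>*'); other values pass through unchanged."""
    groups: Dict[str, List[Tuple[int, str]]] = {}
    out: Dict[str, str] = {}
    for name, data in values.items():
        m = CHUNK_RE.match(name)
        if m:
            groups.setdefault(m.group(1), []).append((int(m.group(2)), data))
        else:
            out[name] = data
    for prefix, parts in groups.items():
        out[prefix + "*"] = "".join(chunk for _, chunk in sorted(parts))
    return out


def scan_registry_values(values: Dict[str, str]) -> List[dict]:
    """Return one finding per value (or chunk group) that decodes to a PE."""
    findings = []
    for name, value in reassemble_chunks(values).items():
        decoded = try_decode(value)
        if decoded is None:
            continue
        data, orientation = decoded
        findings.append({"value": name, "orientation": orientation,
                         "size": len(data)})
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real assembly: a minimal MZ/PE header."""
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    return bytes(img)


def sample_registry_values() -> Dict[str, str]:
    """Constructed snapshot of string values under one hypothetical key."""
    b64 = base64.b64encode(build_fake_pe()).decode()
    rev = b64[::-1]
    third = len(rev) // 3
    return {
        "Stager1": b64,                        # stored as plain base64
        "Stager2": rev,                        # stored reversed
        "Payload_0": rev[:third],              # reversed and split in three
        "Payload_1": rev[third:2 * third],
        "Payload_2": rev[2 * third:],
        "Flag": "1",                           # logic flag, not a payload
        "Path": r"C:\Users\victim\AppData\Roaming\update.vbe",
    }


if __name__ == "__main__":
    for finding in scan_registry_values(sample_registry_values()):
        print(finding)
```

The PE-header check is deliberately structural rather than signature-based: any .NET assembly, from this campaign or the next, will satisfy it, while flags, paths and short strings are skipped. Expect some manual follow-up on a real host, since legitimate software also stores binary blobs in the registry; the decoded bytes can be handed to a .NET disassembler to confirm what they are.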
Persistence is maintained through a scheduled task that runs a VBS script every minute; the script calls SendKeys from PowerShell to simulate keystrokes and mimic user activity. The malware also checks the system for security software and, if it finds several products installed, aborts execution rather than risk detection.
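A scheduled task of that shape is easy to spot once you look for it. The following is an added example, not code from the original report: it triages Task Scheduler XML (the format produced by `schtasks /query /xml` or found under C:\Windows\System32\Tasks) and flags tasks that repeat on a short interval and launch a script host on a .vbs/.vbe file from a user-writable directory. The two task definitions are constructed, and the task names and paths in them are hypothetical.

```python
"""Triage exported Task Scheduler XML for Masslogger-style persistence.

Added example, not Seqrite Labs' or Undercode's code. The two task
definitions are constructed; task names, paths and the script name are
hypothetical. Real definitions come from `schtasks /query /xml /tn <name>`
or from C:\\Windows\\System32\\Tasks\\<name>.

A task is flagged when it repeats on a short interval and launches a
script host (wscript/cscript/powershell/mshta) on a script file from a
user-writable location, which is the shape of the persistence described.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1)\b", re.IGNORECASE)
USER_PATHS = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_interval(text: Optional[str]) -> Optional[int]:
    """ISO 8601 duration as used by Task Scheduler (PT1M, P1DT2H) -> seconds."""
    if not text:
        return None
    m = DURATION.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(xml_text: str, short_interval: int = 300) -> dict:
    """Score one task definition; 'suspicious' when three or more traits match."""
    root = ET.fromstring(xml_text)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI") or "<unnamed>"
    reasons: List[str] = []

    # Shortest repetition interval across all triggers.
    intervals = [parse_interval(e.text) for e in root.iter(f"{NS}Interval")]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    if shortest is not None and shortest <= short_interval:
        reasons.append(f"repeats every {shortest}s")

    for exec_el in root.iter(f"{NS}Exec"):
        cmd = (exec_el.findtext(f"{NS}Command") or "").strip().strip('"')
        args = exec_el.findtext(f"{NS}Arguments") or ""
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if SCRIPT_EXT.search(args):
            reasons.append("launches a script file")
        if USER_PATHS.search(args) or USER_PATHS.search(cmd):
            reasons.append("runs from a user-writable path")

    return {"task": uri, "interval": shortest, "reasons": reasons,
            "suspicious": len(reasons) >= 3}


# Constructed: a task that re-runs a VBS every minute from the user's profile.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsUpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Roaming\svc.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary daily updater installed under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Vendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for task_xml in (SUSPECT_TASK, BENIGN_TASK):
        print(triage_task(task_xml))
```

Run this over every file under C:\Windows\System32\Tasks (or the per-task output of schtasks) and review anything marked suspicious; the individual reasons are kept in the result so an analyst can see whether a hit is the one-minute VBS pattern from this campaign or merely a short-interval task from legitimate software.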
A notable feature of the campaign is geo-targeted payload delivery: on systems located in France, for example, additional malware is downloaded from a remote URL. Once active, Masslogger harvests credentials, autofill data, clipboard content, and screenshots, logs keystrokes, and exfiltrates the take over FTP, SMTP, or Telegram, depending on how the attacker configured the build.
This fileless, registry-based approach leaves little forensic evidence on disk, making the intrusion harder to trace. Defenders must lean on behavioral analysis, memory inspection, and registry monitoring rather than relying solely on signature-based detection.
What Undercode Say:
Evolution of Malware: From Files to Registry
The Masslogger campaign exemplifies the ongoing evolution of malware tactics—from disk-based infections to fileless, in-memory threats. By embedding its payloads into Windows Registry and avoiding disk writes, the malware sidesteps traditional antivirus tools, which are typically designed to monitor file activity.
VBScript Returns as a Weapon
Despite being decades old, VBScript remains a potent tool for attackers because Windows still ships its interpreter natively and the script can launch PowerShell through WScript.Shell. Encoding the script as .VBE adds another layer of complexity, masking its contents from simple content filters and signature scanners even though the encoding is trivially reversible.
Registry: The New Malware Battlefield
Registry abuse is central to this campaign. It’s used not only for storing payloads but also for flags, execution logic, and staging components. This technique enables multi-stage execution without ever touching the disk, allowing attackers to build stealthy, modular malware systems.
Memory-Only Execution and Obfuscation
By loading both stagers directly into memory using obfuscated PowerShell, the malware avoids creating executable files. Memory-only execution reduces forensic visibility and frustrates post-infection analysis. This approach mirrors tactics used by nation-state actors and APT groups, indicating a high level of operational maturity.
Process Hollowing for Stealth Execution
Process hollowing is a tried-and-true method in the malware arsenal. By injecting malicious code into a legitimate process (AddInProcess32.exe), the malware camouflages its operations, making it appear as if a trusted, Microsoft-signed application is running. The giveaway is that the hollowed process's memory no longer matches its image on disk, which memory scanners and EDR injection telemetry can catch.
Geo-Targeting: A Tailored Threat
The
Scheduled Tasks and Persistence
The use of a scheduled task running every minute shows an aggressive persistence strategy. Simulating keystrokes with SendKeys makes the host look as if a user is active, which can cause some behavioral monitoring and sandbox tools to treat the session as ordinary user activity rather than an unattended analysis environment.
Evasion of Security Tools
Masslogger checks registry locations commonly used by antivirus software. If it finds too many protections active, it shuts down, demonstrating environment awareness and a preference for going unnoticed. This is a trade-off rather than a bypass: the malware forgoes heavily defended hosts to stay undetected while still infecting lightly protected ones, so a quiet abort on a hardened machine should itself be treated as a signal worth investigating.
Data Exfiltration via Multiple Channels
The use of FTP, SMTP, and Telegram for data exfiltration offers flexibility and resilience. Telegram, in particular, has become a go-to choice for malware authors because its Bot API is reachable over ordinary HTTPS, blends in with legitimate traffic, and requires no attacker-controlled server.
Broader Implications for Cyber Defense
This campaign highlights a fundamental shift in malware engineering. Defensive teams must evolve from signature-based systems to behavioral and heuristic detection. Threat hunting must now include registry activity analysis, memory scanning, and scheduled task auditing.
🔍 Fact Checker Results:
✅ Registry-based malware is a known and validated method for fileless attacks
✅ Masslogger is an established credential stealer with prior campaigns documented by multiple security vendors
✅ Use of PowerShell, obfuscation, and geo-targeting tactics are common in modern APT and cybercrime operations
📊 Prediction:
📌 Fileless malware will become more prevalent in 2025, with a sharp rise in registry and memory-based payloads
📌 Organizations relying only on traditional antivirus will face increasing risk of stealthy credential theft attacks
📌 Expect new waves of geo-targeted malware focused on Europe, with France, Germany, and Italy as primary targets
References:
Reported By: cyberpress.org