A sophisticated new spear-phishing campaign has emerged, deploying the notorious VIP keylogger through carefully crafted email attachments that masquerade as legitimate payment receipts. The VIP keylogger, previously documented for its advanced data theft capabilities, has resurfaced with enhanced steganographic techniques and improved evasion tactics. This malware strain specifically targets web browsers including Chrome, Microsoft Edge, and Mozilla Firefox, systematically harvesting user credentials, monitoring clipboard activity, and logging keystrokes to capture sensitive information.

The current campaign demonstrates a marked departure from earlier versions by incorporating an AutoIt-based injector that significantly complicates detection and analysis efforts. Seqrite researchers identified the campaign by monitoring suspicious email traffic patterns and analyzing malicious attachments that appeared to be innocuous document files. The threat actors have refined their social engineering approach, using convincing financial document themes to lure victims into executing the malicious payload. This latest variant shows increased sophistication in its multi-stage deployment process and memory-resident execution techniques.

Upon execution, the malware demonstrates remarkable technical complexity through its multi-layered infection process. The AutoIt script embedded within the initial executable immediately drops two encrypted files named “leucoryx” and “aveness” into the system’s temporary directory. These files serve distinct purposes in the infection chain, with leucoryx containing decryption keys while aveness houses the encrypted payload data. The malware employs a custom XOR decryption function identified as “KHIXTKVLO” to decrypt the payload directly in memory, avoiding disk-based detection mechanisms. This technique involves reading the encrypted content from leucoryx, applying the XOR decryption algorithm, and storing the resulting data in allocated memory structures.

The decrypted payload is then injected into RegSvcs.exe using process hollowing, allowing the VIP keylogger to execute within a legitimate Windows process and evade behavioral detection systems. This latest iteration represents a significant evolution in the malware’s delivery mechanism, showcasing the threat actors’ adaptability and technical sophistication in bypassing modern security measures.
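The infection chain described above leaves two host-based signals a defender can correlate: the creation of files named “leucoryx” and “aveness” in a temp directory, followed shortly by RegSvcs.exe being launched from a parent that lives in a user-writable folder. The following triage helper is an added example written for this article; it is not Seqrite's tooling or code from the report. The event schema, the host names, the parent image `payment_receipt.exe`, the `msbuild.exe` path and the assumption that a legitimate RegSvcs.exe is not spawned from temp, downloads or AppData are all constructed for illustration.

```python
"""Correlate dropped-file and process-launch telemetry for the chain described in the article.
Added example with constructed events; the event format is an assumption, not a real EDR schema."""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Indicators taken from the article: the two dropped file names and the hollowed host process.
DROPPED_FILE_NAMES = {"leucoryx", "aveness"}
HOLLOWED_HOST = "regsvcs.exe"

# Assumption (not from the article): a legitimate RegSvcs.exe is started by build or installer
# tooling, not by an executable running out of a user-writable temp, downloads or AppData folder.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive matching."""
    return path.replace("/", "\\").lower()


def is_dropped_file_event(event: dict) -> bool:
    """True for creation of 'leucoryx' or 'aveness' inside a temp directory."""
    if event["type"] != "file_create":
        return False
    path = _norm(event["path"])
    return PureWindowsPath(path).name in DROPPED_FILE_NAMES and "\\temp\\" in path


def is_suspicious_host_launch(event: dict) -> bool:
    """True when RegSvcs.exe is started by a parent located in a user-writable directory."""
    if event["type"] != "process_create":
        return False
    image = PureWindowsPath(_norm(event["image"])).name
    parent = _norm(event["parent_image"])
    return image == HOLLOWED_HOST and any(hint in parent for hint in USER_WRITABLE_HINTS)


def correlate(events: list, window_seconds: int = 120) -> dict:
    """Per host, flag when both dropped files appear and a suspicious RegSvcs.exe launch
    follows within `window_seconds`. Returns {host: sorted list of dropped file names}."""
    by_host = defaultdict(lambda: {"files": {}, "launch": None})
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        rec = by_host[ev["host"]]
        if is_dropped_file_event(ev):
            rec["files"][PureWindowsPath(_norm(ev["path"])).name] = ts
        elif is_suspicious_host_launch(ev):
            rec["launch"] = ts
    verdicts = {}
    for host, rec in by_host.items():
        # Require the full pair of dropped files and a launch that happens after the first drop.
        if rec["launch"] is None or set(rec["files"]) != DROPPED_FILE_NAMES:
            continue
        earliest_drop = min(rec["files"].values())
        if 0 <= (rec["launch"] - earliest_drop).total_seconds() <= window_seconds:
            verdicts[host] = sorted(rec["files"])
    return verdicts


# Constructed sample telemetry: one infected workstation, one benign build host, one partial match.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2025-07-31T09:00:00", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\leucoryx"},
    {"host": "ws01", "ts": "2025-07-31T09:00:01", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\aveness"},
    {"host": "ws01", "ts": "2025-07-31T09:00:03", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\payment_receipt.exe"},  # constructed name
    {"host": "build02", "ts": "2025-07-31T09:05:00", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Program Files\dotnet\msbuild.exe"},  # benign parent, constructed path
    {"host": "ws02", "ts": "2025-07-31T09:10:00", "type": "file_create",
     "path": r"C:\Users\bob\AppData\Local\Temp\leucoryx"},  # only one file, no launch
]

if __name__ == "__main__":
    for host, files in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: dropped {files} then RegSvcs.exe launched from a user-writable parent")
```

Requiring both file names plus the RegSvcs.exe launch within a short window keeps a single benign RegSvcs.exe invocation on a build machine, or a lone file with a coincidental name, from raising an alert; the window and the parent-directory heuristic are tuning knobs rather than facts from the report.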
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 13:45:17 +0000