Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment
ID: 31218dab-5cb9-598d-85a2-19aec755600e
STIX ID: report--31218dab-5cb9-598d-85a2-19aec755600e
Feed Name: Seqrite Blog
This report analyzes a spear-phishing campaign that distributes the VIP Keylogger through an AutoIt-based injector. A malicious ZIP attachment runs an AutoIt script that decrypts payloads dropped into the Temp directory, injects a .NET keylogger into RegSvcs.exe via process hollowing, establishes persistence with a VBScript placed in the Startup folder, and exfiltrates stolen data over SMTP and to a C2 server. The document includes technical details of the AutoIt decryption routine, the memory injection steps, process tree visuals, IOCs (MD5 hashes and an IP address), MITRE ATT&CK mappings, and suggested detection labels.
