Hackers Spread VIP Keylogger via Fake Business Emails
ID: fcdbcc37-c7ca-56b2-be37-6a7907f054d6
STIX ID: report--fcdbcc37-c7ca-56b2-be37-6a7907f054d6
Feed Name: GBHackers
VIP Keylogger is being actively distributed via business-themed phishing emails. The chain starts with heavily obfuscated VBScript, JavaScript and BAT loaders that run multi-stage PowerShell stagers. The stagers hide downloaders and payloads inside PNG images (steganography), decode and load the recovered modules in memory, and inject the final infostealer into legitimate .NET processes for stealth; persistence is a registry-based autostart entry. The malware harvests browser credentials, cookies, clipboard contents, Wi-Fi profiles, screenshots and more, and exfiltrates the data to Telegram bots and C2 servers. The report includes numerous SHA256 IOCs and recommended telemetry for hunting and detecting these behaviors.
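The summary above describes a chain with several observable stages: a script host launching an encoded PowerShell stager, PowerShell injecting into a .NET process, a Run-key write, and a connection to the Telegram bot API. The following is an added hunting example, not code from the report or from GBHackers: it runs a few behavioral rules over constructed Sysmon-style events (process creation, CreateRemoteThread, registry value set, network connection; field names lower-cased). The list of .NET host binaries is an assumption, since the report only says "legitimate .NET processes" without naming them, and the sample events, paths, SID and encoded command string are all constructed for the demonstration.

```python
"""Hunt for the VIP Keylogger delivery chain in Sysmon-style telemetry (added example)."""
import re
from typing import Dict, List, Tuple

# Script hosts the obfuscated VBScript/JavaScript/BAT loaders run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# ASSUMPTION: common .NET utilities abused as injection hosts; the report does
# not name the target processes, so adjust this set to your own findings.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}

# Stager switches worth flagging: encoded command, hidden window, no profile.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|enc|encodedcommand|w(?:indowstyle)?\s+hidden|nop|noprofile)\b")
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce autostart keys.
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[str]:
    """Return the names of every hunting rule the event satisfies."""
    hits = []
    eid = ev["event_id"]
    image = _base(ev.get("image", ""))
    if eid == 1:  # Sysmon 1: process creation
        parent = _base(ev.get("parent_image", ""))
        if (parent in SCRIPT_HOSTS and image in POWERSHELL
                and SUSPICIOUS_PS_ARGS.search(ev.get("command_line", ""))):
            hits.append("script_host_spawns_encoded_powershell")
    elif eid == 8:  # Sysmon 8: CreateRemoteThread into another process
        if image in POWERSHELL and _base(ev.get("target_image", "")) in DOTNET_HOSTS:
            hits.append("powershell_injects_dotnet_host")
    elif eid == 13:  # Sysmon 13: registry value set
        if (RUN_KEY.search(ev.get("target_object", ""))
                and image in POWERSHELL | DOTNET_HOSTS):
            hits.append("run_key_persistence_from_stager")
    elif eid == 3:  # Sysmon 3: network connection
        host = ev.get("destination_hostname", "").lower()
        if host.endswith("api.telegram.org") and image in POWERSHELL | DOTNET_HOSTS:
            hits.append("telegram_bot_exfil_from_injected_host")
    return hits


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every rule over every event; returns (rule, utc_time) pairs in order."""
    return [(rule, ev["utc_time"]) for ev in events for rule in check_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed sample telemetry for one infected host (not real IOCs).
SAMPLE_EVENTS = [
    # wscript runs the VBS loader, which starts a hidden, encoded PowerShell stager
    {"event_id": 1, "utc_time": "2024-01-01 09:00:01",
     "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # benign interactive PowerShell from Explorer: must not fire
    {"event_id": 1, "utc_time": "2024-01-01 09:00:05",
     "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe Get-Service"},
    # stager injects the decoded infostealer into RegAsm.exe
    {"event_id": 8, "utc_time": "2024-01-01 09:00:09", "image": PS, "target_image": REGASM},
    # stager writes a Run-key autostart entry
    {"event_id": 13, "utc_time": "2024-01-01 09:00:10", "image": PS,
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # injected RegAsm.exe reaches the Telegram bot API
    {"event_id": 3, "utc_time": "2024-01-01 09:00:15", "image": REGASM,
     "destination_hostname": "api.telegram.org"},
    # a browser talking to Telegram is expected traffic: must not fire
    {"event_id": 3, "utc_time": "2024-01-01 09:01:00",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "destination_hostname": "api.telegram.org"},
]

if __name__ == "__main__":
    for rule, when in hunt(SAMPLE_EVENTS):
        print(f"{when}  {rule}")
```

The four rules fire in chain order on the sample and stay quiet on the two benign events. Two caveats for real deployments: Sysmon event 8 only records CreateRemoteThread-based injection, so a stager using APC queuing or thread hijacking will show up instead as process creation plus process access (Sysmon 1 and 10) and needs a matching rule; and the .NET host list must be tuned to what the report's IOCs and your own sandbox runs actually show, since the summary names no specific binaries.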
