Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
ID: 13044903-231e-5def-864e-888a0a76e2f3
STIX ID: report--13044903-231e-5def-864e-888a0a76e2f3
Feed Name: LevelBlue SpiderLabs Blog
LevelBlue SpiderLabs investigated a multi-stage, modular malware campaign first detected through a blocked VBS file. Analysis revealed Unicode-obfuscated VBS launchers that decode to Base64 PowerShell loaders; these loaders fetch PNG files containing Base64-encoded .NET assemblies (PhantomVAI), which in turn load additional payloads in memory, including Remcos RAT, XWorm variants, and UAC-bypass DLLs. The attacker hosted reusable, openly browsable directories across several domains (news4me.xyz and multiple Cloudflare-backed hosts), enabling payload rotation and alternative delivery vectors such as malicious ZIP archives, Internet Shortcuts, and BAT scripts. The report includes extensive IoCs, hashes, and defensive mitigations.
