Skip to content
Malware family

VIPKeylogger

VIPKeylogger is a password-stealing malware family frequently observed in malspam campaigns, especially campaigns targeting Italy with business-themed lures such as orders, requests, quotes, offers, invoices, documents, payments, shipments, reservations, purchases, bank transfers, and notices.

Profile source: Mallory opens in a new tab

VIPKeylogger

Family profile

VIPKeylogger is a password-stealing malware family frequently observed in malspam campaigns, especially campaigns targeting Italy with business-themed lures such as orders, requests, quotes, offers, invoices, documents, payments, shipments, reservations, purchases, bank transfers, and notices. Across the provided reporting, it is repeatedly classified alongside commodity stealers and RATs such as AgentTesla, FormBook, Remcos, PureHVNC, PhantomStealer, PureLogs, STRRAT, QuasarRAT, XWormRAT, and Ave_Maria. Multiple reports explicitly describe VIPKeylogger as a variant or rebrand of SnakeKeylogger, also known as 404 Keylogger.

High-confidence delivery vectors in the content include phishing emails carrying malicious attachments and multi-stage loaders. One analyzed DHL-themed campaign used a three-stage chain consisting of an obfuscated VBScript dropper, hidden WMI-spawned PowerShell, a steganographic JPEG hosted on Cloudinary containing appended Base64-encoded .NET data, reflective in-memory loading, and process hollowing into Caspol.exe. The .NET payload was Babel-obfuscated, included anti-analysis checks for dnSpy, vsdbg, de4dot, CheckRemoteDebuggerPresent, IsDebuggerPresent, and NtQueryInformationProcess, performed victim reconnaissance via checkip.dyndns.org and reallyfreegeoip.org, and established persistence through a startup VBS item and a scheduled task. Another campaign used NSIS installer wrappers with encrypted shellcode to deliver VIPKeylogger via GuLoader. A separate Vietnam-focused tax-themed phishing case used an obfuscated JavaScript dropper that created and executed a batch file via WMI, followed by PowerShell using Base64, Gzip, AES-CBC, and .NET reflection loading; the final dumped payload was identified as VIPKeylogger.

The malware’s core behavior in the provided content is credential and information theft. Reported stolen data includes browser passwords, email credentials, FTP credentials, WinSCP secrets, and Outlook profile data. Exfiltration methods explicitly observed include Telegram, SMTP, and FTP. In one GuLoader-linked campaign, VIPKeylogger used the Telegram Bot API with bot token 8729572560:AAH7-pGiLevApfXHCGKQfSyCpF9fVTqxN9Q and chat ID 8277275661; the same broader operation also used FTP infrastructure at holzbrenzii[.]com (198[.]27[.]80[.]139), where investigators found an open directory listing exposing 52 stolen credential files from 27 victim machines, and a secondary FTP domain corwineagles[.]com (162[.]241[.]123[.]75). In the DHL-themed SnakeKeylogger/VIPKeylogger campaign, exfiltration occurred via SMTP to mail.miniorangeman.com:587 using result@miniorangeman.com with password bK6s^&G{UAh)Qh{7}, and via Telegram using an encrypted bot token. The SMTP server resolved to 185.196.9.150, while the campaign C2 used 144.172.105.88. In the Vietnam-themed case, the final payload reportedly sent collected victim information to an attacker-controlled address, though the destination was not specified in the provided content.

The content associates VIPKeylogger primarily with financially motivated, opportunistic phishing operations rather than an advanced persistent threat. One analyzed campaign primarily targeted Italian businesses but also affected international victims. Another campaign exploited Vietnamese tax-policy themes and impersonated the tax authority. Notable file and payload indicators directly mentioned in the content include the final dumped VIPKeylogger payload SHA-256 ef0556dc61ee9912ae1647e9dcbbdd8fbcbfb4f56e77241f2315a7ca4f20c845 from the Vietnam case; the Babel-obfuscated .NET payload SHA-256 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21 from the DHL-themed campaign; the Cloudinary carrier JPEG SHA-256 b23f06a5bf75ae2335bac792574cb3bc5fdc11755f5f4a75617eb99fd3a56104; and the initial VBScript dropper 17aaf09246b97db19f735f2fe9e26708.vbs.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 16, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
0 IP / 2 hostnames

Leading locations

  • DE1
  • ES1

Leading providers

  • AXARNET COMUNICACIONES, S.L.1
  • Hetzner Online GmbH1

Infrastructure traits

  • Hosting 2

Samples

Recent associated samples

MITRE ATT&CK

VIPKeylogger in ATT&CK

36 distinct techniques

Reporting

Research mentioning VIPKeylogger

Jun 1
Virit

News - Malware & Hoax - TG Soft Cyber Security Specialist

This week was characterised by Password Stealers from the following families: AgentTesla, Bot_Rust, FormBook, PureHVNC, Remcos and VIPKeylogger.

Apr 20
Virit

News - Malware & Hoax - TG Soft Cyber Security Specialist

20/05/2026 VIPKeylogger - spread through a campaign themed "Orders".

Apr 13
Virit

News - Malware & Hoax - TG Soft Cyber Security Specialist

13/05/2026 VIPKeylogger - spread through a campaign themed: "Requests".

Apr 6
Virit

News - Malware & Hoax - TG Soft Cyber Security Specialist

This week was dominated by Password Stealers from the following families: FormBook, PureHVNC, Remcos and VIPKeylogger.

Mar 15
Breakglass Intel

Competent Malware, Incompetent Infrastructure: A VIPKeylogger Operator Builds a Steganographic Kill Chain, Leaves XAMPP Dashboard Open, and Leaks Their Own SMTP Credentials - Breakglass Intelligence - Breakglass Intelligence

TL;DR: A VIPKeylogger campaign (SnakeKeylogger variant) delivered via DHL-themed phishing uses a three-stage infection chain ... Stage 3: VIPKeylogger (SnakeKeylogger Variant) ... VIPKeylogger is a direct variant/rebrand of SnakeKeylogger (also known as 404 Keylogger) that uses dual-channel exfiltration -- both SMTP and Telegram simultaneously.

Mar 15
Breakglass Intel

Competent Malware, Incompetent Infrastructure: A VIPKeylogger Operator Builds a Steganographic Kill Chain, Leaves XAMPP Dashboard Open, and Leaks Their Own SMTP Credentials - Breakglass Intelligence - Breakglass Intelligence

TL;DR: A VIPKeylogger campaign (SnakeKeylogger variant) delivered via DHL-themed phishing uses a three-stage infection chain ... Stage 3: VIPKeylogger (SnakeKeylogger Variant) ... VIPKeylogger is a direct variant/rebrand of SnakeKeylogger (also known as 404 Keylogger) that uses dual-channel exfiltration -- both SMTP and Telegram simultaneously.

Mar 12
Breakglass Intel

GuLoader Ships Dual Stealers to Italian Businesses While Its Open FTP Directory Leaks 52 Credential Dumps from 27 Victims in Real Time - Breakglass Intelligence - Breakglass Intelligence

Both samples use NSIS installer wrappers with multi-layer encrypted shellcode to deliver Agent Tesla (SMTP exfiltration) and VIPKeylogger (Telegram exfiltration).

Feb 16
Virit

News - Malware & Hoax - TG Soft Cyber Security Specialist

The week was characterized by Password Stealer of the Families: FormBook, Remcos, VIPKeylogger and XWormRAT ... 18/03/2026 VIPKeylogger - spread through a campaign themed "Requests". 20/03/2026 VIPKeylogger - spread through a campaign themed "Requests".

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.