Last seven days
- First activity
- Jul 16, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 0 IP / 2 hostnames
VIPKeylogger is a password-stealing malware family frequently observed in malspam campaigns, especially campaigns targeting Italy with business-themed lures such as orders, requests, quotes, offers, invoices, documents, payments, shipments, reservations, purchases, bank transfers, and notices.
Profile source: Mallory opens in a new tabVIPKeylogger
VIPKeylogger is a password-stealing malware family frequently observed in malspam campaigns, especially campaigns targeting Italy with business-themed lures such as orders, requests, quotes, offers, invoices, documents, payments, shipments, reservations, purchases, bank transfers, and notices. Across the provided reporting, it is repeatedly classified alongside commodity stealers and RATs such as AgentTesla, FormBook, Remcos, PureHVNC, PhantomStealer, PureLogs, STRRAT, QuasarRAT, XWormRAT, and Ave_Maria. Multiple reports explicitly describe VIPKeylogger as a variant or rebrand of SnakeKeylogger, also known as 404 Keylogger.
High-confidence delivery vectors in the content include phishing emails carrying malicious attachments and multi-stage loaders. One analyzed DHL-themed campaign used a three-stage chain consisting of an obfuscated VBScript dropper, hidden WMI-spawned PowerShell, a steganographic JPEG hosted on Cloudinary containing appended Base64-encoded .NET data, reflective in-memory loading, and process hollowing into Caspol.exe. The .NET payload was Babel-obfuscated, included anti-analysis checks for dnSpy, vsdbg, de4dot, CheckRemoteDebuggerPresent, IsDebuggerPresent, and NtQueryInformationProcess, performed victim reconnaissance via checkip.dyndns.org and reallyfreegeoip.org, and established persistence through a startup VBS item and a scheduled task. Another campaign used NSIS installer wrappers with encrypted shellcode to deliver VIPKeylogger via GuLoader. A separate Vietnam-focused tax-themed phishing case used an obfuscated JavaScript dropper that created and executed a batch file via WMI, followed by PowerShell using Base64, Gzip, AES-CBC, and .NET reflection loading; the final dumped payload was identified as VIPKeylogger.
The malwareβs core behavior in the provided content is credential and information theft. Reported stolen data includes browser passwords, email credentials, FTP credentials, WinSCP secrets, and Outlook profile data. Exfiltration methods explicitly observed include Telegram, SMTP, and FTP. In one GuLoader-linked campaign, VIPKeylogger used the Telegram Bot API with bot token 8729572560:AAH7-pGiLevApfXHCGKQfSyCpF9fVTqxN9Q and chat ID 8277275661; the same broader operation also used FTP infrastructure at holzbrenzii[.]com (198[.]27[.]80[.]139), where investigators found an open directory listing exposing 52 stolen credential files from 27 victim machines, and a secondary FTP domain corwineagles[.]com (162[.]241[.]123[.]75). In the DHL-themed SnakeKeylogger/VIPKeylogger campaign, exfiltration occurred via SMTP to mail.miniorangeman.com:587 using result@miniorangeman.com with password bK6s^&G{UAh)Qh{7}, and via Telegram using an encrypted bot token. The SMTP server resolved to 185.196.9.150, while the campaign C2 used 144.172.105.88. In the Vietnam-themed case, the final payload reportedly sent collected victim information to an attacker-controlled address, though the destination was not specified in the provided content.
The content associates VIPKeylogger primarily with financially motivated, opportunistic phishing operations rather than an advanced persistent threat. One analyzed campaign primarily targeted Italian businesses but also affected international victims. Another campaign exploited Vietnamese tax-policy themes and impersonated the tax authority. Notable file and payload indicators directly mentioned in the content include the final dumped VIPKeylogger payload SHA-256 ef0556dc61ee9912ae1647e9dcbbdd8fbcbfb4f56e77241f2315a7ca4f20c845 from the Vietnam case; the Babel-obfuscated .NET payload SHA-256 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21 from the DHL-themed campaign; the Cloudinary carrier JPEG SHA-256 b23f06a5bf75ae2335bac792574cb3bc5fdc11755f5f4a75617eb99fd3a56104; and the initial VBScript dropper 17aaf09246b97db19f735f2fe9e26708.vbs.
C2 tracking
Derp observations, rolling seven-day window
Samples
MITRE ATT&CK
Reporting
This week was characterised by Password Stealers from the following families: AgentTesla, Bot_Rust, FormBook, PureHVNC, Remcos and VIPKeylogger.
20/05/2026 VIPKeylogger - spread through a campaign themed "Orders".
13/05/2026 VIPKeylogger - spread through a campaign themed: "Requests".
This week was dominated by Password Stealers from the following families: FormBook, PureHVNC, Remcos and VIPKeylogger.
TL;DR: A VIPKeylogger campaign (SnakeKeylogger variant) delivered via DHL-themed phishing uses a three-stage infection chain ... Stage 3: VIPKeylogger (SnakeKeylogger Variant) ... VIPKeylogger is a direct variant/rebrand of SnakeKeylogger (also known as 404 Keylogger) that uses dual-channel exfiltration -- both SMTP and Telegram simultaneously.
TL;DR: A VIPKeylogger campaign (SnakeKeylogger variant) delivered via DHL-themed phishing uses a three-stage infection chain ... Stage 3: VIPKeylogger (SnakeKeylogger Variant) ... VIPKeylogger is a direct variant/rebrand of SnakeKeylogger (also known as 404 Keylogger) that uses dual-channel exfiltration -- both SMTP and Telegram simultaneously.
Both samples use NSIS installer wrappers with multi-layer encrypted shellcode to deliver Agent Tesla (SMTP exfiltration) and VIPKeylogger (Telegram exfiltration).
The week was characterized by Password Stealer of the Families: FormBook, Remcos, VIPKeylogger and XWormRAT ... 18/03/2026 VIPKeylogger - spread through a campaign themed "Requests". 20/03/2026 VIPKeylogger - spread through a campaign themed "Requests".
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.