Behind the Code: The Layered Defense-Evasion of VIP Keylogger

    Date: 05/21/2026

    Severity: Medium

    Summary

    In recent years the threat landscape has shifted as info stealers and keyloggers have become dominant malware payloads. Whether acting alone or as loaders for broader attacks, these tools harvest sensitive data efficiently. VIP Keylogger exemplifies this threat, using phishing for delivery and layered evasion tactics to bypass security controls. The Threat Research Team analyzed this malware family and its obfuscated script loader. This post breaks down the specific tactics, techniques, and steganography extracted during our research. Use these insights to build robust detections and improve your proactive threat-hunting efforts.

    Indicators of Compromise (IOC) List

    Hashes (SHA-256):

    95e6c6c13f65217f41c371abf6d03594b2bfed2259a1813bb4222fb2d3c32745

    07ee41817b9f338719bea03676ab607349cc3accba0dddb800f6276a01cfdd9f

    2df582bb41d1e6f0a6d44e8dbc1d8bca8e3d332bb268685b9dfc381a566c63a6

    8d1f59c65ebe64d0e817ffe7ecbf1d5a4bc3768d896c934b00dfd57263c3fe15

    8d5de337baa0b0938e4283324d3b1e8ccbdeed694aab3b6118910476200c621b

    14b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f49cb62c019d8e9bc4d

    28613bfb4e866186133235a88e318df3059b01001f297ad6a524eab0885305a5

    d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81

    9bca7a3ac404807c63670141a3459eac24450e0cffbe1066cd3c8b503a917170

    9905c76ccf4ebdd12e1df63047a3206026073781d885165e82d298656b5f4937

    927c6d68f6413e437e4a919b2007f6a2ade32be71f80467856ce19a0325b63eb

    ae6918bfe8774e1ec1ec34f3db26e7e548dd0dc33a4e6fa80970e0bd2ba7ad9d

    a2862e4d2c722c7bfc86aa6c2c589455659b7a4ce6bb15ae55706df40e0f1f4e

    cbdecb69250504d0b00bf3a9ac2209e3f6000553aa0e8980489b8d88106af6b7

    b79d5ad4a4b03f9b153d27d356c6e62648fa87c2c378af407b894ed66119b921

    2801ccd00ad4c93afcc23b9f8e5f56a8ddef81c1f4b331978d9b288a69f8ce4d

    93cca0789e92ef11ccc9abd411bdc621a34138aaee4db3241f5266bccc7eac78

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("8d5de337baa0b0938e4283324d3b1e8ccbdeed694aab3b6118910476200c621b","28613bfb4e866186133235a88e318df3059b01001f297ad6a524eab0885305a5","07ee41817b9f338719bea03676ab607349cc3accba0dddb800f6276a01cfdd9f","927c6d68f6413e437e4a919b2007f6a2ade32be71f80467856ce19a0325b63eb","b79d5ad4a4b03f9b153d27d356c6e62648fa87c2c378af407b894ed66119b921","ae6918bfe8774e1ec1ec34f3db26e7e548dd0dc33a4e6fa80970e0bd2ba7ad9d","9905c76ccf4ebdd12e1df63047a3206026073781d885165e82d298656b5f4937","a2862e4d2c722c7bfc86aa6c2c589455659b7a4ce6bb15ae55706df40e0f1f4e","95e6c6c13f65217f41c371abf6d03594b2bfed2259a1813bb4222fb2d3c32745","14b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f49cb62c019d8e9bc4d","9bca7a3ac404807c63670141a3459eac24450e0cffbe1066cd3c8b503a917170","2801ccd00ad4c93afcc23b9f8e5f56a8ddef81c1f4b331978d9b288a69f8ce4d","93cca0789e92ef11ccc9abd411bdc621a34138aaee4db3241f5266bccc7eac78","8d1f59c65ebe64d0e817ffe7ecbf1d5a4bc3768d896c934b00dfd57263c3fe15","2df582bb41d1e6f0a6d44e8dbc1d8bca8e3d332bb268685b9dfc381a566c63a6","d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81","cbdecb69250504d0b00bf3a9ac2209e3f6000553aa0e8980489b8d88106af6b7")
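    The query above matches a SHA-256 field in already-collected telemetry. Where no such telemetry exists yet (an unmanaged host, an image pulled for forensics), the same IOC set can be applied directly to the filesystem. The script below is an added example and is not code from Gurucul or from the Splunk research it references; it copies the 17 unique hashes from the list above (the list contains one duplicate), computes SHA-256 of each file under a given root in chunks, and reports any file whose digest is in the set. The sample directory and file it creates are constructed for demonstration and are not malware.

```python
import hashlib
import os
import tempfile

# SHA-256 IOCs copied from the hash list above, deduplicated and lower-cased.
VIP_KEYLOGGER_SHA256 = frozenset(h.lower() for h in (
    "95e6c6c13f65217f41c371abf6d03594b2bfed2259a1813bb4222fb2d3c32745",
    "07ee41817b9f338719bea03676ab607349cc3accba0dddb800f6276a01cfdd9f",
    "2df582bb41d1e6f0a6d44e8dbc1d8bca8e3d332bb268685b9dfc381a566c63a6",
    "8d1f59c65ebe64d0e817ffe7ecbf1d5a4bc3768d896c934b00dfd57263c3fe15",
    "8d5de337baa0b0938e4283324d3b1e8ccbdeed694aab3b6118910476200c621b",
    "14b25dfcc6e7f69992b3f5543bcc9ebe86bd0b682e211f49cb62c019d8e9bc4d",
    "28613bfb4e866186133235a88e318df3059b01001f297ad6a524eab0885305a5",
    "d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81",
    "9bca7a3ac404807c63670141a3459eac24450e0cffbe1066cd3c8b503a917170",
    "9905c76ccf4ebdd12e1df63047a3206026073781d885165e82d298656b5f4937",
    "927c6d68f6413e437e4a919b2007f6a2ade32be71f80467856ce19a0325b63eb",
    "ae6918bfe8774e1ec1ec34f3db26e7e548dd0dc33a4e6fa80970e0bd2ba7ad9d",
    "a2862e4d2c722c7bfc86aa6c2c589455659b7a4ce6bb15ae55706df40e0f1f4e",
    "cbdecb69250504d0b00bf3a9ac2209e3f6000553aa0e8980489b8d88106af6b7",
    "b79d5ad4a4b03f9b153d27d356c6e62648fa87c2c378af407b894ed66119b921",
    "2801ccd00ad4c93afcc23b9f8e5f56a8ddef81c1f4b331978d9b288a69f8ce4d",
    "93cca0789e92ef11ccc9abd411bdc621a34138aaee4db3241f5266bccc7eac78",
))


def is_ioc(digest, iocs=VIP_KEYLOGGER_SHA256):
    """True if a hex SHA-256 (any case) is in the IOC set; mirrors the IN() query."""
    return digest.strip().lower() in iocs


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=VIP_KEYLOGGER_SHA256):
    """Walk `root` and return [(path, sha256)] for every file whose hash is an IOC.

    Unreadable files (permissions, vanished temp files) are skipped rather than
    aborting the sweep, so one bad file does not hide hits elsewhere.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if is_ioc(digest, iocs):
                hits.append((path, digest))
    return hits


def make_sample_dir():
    """Create a constructed sample tree (benign text, not malware) for a dry run.

    Returns (root, sample_path, sample_digest) so a caller can verify the sweep
    against a known hash without needing a real sample on disk.
    """
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    sample_path = os.path.join(root, "sub", "sample.txt")
    content = b"constructed sample file for the hash sweep example\n"
    with open(sample_path, "wb") as f:
        f.write(content)
    return root, sample_path, hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    # Dry run: the constructed file is not a VIP Keylogger IOC, so the first sweep
    # reports nothing; feeding its own hash as the IOC set shows a hit.
    root, sample_path, sample_digest = make_sample_dir()
    print("hits against advisory IOCs:", sweep(root))
    print("hits against constructed IOC:", sweep(root, iocs={sample_digest}))
```

    Point `sweep()` at a mounted image or a suspect directory to get the same answer the TDIR query gives over telemetry; `is_ioc()` can be reused on its own against SHA-256 values pulled from EDR or proxy logs.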

    Reference:

    https://www.splunk.com/en_us/blog/security/behind-the-code-layered-defense-evasion-vip-keylogger.html

    Tags

    Malware, Phishing, Keylogger, Obfuscation, Steganography, Infostealer
