Security analysts have uncovered a sophisticated cyberattack cluster that leverages heavily obfuscated Visual Basic Script (VBS) files to infiltrate networks and deploy potent Remote Access Trojans (RATs).
The campaign, centred on the filename “sostener.vbs” (Spanish for “sustain”), affects 16 open directories across multiple hosts and networks, each serving as a conduit for a multi-phase malware installation chain.
The attack, largely automated, proceeds in three stages: initial VBS script execution, PowerShell script generation, and final RAT deployment, which grants the threat actors remote control over victim systems.
The campaign begins with the execution of heavily obfuscated VBS files, which range from 2 to 3 MB in size.
These scripts are padded with useless code comments and dead variable assignments that hinder analysis.
At runtime, the “sostener.vbs” scripts dynamically generate and execute a PowerShell script, embedding a base64-encoded payload in a variable.
Because the payload is encoded and transformed in this way, only advanced malware detection tooling or manual analysis is likely to spot the threat before it escalates.
Once the base64 payload is decoded, the resulting PowerShell script contacts various remote services, such as file hosting platforms, to download additional malicious components.
These include memory injectors and custom-built RATs such as LimeRAT, DCRat, AsyncRAT, and Remcos.
Some of these elements are cleverly hidden inside seemingly legitimate JPEG images on the Internet Archive or within plaintext files on platforms like paste[.]ee and Bitbucket.
The stager locates these payloads by searching for specific markers (e.g., “<<BASE64_START>>” and “<<BASE64_END>>”) within the image or text files, then decodes and loads them into memory.
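The marker-based carving described above is easy to reproduce from the defender's side: an analyst who has pulled a suspicious JPEG or paste from an open directory can carve out what sits between the markers and check whether it decodes to an executable. The following Python is an added example written for this article, not code from the report or from the campaign; the two marker strings are the ones the report names, while the function names, the PE check and the constructed fake JPEG are assumptions made for the example.

```python
import base64
import binascii
import re
from typing import Optional

# Marker strings named in the report; the stager searches carrier files
# (JPEGs on the Internet Archive, pastes on paste[.]ee / Bitbucket) for text between them.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"

# Base64 alphabet plus padding and the line breaks a paste service may insert.
_B64_CHARS = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def find_marked_blob(data: bytes) -> Optional[bytes]:
    """Return the raw bytes between the first START/END marker pair, or None."""
    start = data.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = data.find(END_MARKER, start)
    if end == -1:
        return None
    return data[start:end]


def extract_marked_payload(data: bytes) -> Optional[bytes]:
    """Locate the marker pair in a carrier file and decode the base64 between them.

    Returns the decoded payload, or None when no well-formed payload is present.
    Whitespace between the markers is tolerated; any other non-base64 byte makes
    the block invalid (validate=True), so a stray marker hit in ordinary text is rejected.
    """
    blob = find_marked_blob(data)
    if blob is None:
        return None
    blob = blob.strip()
    if not blob or not _B64_CHARS.match(blob):
        return None
    try:
        return base64.b64decode(re.sub(rb"\s+", b"", blob), validate=True)
    except binascii.Error:
        return None


def triage_carrier(data: bytes) -> dict:
    """Summarise a carrier file for an analyst: type guess, marker presence, payload size and type."""
    payload = extract_marked_payload(data)
    return {
        "jpeg_header": data[:3] == b"\xff\xd8\xff",
        "has_markers": START_MARKER in data and END_MARKER in data,
        "payload_bytes": len(payload) if payload else 0,
        # Windows PE files (the injectors and .NET RATs in this campaign) start with "MZ".
        "payload_is_pe": bool(payload) and payload[:2] == b"MZ",
    }


# Constructed sample (assumption for this example): a minimal fake JPEG with a
# harmless base64 block appended after the end-of-image marker, as a real carrier would have.
SAMPLE_PAYLOAD = b"MZ constructed sample, not a real executable"
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    + START_MARKER + base64.b64encode(SAMPLE_PAYLOAD) + END_MARKER
)

if __name__ == "__main__":
    print(triage_carrier(SAMPLE_JPEG))
```

Run against a real carrier, `triage_carrier` tells you at a glance whether the file is an image that merely hosts a blob, and whether that blob is a PE worth handing to a sandbox; a marker pair without valid base64 between it returns `None` rather than a garbage decode.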
In the third stage, the downloaded injector loads the RAT directly into memory, never writing it to disk and so evading disk-based detection.
The RAT encountered most often in this campaign is Remcos, which communicates with command-and-control (C2) servers via dynamic DNS domains (e.g., “duckdns[.]org”) so that the operators can rotate IP addresses and evade network-based defenses.
Infrastructure overlap is evident, as multiple stage-one droppers frequently funnel into the same stage-two and stage-three components, with shared C2 servers and identical TLS certificate fingerprints providing clear links between seemingly disparate targets.
While definitive attribution remains challenging, the tactics, language, and infrastructure observed strongly suggest ties to APT-C-36 (Blind Eagle), a Colombian threat actor known for similar campaigns.
However, analysts caution that confirmation is not possible without additional intelligence. Indicators of compromise (IOCs) include DNS domains (e.g., remc21[.]duckdns[.]org and sosten38999[.]duckdns[.]org, among others), TLS certificate fingerprints, and file hashes associated with each stage of the attack.
Security teams are urged to monitor for large, obfuscated VBS files and unexpected PowerShell activity, especially activity involving the domains and platforms named above.
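The traits the report attributes to the stage-one droppers (multi-megabyte size, padding comments, dead variable assignments, an embedded base64 literal, and a PowerShell launch) can be turned into a simple triage score. The following Python is an added example written for this article, not a tool from the report; the thresholds, the heuristic names and the two constructed sample scripts are assumptions and should be tuned against your own baseline of legitimate VBS.

```python
import re
from typing import Dict, List

# Thresholds are assumptions for this example; tune them against your environment.
LARGE_SCRIPT_BYTES = 1_000_000      # the report's droppers are 2-3 MB
COMMENT_RATIO_THRESHOLD = 0.5       # more than half the non-blank lines are comments
LONG_LITERAL_MIN = 200              # a base64-looking literal this long is likely a payload

_COMMENT = re.compile(r"^\s*('|Rem\b)", re.IGNORECASE)
_DIM_ONLY = re.compile(r"^\s*Dim\s+[A-Za-z_]\w*\s*$", re.IGNORECASE)
_ASSIGN = re.compile(r"^\s*(?:Dim\s+|Set\s+)?([A-Za-z_]\w*)\s*=", re.IGNORECASE)
_LONG_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{%d,})"' % LONG_LITERAL_MIN)
_SUSPICIOUS_CALLS = re.compile(
    r"powershell|FromBase64String|-EncodedCommand|WScript\.Shell|\.Run\b", re.IGNORECASE
)


def dead_assignments(code_lines: List[str]) -> List[str]:
    """Variables that are assigned but never read anywhere else in the script."""
    assigned, reads = set(), set()
    for line in code_lines:
        if _COMMENT.match(line) or _DIM_ONLY.match(line):
            continue
        rest = line
        m = _ASSIGN.match(line)
        if m:
            assigned.add(m.group(1))
            rest = line[m.end():]           # only the right-hand side counts as a read
        reads.update(re.findall(r"[A-Za-z_]\w*", rest))
    return sorted(assigned - reads)


def score_vbs(text: str, size_bytes: int) -> Dict[str, object]:
    """Score a VBS file against the dropper traits; one point per triggered heuristic."""
    code_lines = [l for l in text.splitlines() if l.strip()]
    comments = [l for l in code_lines if _COMMENT.match(l)]
    comment_ratio = len(comments) / len(code_lines) if code_lines else 0.0
    dead = dead_assignments(code_lines)

    findings = []
    if size_bytes >= LARGE_SCRIPT_BYTES:
        findings.append("large_script")
    if comment_ratio >= COMMENT_RATIO_THRESHOLD:
        findings.append("comment_heavy")
    if dead:
        findings.append("dead_assignments")
    if _LONG_LITERAL.search(text):
        findings.append("long_base64_literal")
    if _SUSPICIOUS_CALLS.search(text):
        findings.append("powershell_launch")

    return {
        "score": len(findings),
        "findings": findings,
        "comment_ratio": round(comment_ratio, 2),
        "dead_variables": dead,
        "verdict": "suspicious" if len(findings) >= 3 else "benign",
    }


# Constructed samples (assumptions for this example), not scripts from the campaign.
_JUNK = "\n".join("' filler comment %d, constructed for this example" % i for i in range(40))
SUSPICIOUS_VBS = _JUNK + "\n" + "\n".join([
    "Dim unused1",
    "unused1 = 12345",
    "Dim unused2",
    'unused2 = "never read"',
    'payload = "' + "QUJD" * 60 + '"',          # harmless repeated base64 of "ABC"
    'Set sh = CreateObject("WScript.Shell")',
    'sh.Run "powershell -EncodedCommand " & payload, 0, False',
])
BENIGN_VBS = "\n".join([
    "' constructed sample: prints a greeting",
    "Dim name",
    'name = "world"',
    'WScript.Echo "Hello, " & name',
])

if __name__ == "__main__":
    print(score_vbs(SUSPICIOUS_VBS, 2_500_000))
    print(score_vbs(BENIGN_VBS, len(BENIGN_VBS)))
```

The size is passed in separately so the same function can be fed file metadata from an EDR or file-share crawl without reading every script in full; a script that trips three or more heuristics is worth pulling for manual analysis, and the `dead_variables` list doubles as a quick view of the padding an analyst can strip before reading the real logic.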
As the threat actors continue to evolve their techniques, organizations must prioritize endpoint protection, behavioral monitoring, and threat intelligence integration to stay ahead of this persistent and agile threat landscape.
This multi-phase attack, powered by obfuscated VBS files and culminating in advanced RAT deployments, underscores the evolving sophistication of cybercriminal groups.
Vigilance and robust security measures are essential for organizations seeking to defend against such complex, multi-stage intrusions.
| Type | Indicator |
| --- | --- |
| DNS | remc21[.]duckdns[.]org |
| DNS | sosten38999[.]duckdns[.]org |
| DNS | rem25rem[.]duckdns[.]org |
| DNS | trabajonuevos[.]duckdns[.]org |
| DNS | gotemburgoxm[.]duckdns[.]org |
| DNS | dcupdate[.]duckdns[.]org |
| DNS | dgflex[.]duckdns[.]org |
| DNS | purelogs2025[.]duckdns[.]org |
| DNS | romanovas[.]duckdns[.]org |
| TLS FP | 95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed |