Analytics Story: VIP Keylogger

Description

This analytic story contains detections that help security analysts identify endpoint activity that may be associated with VIP Keylogger, a .NET-based information stealer and keylogger spread through spear-phishing and impersonation-themed campaigns (for example lures that mimic trusted organizations or urgent business documents). The malware is built to harvest sensitive data from the victim system and often relies on defense evasion patterns common to modern crimeware, including abuse of trusted Windows and .NET binaries and stealthy persistence. The searches in this story focus on behavioral signals—such as unusually large values written under user environment-related registry keys and execution of common .NET-related utilities from script parents in low-trust locations—that can indicate this family or closely related .NET stealers. These analytics are useful for triage and hunting because VIP Keylogger shares substantial overlap in tradecraft and tooling with other subscription-style .NET infostealers, notably Snake Keylogger, including comparable credential-theft goals, delivery themes, and overlapping technical classifications in open-source intelligence.

Why it matters

VIP Keylogger is a .NET information stealer and keylogger sold and distributed in crimeware ecosystems.

Public reporting describes distribution through targeted email with malicious attachments or archives, often using social engineering that impersonates real organizations or urgent business processes—themes that echo broader malspam and spear-phishing tradecraft seen across EU- and sector-focused campaigns.

Once executed, the malware aims to collect credentials, clipboard content, system and user context, and other data useful for fraud or follow-on access, while employing techniques designed to blend in with normal Windows activity.

From a technical perspective, VIP Keylogger activity often aligns with behaviors analysts associate with other .NET stealers.

Researchers and sandboxes frequently highlight abuse of trusted processes, layered loaders or packers, and persistence or configuration touches that show up in endpoint telemetry—patterns that resemble Snake Keylogger and similar families.

Snake Keylogger is also a .NET-centric stealer with a long track record in commodity campaigns; both families emphasize credential and browser-adjacent theft, may share overlapping implementation idioms (managed code, obfuscation, common exfil channels such as SMTP or web APIs depending on the build), and are sometimes discussed in the same breath because samples or campaigns can exhibit comparable indicators and classification overlap.

Treating VIP Keylogger in the same analytic lane as Snake Keylogger therefore improves detection economics: behavioral hunts for .NET proxy execution, suspicious script-driven binary invocation, and persistence anomalies can surface multiple related strains—not just a single hash.

The Splunk detections linked to this story are chosen to catch durable behaviors rather than brittle file names.

Unusually large data written under user Environment registry paths can reflect staging of payloads, paths, or encoded configuration for persistence and execution.
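As an added illustration of the registry-length signal (not code from the Splunk content project), the following Python flags Sysmon Event ID 13 writes under a user's Environment key whose value length exceeds a threshold; the threshold, the allowlist of legitimately long values and the sample events are all assumptions constructed for this example.

```python
"""Flag unusually long values written under a user's Environment registry key
(Sysmon Event ID 13). The events below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

# Matches HKU\<SID>\Environment\<value> or HKCU\Environment\<value>.
ENV_KEY = re.compile(r"^HK(?:U|CU)\\(?:[^\\]+\\)?Environment\\([^\\]+)$", re.IGNORECASE)
# Assumed threshold and allowlist; baseline your fleet before alerting on these.
MAX_LEN = 512
EXPECTED_LONG = {"path", "psmodulepath"}

# Constructed Sysmon EID 13 events. The second mimics an encoded blob staged in an
# environment variable by a script host; the first is an ordinary PATH edit.
SAMPLE_EVENTS = [
    "<Event><System><EventID>13</EventID></System><EventData>"
    "<Data Name='Image'>C:\\Program Files\\Git\\cmd\\git.exe</Data>"
    "<Data Name='TargetObject'>HKU\\S-1-5-21-1111\\Environment\\Path</Data>"
    "<Data Name='Details'>C:\\Users\\alice\\bin;C:\\Tools</Data></EventData></Event>",
    "<Event><System><EventID>13</EventID></System><EventData>"
    "<Data Name='Image'>C:\\Windows\\System32\\wscript.exe</Data>"
    "<Data Name='TargetObject'>HKU\\S-1-5-21-1111\\Environment\\cfg</Data>"
    "<Data Name='Details'>" + "QUJD" * 300 + "</Data></EventData></Event>",
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) for one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("System/EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return event_id, data


def find_anomalous_env_writes(events, max_len=MAX_LEN):
    """Return one finding per EID 13 event whose Environment value exceeds max_len."""
    findings = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 13:
            continue
        match = ENV_KEY.match(data.get("TargetObject", ""))
        if not match:
            continue
        value_name, details = match.group(1), data.get("Details", "")
        if value_name.lower() in EXPECTED_LONG or len(details) <= max_len:
            continue
        findings.append({"value_name": value_name, "length": len(details),
                         "image": data.get("Image", "")})
    return findings


if __name__ == "__main__":
    for hit in find_anomalous_env_writes(SAMPLE_EVENTS):
        print(hit)
```

Pairing each hit with the writing process (the Image field) and the subsequent process tree is what turns the length anomaly into a triage lead.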

Execution of well-known .NET-related utilities when the parent appears to be a script launched from user-writable or non-standard locations is consistent with signed-binary proxy execution tradecraft (MITRE ATT&CK T1218) seen in stealer and loader workflows. Together, these analytics support early detection, scoping, and correlation with phishing-led intrusions that aim to steal credentials at scale.
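As an added example of the proxy-execution signal (not the project's own search logic), this Python applies the parent/child/path conditions to process-creation fields as a SIEM would extract them from Sysmon Event ID 1 or Security 4688; the utility and script-host lists, the low-trust path pattern and the sample events are assumptions constructed for this illustration.

```python
"""Flag .NET utilities spawned by a script host that was itself launched from a
user-writable path, using process-creation fields (Sysmon EID 1 / Security 4688)."""
import ntpath
import re

# Assumed lists for this example; extend them to match your environment.
DOTNET_UTILS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "csc.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Trees an unprivileged user can write to: profiles, temp directories, ProgramData.
LOW_TRUST = re.compile(r"\\(?:Users|Temp|ProgramData)\\", re.IGNORECASE)

# Constructed events with fields already extracted, as a SIEM would present them.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"',
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"',
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": r'powershell.exe -File "C:\Program Files\Vendor\build.ps1"',
     "User": r"CORP\build"},
]


def is_script_proxied_dotnet(event):
    """True when a .NET utility's parent is a script host running from a low-trust path."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return (image in DOTNET_UTILS and parent in SCRIPT_HOSTS
            and LOW_TRUST.search(event.get("ParentCommandLine", "")) is not None)


def find_proxy_executions(events):
    """Return the subset of events matching the script-to-.NET-utility pattern."""
    return [e for e in events if is_script_proxied_dotnet(e)]


if __name__ == "__main__":
    for hit in find_proxy_executions(SAMPLE_EVENTS):
        print(hit["User"], hit["ParentCommandLine"], "->", hit["Image"])
```

Only the first sample matches: the second has a non-script parent and the third runs its script from Program Files. Expect PowerShell's Add-Type to spawn csc.exe routinely, so baseline that pairing before alerting on it.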

Detections

| Name | Technique | Type |
|---|---|---|
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Hiding Files And Directories With Attrib exe | Windows Permissions | TTP |
| Logon Script Event Trigger Execution | Logon Script (Windows) | TTP |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| PowerShell Environment Variable Execution | PowerShell | Anomaly |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
| PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly |
| PowerShell PInvoke Process Injection API Chain | Dynamic-link Library Injection, Thread Execution Hijacking, Asynchronous Procedure Call, Process Hollowing, Process Doppelgänging, PowerShell, Reflective Code Loading | TTP |
| Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly |
| Windows Anomalous Registry Value Length in Environment Key | Modify Registry | Anomaly |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Powershell Cryptography Namespace | PowerShell | Anomaly |
| Windows Proxy Execution of .NET Utilities via Scripts | System Binary Proxy Execution | Anomaly |
| Windows Screen Capture in TEMP folder | Screen Capture | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP |
| Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly |
| Windows Time Based Evasion via Choice Exec | Time Based Checks | Anomaly |
| Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | Anomaly |
| Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | Anomaly |
| Windows DNS Query Request by Telegram Bot API | DNS, Bidirectional Communication | Anomaly |
| Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 1