EXECUTIVE SUMMARY:
This analysis describes a lightweight Visual Basic Script (VBS)-based infostealer that uses native scripting and ephemeral PowerShell helpers to gather host and browser metadata, capture screen images, and transmit collected material to an external messaging-platform webhook. The actor’s delivery vector was a script payload that runs under the standard script host, spawns hidden PowerShell processes, and checks for PowerShell availability before executing collection modules. A local log file is created in the temporary folder to track execution milestones. Affected systems are Windows hosts that permit script execution and PowerShell, including user workstations and servers where scripts are not blocked by policy. The potential business impact is loss of sensitive user and system information, screenshots containing confidential material, and reconnaissance data that can feed follow-on attacks; critical assets that rely on endpoint confidentiality and privacy controls are most at risk.
The payload operates as a VBS script that performs environment checks, writes execution milestones into a temp log, and spawns short-lived PowerShell modules to perform focused collection tasks. Key components include: a module that queries Windows Management Instrumentation to harvest the OS caption, username, and host name; a browser metadata module that creates and executes a transient PowerShell script to parse browser profile metadata from local configuration files; and a diagnostic module that creates another transient PowerShell script to capture a full-desktop screenshot using .NET assemblies. The screenshot module compresses images to control size and checks the target platform’s upload limit before transmission. For transport, the script uses native HTTP objects to POST JSON payloads to an external messaging-platform webhook endpoint and uses a distinctive User-Agent string to identify the client. Execution is repeated on a timed loop that sleeps for one hour between cycles, producing ongoing collection for as long as the process persists in memory. The script launches PowerShell with flags that bypass the execution policy and hide the console window, and it implements fallback HTTP objects and logging for reliability. Notably, the sample omits credential decryption routines and does not use encrypted command channels; it is lightweight by design and appears oriented toward initial reconnaissance and rapid data capture.
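Detection logic for the execution chain described above (a script host spawning a hidden, policy-bypassing PowerShell process that runs a script staged in the temp folder), as an added example that is not part of the original report. The event records and their field names are constructed to resemble process-creation telemetry and are assumptions, as is the three-trait threshold.

```python
import re

# Process names involved in the chain the report describes: script host -> PowerShell
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line traits: execution-policy bypass, hidden window, script staged in a temp folder
BYPASS_RE = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+hidden", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

def basename(path):
    # Last component of a Windows path, lower-cased for comparison
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation event; non-PowerShell children score 0."""
    reasons = []
    if basename(ev["image"]) not in POWERSHELL:
        return 0, reasons
    if basename(ev["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("powershell spawned by script host")
    cmd = ev["command_line"]
    if BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if TEMP_RE.search(cmd):
        reasons.append("script run from temp folder")
    return len(reasons), reasons

def find_suspicious(events, threshold=3):
    """Return [(pid, reasons)] for events meeting the threshold; one trait alone is common in admin tooling."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], reasons))
    return hits

# Constructed sample telemetry (assumed Sysmon-like field names), not data taken from the report
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\bi.ps1"},
    {"pid": 4188, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 4201, "parent_image": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Program Files\Backup\snapshot.ps1"},
]
```

Only the first sample event reaches the threshold; the backup agent's policy bypass scores one trait and is left for tuning rather than alerting.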
Observed impacts are focused on disclosure of system metadata, browser profile information, and periodic screen captures sent to an external webhook, enabling visibility into user activity and local system state. The sample’s lightweight design and use of native scripting and ephemeral PowerShell helpers make it easy to run on permissive systems and suitable for rapid footprinting or second-stage reconnaissance. While it lacks robust features such as persistent autostart across reboots, encrypted communications, or direct credential extraction, its ability to collect and exfiltrate screenshots and profile metadata via an allowed web channel provides material that can be leveraged for targeted follow-on operations. In the broader threat landscape this sample represents a class of script-based infostealers that favor simplicity and abuse of common tooling and allowed web endpoints to avoid complex infrastructure, demonstrating that low-sophistication tools can still yield effective intelligence against misconfigured or permissive endpoints.
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-Technique |
Reconnaissance | T1595 | Active Scanning | — |
Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
Discovery | T1082 | System Information Discovery | — |
Collection | T1113 | Screen Capture | — |
Collection | T1005 | Data from Local System | — |
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
Impact | T1536 | Exfiltration/Disclosure | — |
MBC MAPPING:
Objective | Behavior ID | Behavior |
Execution | E1059 | Command and Scripting Interpreter |
Persistence | F0012 | Registry Run Keys |
Defense Evasion | E1027 | Obfuscated Files/Information |
Defense Evasion | F0005 | Hidden Files/Directories |
Discovery | E1082 | System Information Discovery |
Collection | E1083 | File/Directory Discovery |
Credential Access | E1055 | Process Injection |
Exfiltration | E1020 | Automated Exfiltration |
Command & Control | C0002 | HTTP Communication |
REFERENCES:
The following reports contain further technical details: