Full Report
Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity

Introduction

During our investigation, we identified a multi-stage malware infection leveraging Scheduled Task persistence, VBScript launchers, and PowerShell-based execution. The attack operates through two parallel chains: a web-based PowerShell loader that retrieves remote payloads and a secondary PowerShell loader chain that executes […]

The post Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Tool/Technique: Operation DualScript
## Overview
Operation DualScript is a sophisticated multi-stage malware campaign designed to target cryptocurrency and financial activities. The attack utilizes a dual-path execution strategy: one chain focuses on web-based PowerShell loaders for cryptocurrency clipboard hijacking, while the second chain deploys "RetroRAT," a remote access trojan used for system monitoring and data exfiltration. The campaign heavily leverages living-off-the-land (LotL) techniques, such as VBScript launchers and in-memory PowerShell execution, to minimize its footprint on the disk.
## Technical Details
- **Type:** Malware Family (RetroRAT) & Multi-Stage PowerShell Campaign
- **Platform:** Windows
- **Capabilities:** Remote Command Execution (RCE), Clipboard Hijacking (Crypto), Information Stealing, Keylogging, Screen Capture, Persistence.
- **First Seen:** March 2026 (Reported date)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1059.005 - Command and Scripting Interpreter: VBScript
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1562.001 - Impair Defenses: Disable or Modify Tools (Execution Policy Bypass)
- **TA0006 - Credential Access**
  - T1056 - Input Capture
- **TA0007 - Discovery**
  - T1057 - Process Discovery
- **TA0009 - Collection**
  - T1115 - Clipboard Data
  - T1056.001 - Input Capture: Keylogging
  - T1113 - Screen Capture
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Web Protocols)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Parallel Execution Chains:** Operates two distinct infection paths to deliver different payloads simultaneously.
- **Persistent Access:** Uses Scheduled Tasks targeting user-writable directories to ensure re-execution after reboot.
- **In-Memory Execution:** Leverages `[ScriptBlock]::Create().Invoke()` to execute PowerShell code directly in RAM, avoiding file-based detection.
- **Single-Instance Check:** Uses WMI process enumeration to ensure only one instance of the malware runs at a time.
- **Cryptocurrency Hijacking:** Monitors the system clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses.
### Advanced Features
- **Remote Payload Updates:** The web-based loader retrieves `Wallet.txt` via HTTP, allowing attackers to update the malware's logic or commands without re-infecting the host.
- **Full System Surveillance:** Through RetroRAT, attackers can log keystrokes, capture screenshots, and monitor specific financial activities.
- **Evasion:** Uses execution policy bypass and hidden window modes to run scripts silently.
## Indicators of Compromise
### File Hashes (MD5)
- **RetroRAT:** `7546ada1e3144371724db209ba4c5f37`
- **PiceVid.ps1:** `173b27e7541427929da72ebf37c6db8e`
- **PiceVid.vbs:** `243af69d85550232da45f5a30703a4a3`
- **ppamproServiceZuneWAL.ps1:** `43cac07a501e7a717023e0fa8f6111e0`
- **ppamproServiceZuneWAL.vbs:** `163c38bd7ff7dd27e88eaef1a7a4819f`
- **Wallet.txt:** `1dc82fd02a0db3e338128b6f587d7122`
### File Names
- `PiceVid.vbs` / `PiceVid.ps1`
- `ppamproServiceZuneWAL.vbs` / `ppamproServiceZuneWAL.ps1`
- `Wallet.txt`
### Network Indicators
- `hxxps://anycourse[.]net/wp-content/uploads/2025/04/Wallet[.]txt`
- `info[.]1cooldns[.]com`
- `floatsdk[.]1cooldns[.]com`
- `thewpiratebay[.]st`
### Behavioral Indicators
- Scheduled tasks launching `wscript.exe` or `cscript.exe` from user-writable profile locations (AppData, Local, Temp).
- PowerShell processes spawned with `-ExecutionPolicy Bypass -WindowStyle Hidden`.
- Periodic WMI queries for running processes (`Select * From Win32_Process`).
## Associated Threat Actors
- Unknown (The report does not link the campaign to a specific attributed group, but notes the focus on financial and cryptocurrency theft).
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized creation of Scheduled Tasks and parent-child process relationships involving `wscript.exe` spawning `powershell.exe`.
- **PowerShell Logging:** Enable Script Block Logging (Event ID 4104) to capture the de-obfuscated code executed in memory.
- **Network Monitoring:** Alert on connections to known low-reputation DDNS providers like `1cooldns.com`.
- **Signature-based:** Security products should look for the specific MD5 hashes provided above.
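The following is an added example, not code from the Seqrite report, showing how the behavioral indicators and detection methods listed above can be expressed as triage rules and run over a stream of endpoint events. The event shapes (`ProcessEvent`, `ScriptBlockEvent`, `DnsEvent`) and their field names are assumed, Sysmon/PowerShell-log-like abstractions, and the sample telemetry is constructed for the example (only the file names and the `1cooldns.com` domain come from the report). It goes slightly beyond the report's literal command line by also accepting PowerShell's short parameter aliases (`-ep`, `-w`), which are common in loaders.

```python
"""Triage rules for the Operation DualScript behavioral indicators.

Added example, not code from the Seqrite report. Event classes and field
names are assumptions; map your own telemetry onto them before use.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# User-writable profile locations (AppData, Downloads, Desktop, Temp).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\temp\\", re.IGNORECASE)
# The long flags from the report plus PowerShell's short aliases (-ep, -w).
EXEC_POLICY_BYPASS = re.compile(
    r"(?:^|\s)-(?:executionpolicy|ep)\s+bypass\b", re.IGNORECASE)
WINDOW_HIDDEN = re.compile(
    r"(?:^|\s)-(?:windowstyle|w)\s+hidden\b", re.IGNORECASE)
# Single-instance check via WMI, as seen in Script Block Logging (4104) text.
WMI_PROCESS_ENUM = re.compile(r"select\s+\*\s+from\s+win32_process", re.IGNORECASE)
# In-memory execution pattern named in the report.
SCRIPTBLOCK_INVOKE = re.compile(
    r"\[scriptblock\]::create\(.*\)\.invoke\(", re.IGNORECASE | re.DOTALL)
# Dynamic-DNS provider from the report's network indicators.
DDNS_SUFFIXES = ("1cooldns.com",)


@dataclass(frozen=True)
class ProcessEvent:          # process-creation record (assumed shape)
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class ScriptBlockEvent:      # PowerShell Event ID 4104 script text (assumed shape)
    script_text: str


@dataclass(frozen=True)
class DnsEvent:              # DNS query record (assumed shape)
    query_name: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event) -> list[str]:
    """Return the names of every indicator the event matches."""
    hits: list[str] = []
    if isinstance(event, ProcessEvent):
        image, parent = _name(event.image), _name(event.parent_image)
        if image in SCRIPT_HOSTS and USER_WRITABLE.search(event.command_line):
            hits.append("script_host_from_user_writable_path")
        if image in POWERSHELL:
            if parent in SCRIPT_HOSTS:
                hits.append("script_host_spawned_powershell")
            if (EXEC_POLICY_BYPASS.search(event.command_line)
                    and WINDOW_HIDDEN.search(event.command_line)):
                hits.append("powershell_bypass_hidden")
    elif isinstance(event, ScriptBlockEvent):
        if WMI_PROCESS_ENUM.search(event.script_text):
            hits.append("wmi_process_enumeration")
        if SCRIPTBLOCK_INVOKE.search(event.script_text):
            hits.append("in_memory_scriptblock_invoke")
    elif isinstance(event, DnsEvent):
        q = event.query_name.lower().rstrip(".")
        if any(q == s or q.endswith("." + s) for s in DDNS_SUFFIXES):
            hits.append("ddns_provider_lookup")
    return hits


def scan(events) -> dict[str, int]:
    """Count matches per indicator across an event stream."""
    counts: dict[str, int] = {}
    for ev in events:
        for h in triage(ev):
            counts[h] = counts.get(h, 0) + 1
    return counts


# Constructed sample telemetry: user name, paths and the benign entries are
# invented; PiceVid.* and 1cooldns.com are taken from the report's IOCs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\PiceVid.vbs"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
                 r'-File "C:\Users\alice\AppData\Local\Temp\PiceVid.ps1"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 r"powershell.exe -NoProfile -Command Get-Date"),       # benign
    ScriptBlockEvent("Get-WmiObject -Query 'Select * From Win32_Process' "
                     "| Where-Object { $_.Name -eq 'powershell.exe' }"),
    ScriptBlockEvent("[ScriptBlock]::Create($payload).Invoke()"),
    DnsEvent("floatsdk.1cooldns.com"),
    DnsEvent("update.example.com"),                                    # benign
]

if __name__ == "__main__":
    for name, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {n}")
```

Each rule maps to one bullet above, so a rule firing on a single event is a weak signal on its own, while the chain `script_host_from_user_writable_path` followed by `script_host_spawned_powershell` and `powershell_bypass_hidden` from the same host is the parent-child relationship the Behavioral Detection bullet describes. Use `scan()` to aggregate per host over a window rather than alerting on each hit.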
## Mitigation Strategies
- **Scripting Restrictions:** Restrict or disable VBScript (`.vbs`) and PowerShell execution for standard users.
- **Constrained Language Mode:** Enforce PowerShell Constrained Language Mode to limit the environment's capability.
- **Task Scheduler Hardening:** Monitor and restrict the ability of non-admin users to create scheduled tasks.
- **Environment Hardening:** Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized scripts and Living-off-the-Land binaries.
## Related Tools/Techniques
- **RetroRAT:** The primary RAT used in this campaign.
- **Clipboard Hijacking:** Common technique used by crypto-drainers.
- **Living-off-the-Land (LoLBins):** Reliance on `wscript`, `powershell`, and `schtasks`.