MalwareUsed by 3 actors

Vbs-Crypter

Vbs-Crypter is a tool used to conceal, obfuscate, and pack Visual Basic Script (VBS) payloads. Reporting cited in the provided content describes overlaps between VBS code used by the Blind Eagle threat actor (also tracked as APT-C-36, APT-Q-98, and AguilaCiega) and Vbs-Crypter, including linkage to a subscription-based crypter service referred to as "Crypters and Tools." In the observed campaigns, VBS scripts were delivered via phishing infrastructure impersonating Colombian banks and other financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. These VBS payloads acted as loaders that retrieved encrypted executables from remote servers and deployed second-stage commodity RATs such as AsyncRAT and Remcos RAT. The activity targeted Colombian financial entities and organizations, and the associated infrastructure included DuckDNS subdomains resolving to 45.135.232.38, an IP reported as linked to the Proton66 bulletproof hosting service. High-confidence indicators and behaviors directly mentioned in the content include use of VBS loaders, phishing pages, DuckDNS subdomains, Proton66-linked infrastructure, retrieval of encrypted executables, and delivery of AsyncRAT and Remcos RAT as follow-on payloads.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

APT-C-36

"Such VBS codes were also discovered by researchers to be similar to the Vbs-Crypter tool meant to conceal VBS payloads."

via scworldscworld.com

APT-Q-98

"Such VBS codes were also discovered by researchers to be similar to the Vbs-Crypter tool meant to conceal VBS payloads."

via scworldscworld.com

AguilaCiega

"Such VBS codes were also discovered by researchers to be similar to the Vbs-Crypter tool meant to conceal VBS payloads."

via scworldscworld.com

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

scworldNews

Jul 1, 2025

New Blind Eagle attacks involve Proton66 hosting

Tool used to conceal/obfuscate VBS payloads; referenced as similar to the VBS code used in the campaign.

the hacker newsNews

Jun 30, 2025

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

VBS-focused crypter/packer used to obfuscate and pack VBS payloads to evade detection.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.