
SnakeKeylogger v4.4 Dual-Vector Campaign: Rotational XOR, Internet Archive Abuse, and an Operator Who Can't Stop Uploading Samples

Published: March 12, 2026
Tags: stealer, credential-theft, c2, apt

TL;DR: Two SnakeKeylogger dropper samples -- a 1.1MB PowerShell script and a 1.2MB VBScript -- appeared on MalwareBazaar within 48 hours of each other, delivering the same infostealer family through operationally linked but technically distinct kill chains. The PS1 dropper uses a rotational XOR cipher with a non-linear key schedule to decrypt a .NET process hollower (DEV.dll) that injects SnakeKeylogger v4.4 into Aspnet_compiler.exe. The VBS dropper takes a different path entirely: it abuses Internet Archive as a payload staging platform, extracts a .NET loader (Fiber.Program) hidden inside a fake PNG, and hollows into RegAsm.exe. Both chains converge on the same exfiltration panel at 51.38.247.67:8081 backed by triple-redundant DDNS across three providers. The operator's OPSEC is a study in contradictions -- sophisticated encryption paired with hardcoded IPs and timestamped Internet Archive uploads.


Two Samples, Two Days, One Operator

This investigation started with a fresh MalwareBazaar upload: a 1.1MB PowerShell dropper tagged as SnakeKeylogger, submitted March 10, 2026, from a German origin. Most analysts would stop there -- SnakeKeylogger is commodity crimeware, after all. But pulling the thread led to a second sample uploaded just two days earlier: a 1.2MB VBScript dropper from Sweden that shares the same payload infrastructure but uses a completely different delivery mechanism.

Two droppers. Two scripting languages. Two process hollowing targets. Same operator, same panel, same campaign.

The question is not whether these are linked -- the shared C2 infrastructure makes that trivial -- but why an operator would maintain parallel delivery chains. The answer appears to be A/B testing at the delivery layer: iterate on the dropper, keep the payload constant.

The PowerShell Chain: Custom Crypto That Actually Works

The PS1 dropper (d1a0yc.Ps1) is the more technically interesting of the two. At 1.1MB, it is mostly ciphertext: a base64 here-string weighing in at 1.14 million characters, stored in a variable named $securecontainer.

Attribute  | Value
SHA-256    | 7b2b9ea6e5cff58284987f53650c13bf0d724f9805baff80ea0396ca1dd255d7
MD5        | 2cb8030ff93885556ada3ed782889f0c
Size       | 1.1 MB
First Seen | 2026-03-10
Origin     | DE (Germany)

The encryption is where things get interesting. This is not your garden-variety single-byte XOR. The operator uses a 32-byte key (j60KTixM70ULTTcffGy/gv6W0rSzyf+UcrRAV+5VF14=) with a rotational key schedule that advances non-linearly:

for each byte at position i:
    key_position = (i + rotation_tracker) % key_length
    plaintext[i] = ciphertext[i] XOR key[key_position]
    rotation_tracker = (rotation_tracker + key[key_position]) % 7

That rotation_tracker is the clever part. After each decryption operation, the tracker advances by the plaintext byte value modulo 7, creating a feedback loop between the output and the key schedule. Standard frequency analysis -- the go-to technique for breaking XOR -- becomes ineffective because the key offset at position N depends on every decrypted byte before it. It is a small but meaningful step above the encryption quality you typically see in commodity droppers.
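To make the key schedule concrete, here is an added Python implementation of the decryptor (written for this write-up, not code from the dropper or from the original analysis). The report's prose says the tracker advances by the decrypted byte while its pseudocode advances by the key byte just used; the example follows the prose by default and exposes a `feedback="key"` switch for the other reading. The sample plaintext is constructed, but the key is the one quoted above.

```python
"""Rotational XOR decryptor for the PS1 dropper's $securecontainer blob."""
import base64

# 32-byte key as quoted in the report (base64 form from the dropper).
KEY = base64.b64decode("j60KTixM70ULTTcffGy/gv6W0rSzyf+UcrRAV+5VF14=")
TRACKER_MODULUS = 7  # the "% 7" in the report's key schedule


def _step(feedback: str, plain_byte: int, key_byte: int) -> int:
    # "plaintext": tracker advances by the decrypted byte (report prose).
    # "key": tracker advances by the key byte just used (report pseudocode).
    return plain_byte if feedback == "plaintext" else key_byte


def decrypt(ciphertext: bytes, key: bytes = KEY, feedback: str = "plaintext") -> bytes:
    """Walk the ciphertext, XORing each byte with key[(i + tracker) % len(key)]."""
    out = bytearray(len(ciphertext))
    tracker = 0
    for i, c in enumerate(ciphertext):
        kp = (i + tracker) % len(key)
        out[i] = c ^ key[kp]
        tracker = (tracker + _step(feedback, out[i], key[kp])) % TRACKER_MODULUS
    return bytes(out)


def encrypt(plaintext: bytes, key: bytes = KEY, feedback: str = "plaintext") -> bytes:
    """Inverse direction, used only to build the constructed sample below."""
    out = bytearray(len(plaintext))
    tracker = 0
    for i, p in enumerate(plaintext):
        kp = (i + tracker) % len(key)
        out[i] = p ^ key[kp]
        tracker = (tracker + _step(feedback, p, key[kp])) % TRACKER_MODULUS
    return bytes(out)


def decrypt_securecontainer(b64_blob: str, key: bytes = KEY) -> bytes:
    """Mirror the dropper's unpack order: base64-decode the here-string, then XOR."""
    return decrypt(base64.b64decode(b64_blob), key)


def bytes_disturbed_by_one_flip(plaintext: bytes, key: bytes = KEY) -> int:
    """Flip one ciphertext bit and count how many decrypted bytes change:
    with plaintext feedback the damage spreads past the flipped byte."""
    ct = bytearray(encrypt(plaintext, key))
    ct[0] ^= 0x01
    return sum(a != b for a, b in zip(decrypt(bytes(ct), key), plaintext))


# Constructed stand-in for the decrypted Layer 1 (not the real dropper content).
SAMPLE_LAYER1 = b"function Invoke-AssemblyExecution { param([byte[]]$Bytes) }"
SAMPLE_CONTAINER = base64.b64encode(encrypt(SAMPLE_LAYER1)).decode()

if __name__ == "__main__":
    print(decrypt_securecontainer(SAMPLE_CONTAINER).decode())
    print("bytes disturbed by a 1-bit flip:", bytes_disturbed_by_one_flip(SAMPLE_LAYER1))
```

Running the decryptor against the real blob in either mode and checking which output contains readable PowerShell settles the prose-versus-pseudocode question for the analyst.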

After decryption, the payload unpacks through three stages:

  1. Layer 1: An Invoke-AssemblyExecution function plus a monitoring loop
  2. DEV.dll: A 46KB .NET DLL that performs process hollowing (entry point: DEV.DOWN.SHOOT)
  3. SnakeKeylogger v4.4: The 278KB final payload, injected into a hollowed Aspnet_compiler.exe

The process hollowing target is noteworthy: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe is a legitimate Microsoft binary that runs under the .NET Framework directory. To a casual observer (or an undertrained SOC analyst), a .NET process running from the Framework directory looks completely normal.

The VBScript Chain: When You Use the Wayback Machine as a CDN

The VBS dropper is operationally sloppier but more creative in its infrastructure abuse.

Attribute  | Value
SHA-256    | 9f6057d2185a9b1f0dc11a37dbd6710da82af0a2625a4455da0941ea44e14d13
MD5        | be8c95c50d3e0c635975d21de3b8d5b6
Size       | 1.2 MB
First Seen | 2026-03-08
Origin     | SE (Sweden)

The file opens with 7,946 lines of identical Unicode string concatenation -- a variable called choreomania being built up character by character in what amounts to pure padding. The actual payload is hex-encoded with Unicode delimiters scattered throughout, including characters like U+04DD, U+2A88, and the ever-popular U+1F4BA (a seat emoji, for some reason).

But the real story is the staging infrastructure. Instead of embedding the payload inline like the PS1 variant, the VBS dropper reaches out to Internet Archive -- yes, the Wayback Machine people -- to download its first-stage payload:

hxxps://ia601409[.]us[.]archive[.]org/19/items/optimized_msi_20260303_1054/optimized_MSI[.]png

A .NET assembly disguised as a PNG file, hosted on one of the most trusted domains on the internet. Most web proxies, content filters, and even some EDR products whitelist archive.org traffic. The operator uploaded this on March 3, 2026 at 10:54 -- we know the exact timestamp because Internet Archive helpfully encodes it in the item path (optimized_msi_20260303_1054). So much for operational security.

The download chain continues through a second stage hosted on ByetHost free hosting (teamnike[.]kesug[.]com), before loading a .NET assembly called Fiber.Program that process-hollows into RegAsm.exe -- a different .NET Framework binary than the PS1 chain uses, but serving the same purpose.

[VBS DELIVERY CHAIN]
Email/Download --> be8c95c5...vbs (1.2MB)
    |
    v
Unicode-padded hex encoding --> PowerShell command
    |
    v
WMI Win32_Process.Create --> powershell.exe -NoProfile -WindowStyle Hidden
    |
    v
Download from Internet Archive: optimized_MSI.png (actually .NET assembly)
    |
    v
Extract base64 between "IN-" and "-in1" markers, reverse, decode
    |
    v
Load Fiber.Program.Main() with args:
  - Stage 2 URL: teamnike.kesug.com/img_021628.png
  - Drop path: C:\Users\Public\Downloads\
  - Hollowing target: RegAsm.exe
  - Persistence: Scheduled task
    |
    v
SnakeKeylogger executes in hollowed RegAsm.exe

The base64 extraction technique deserves a note: the loader searches the downloaded "PNG" for content between the markers IN- and -in1, reverses the string, then base64-decodes it. String reversal as an obfuscation layer is about as old as malware itself, but combined with the marker-based extraction, it creates a format that is unlikely to trigger static analysis rules looking for standard base64 blobs.
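An added triage helper (written for this write-up, not the loader's own code) that applies the container format just described to a file served as an image: it checks for the real PNG signature, then tries the marker/reverse/base64 unwrapping and looks for a PE header in the result. The wrapped sample is constructed to mimic the format; it is not the real optimized_MSI.png.

```python
"""Triage an 'image' pulled from a staging host: is it a real PNG, or the
VBS chain's marker-wrapped, reversed-base64 .NET assembly?"""
import base64
import binascii
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
START_MARKER, END_MARKER = b"IN-", b"-in1"  # markers quoted in the report


def extract_wrapped_payload(blob: bytes) -> Optional[bytes]:
    """Recover what the loader would: slice between the markers, reverse,
    base64-decode. None when the container format is not present."""
    start = blob.find(START_MARKER)
    if start == -1:
        return None
    end = blob.find(END_MARKER, start + len(START_MARKER))
    if end == -1:
        return None
    reversed_b64 = blob[start + len(START_MARKER):end]
    try:
        return base64.b64decode(reversed_b64[::-1], validate=True)
    except binascii.Error:
        return None


def classify_image_download(blob: bytes) -> str:
    """Verdict for a file served under an image name or content-type."""
    if blob.startswith(PNG_MAGIC):
        return "png"
    payload = extract_wrapped_payload(blob)
    if payload is not None and payload.startswith(b"MZ"):
        return "pe-in-marker-wrapper"
    if blob.startswith(b"MZ"):
        return "bare-pe"
    return "not-png-unknown"


# Constructed sample: a fake DOS/PE stub wrapped the way the report describes.
# This is NOT the real optimized_MSI.png; it only mimics the container format.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
FAKE_STAGED_FILE = (b"\x00junk-prefix" + START_MARKER
                    + base64.b64encode(FAKE_PE)[::-1] + END_MARKER + b"junk-suffix")

if __name__ == "__main__":
    print(classify_image_download(FAKE_STAGED_FILE))
```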

The Payload: Everything Including Your WiFi Password

SnakeKeylogger v4.4 is a comprehensive infostealer. When we say comprehensive, we mean it steals from more software than most people have installed:

Browser Credential Theft (40+ targets)

Family   | Browsers
Chromium | Chrome, Chrome Canary, Edge, Brave, Opera, Vivaldi, CentBrowser, Chedot, Xvast, SuperBird, GhostBrowser, Slimjet, Iridium, Orbitum, QQBrowser, Uran, CocCoc, Coowon, 360Browser, 360Chrome, Comodo Dragon, Torch, Blisk, Epic Privacy Browser, Nichrome, Amigo, Kometa, Xpom, Kinza, Sputnik, ChromePlus, QIP Surf, BlackHawk, 7Star, Citrio, Sleipnir, MapleStudio
Gecko    | Firefox, Waterfox, SeaMonkey, Cyberfox, IceDragon, SlimBrowser, Pale Moon

Beyond Browsers

  • Email clients: Outlook (Office 15.0/16.0), Foxmail, Thunderbird, Postbox
  • FTP: FileZilla (recentservers.xml parsing)
  • Discord: Local Storage/LevelDB token extraction
  • Credit cards: SQLite parsing of Chromium Web Data database
  • WiFi passwords: netsh wlan show profile key extraction
  • Plus: keylogging (SetWindowsHookExA), clipboard capture, and periodic screenshots

The exfiltration is multi-channel, configured via flags in the encrypted config:

  • %is_Panel% -- HTTP POST to _send_.php (plus specialized endpoints: P1.php for passwords, P2.php for keystrokes, P3.php for screenshots)
  • %is_FTP% -- FTP STOR command
  • %is_Telegram% -- Telegram Bot API (/sendMessage, /sendDocument)
  • %is_Discord% -- Discord webhook

The anti-analysis features are standard for SnakeKeylogger: bot detection (EnabledAntiBot, BotDetected, $BotClean$) and a self-deletion command (cmd.exe /C choice /C Y /N /D Y /T 3 & Del) that uses the choice command with a 3-second timeout as a delay before deleting the executable.

C2 Infrastructure: Triple Redundancy, Single Point of Failure

The operator built redundancy into the C2 layer -- three dynamic DNS domains across three different providers, plus a hardcoded IP as a fallback:

Domain                         | Provider        | Status
varders[.]kozow[.]com          | Dynu (DDNS)     | LIVE -- resolves to 192[.]169[.]69[.]26
aborters[.]duckdns[.]org       | DuckDNS (DDNS)  | DEAD -- no resolution
anotherarmy[.]dns[.]army       | DNS.Army (DDNS) | DEAD -- no resolution
51[.]38[.]247[.]67 (hardcoded) | OVH SAS, France | OFFLINE -- all ports filtered

The DDNS provider diversity is a known SnakeKeylogger operator pattern -- spread your C2 across multiple free DNS services so that a takedown of one does not kill the entire operation. But the hardcoded OVH IP undermines all of that careful redundancy. Any network defender who finds the IP can block the panel directly, regardless of how many times the DDNS records rotate.

The panel itself runs on port 8081 with a standard SnakeKeylogger web interface: _send_.php as the main ingestion endpoint, with P1.php, P2.php, P3.php, and api.php handling specific data types. As of investigation time, the OVH IP has all ports filtered -- the operator has either rotated to new infrastructure or been taken down.

The one live domain (varders[.]kozow[.]com) resolves to 192[.]169[.]69[.]26, hosted by Stealthy Hosting in the US. This may represent the operator's current active infrastructure after the OVH panel went dark.

OPSEC: A Study in Contradictions

This operator's security posture is a split personality.

The good:

  • Three DDNS providers for C2 redundancy
  • Encrypted SnakeKeylogger configuration (TripleDES)
  • Process hollowing into legitimate .NET binaries
  • Rotational XOR with a non-linear key schedule (PS1 chain)
  • Multiple fallback execution paths

The catastrophic:

  • Hardcoded the C2 IP right next to the DDNS domains in plaintext .NET user strings
  • Uploaded a payload to Internet Archive, which timestamps everything (optimized_msi_20260303_1054 = March 3, 2026, 10:54)
  • Used ByetHost free hosting, which requires registration and leaves traces
  • Submitted both dropper variants to MalwareBazaar within 48 hours, linking the two delivery chains
  • Left all three C2 URLs in plaintext in the .NET strings heap alongside the encrypted config

The Internet Archive timestamp is particularly damaging. It gives defenders an exact window for when the operator was actively building infrastructure, which can be correlated against other uploads and registrations during that same period.

Same Operator: The Evidence

Attribute         | PS1 Dropper                   | VBS Dropper
First Seen        | 2026-03-10                    | 2026-03-08
Origin Country    | DE (Germany)                  | SE (Sweden)
Obfuscation       | Rotational XOR + base64       | Unicode padding + hex encoding
Staging           | Inline (no external download) | Internet Archive + ByetHost
Hollowing Target  | Aspnet_compiler.exe           | RegAsm.exe
.NET Loader       | DEV.DOWN.SHOOT                | Fiber.Program.Main
Execution         | Direct PowerShell             | WMI --> PowerShell
Final Payload     | SnakeKeylogger v4.4           | SnakeKeylogger (same family)
C2 Infrastructure | Shared                        | Shared

Assessment: HIGH confidence same operator. The shared C2 panel, the consistent use of .NET process hollowing (just into different targets), and the 48-hour upload gap all point to a single operator iterating on delivery mechanisms while keeping the backend constant. The different origin countries (Germany, Sweden) likely reflect different distribution vectors -- separate spam campaigns, VPN exit nodes, or compromised mail servers -- rather than different operators.

This looks like a mid-tier cybercriminal running the SnakeKeylogger builder (commercially available on underground forums for $40-100) with enough technical skill to customize the delivery layer but not enough discipline to keep operational details out of public view.

MITRE ATT&CK Mapping

Tactic               | Technique                          | ID        | Implementation
Execution            | PowerShell                         | T1059.001 | PS1 dropper executes via PowerShell
Execution            | Visual Basic                       | T1059.005 | VBS dropper with Unicode-padded hex encoding
Execution            | Windows Management Instrumentation | T1047     | WMI Win32_Process.Create spawns hidden PowerShell
Defense Evasion      | Process Hollowing                  | T1055.012 | Injection into Aspnet_compiler.exe / RegAsm.exe
Defense Evasion      | Obfuscated Files or Information    | T1027     | Rotational XOR, Unicode padding, hex encoding
Defense Evasion      | Deobfuscate/Decode Files           | T1140     | Multi-layer base64 + XOR decryption at runtime
Defense Evasion      | Masquerading                       | T1036     | Payload disguised as .png on Internet Archive
Command and Control  | Dynamic Resolution: DNS            | T1568.002 | DuckDNS, Dynu, DNS.Army DDNS
Command and Control  | Application Layer Protocol: HTTP   | T1071.001 | HTTP POST to panel endpoints on port 8081
Collection           | Input Capture: Keylogging          | T1056.001 | SetWindowsHookExA keyboard hook
Collection           | Clipboard Data                     | T1115     | GetClipboardData monitoring loop
Collection           | Screen Capture                     | T1113     | Periodic screenshot module (PNG output)
Credential Access    | Browser Credentials                | T1555.003 | 40+ browser Login Data / Cookie / Web Data extraction
Credential Access    | Email Credentials                  | T1555.005 | Outlook, Foxmail, Thunderbird credential theft
Credential Access    | Steal Application Access Token     | T1528     | Discord token extraction from LevelDB
Exfiltration         | Exfiltration Over C2 Channel       | T1041     | HTTP POST, FTP STOR, Telegram Bot API, Discord webhook
Resource Development | Upload Malware                     | T1608.001 | Internet Archive and ByetHost payload staging

Indicators of Compromise

File Indicators

# PS1 Dropper (d1a0yc.Ps1)
SHA256: 7b2b9ea6e5cff58284987f53650c13bf0d724f9805baff80ea0396ca1dd255d7
MD5:    2cb8030ff93885556ada3ed782889f0c
SHA1:   7d02ed1e8414578e0de1e7bb3f0cc5274fcafe3b

# VBS Dropper
SHA256: 9f6057d2185a9b1f0dc11a37dbd6710da82af0a2625a4455da0941ea44e14d13
MD5:    be8c95c50d3e0c635975d21de3b8d5b6
SHA1:   57d676bc50cda0a74a09846be77108f433e5236a

# DEV.dll (Process Hollower)
SHA256: 1c5c15bbed9b6056298187a2fe7d808d8ecc38db0b17c6b18250f9e521028f74
MD5:    b69f46bd7658a4b6f0c2090f342fb0e4
GUID:   55bef816-ffb4-4b4a-a91c-15abf1e81cb2

# SnakeKeylogger v4.4 Final Payload
SHA256: 580208dc3ab732da63205c34e6b98e11810f5d17d6b602ff9d1029873d418474
MD5:    a1d82a4559bb35d8871d0354e0b7f5ee

Network Indicators

# C2 Domains (defanged)
varders[.]kozow[.]com
aborters[.]duckdns[.]org
anotherarmy[.]dns[.]army
teamnike[.]kesug[.]com

# C2 IPs (defanged)
51[.]38[.]247[.]67
192[.]169[.]69[.]26

# C2 URLs (defanged)
hxxp://varders[.]kozow[.]com:8081
hxxp://aborters[.]duckdns[.]org:8081
hxxp://anotherarmy[.]dns[.]army:8081
hxxp://51[.]38[.]247[.]67:8081/_send_[.]php

# Staging URLs (defanged)
hxxps://ia601409[.]us[.]archive[.]org/19/items/optimized_msi_20260303_1054/optimized_MSI[.]png
hxxps://teamnike[.]kesug[.]com/img_021628[.]png

# IP Check / GeoIP (used by payload)
hxxp://checkip[.]dyndns[.]org/
hxxps://reallyfreegeoip[.]org/xml/

Behavioral Indicators

# Process hollowing targets
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

# User-Agent (hardcoded, outdated -- easy detection pivot)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)

# File system artifacts
C:\Users\Public\Downloads\  (VBS chain drop directory)
\VIPRecovery\  (credential dump directory)

# Self-deletion command
cmd.exe /C choice /C Y /N /D Y /T 3 & Del "<self>"

# .NET Assembly identifiers
DEV.DOWN.SHOOT (PS1 chain entry point)
Fiber.Program.Main (VBS chain loader)
aaalogshsindgdaLogndta (SnakeKeylogger crypto class)
Remington.Resources (resource namespace)

# Encryption key (PS1 dropper)
j60KTixM70ULTTcffGy/gv6W0rSzyf+UcrRAV+5VF14=
Hex: 8fad0a4e2c4cef450b4d371f7c6cbf82fe96d2b4b3c9ff9472b44057ee55175e

Immediate (24-48 hours)

  • Block all C2 domains and IPs listed above at the network perimeter (firewall, proxy, DNS sinkhole)
  • Search EDR telemetry for Aspnet_compiler.exe and RegAsm.exe spawned as child processes of PowerShell or WScript
  • Hunt for the Internet Explorer 6 User-Agent string in proxy logs -- nobody is legitimately browsing with IE6 on Windows Server 2003 in 2026
  • Search email gateway logs for .ps1 and .vbs attachments exceeding 1MB
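The two cheapest hunts above (script host spawning a .NET hollowing target, and the hardcoded IE6 User-Agent) as added detection logic over constructed telemetry; this is illustration code written for this write-up, not a shipped rule. It assumes a minimal process-create record with host, parent image and image, and a constructed tab-separated proxy log of client IP, URL and User-Agent.

```python
"""Hunt logic for the report's process-hollowing and User-Agent pivots."""
from dataclasses import dataclass
from typing import List, Set

HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# User-Agent string quoted in the report's behavioral indicators.
SNAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"


@dataclass
class ProcessEvent:  # minimal stand-in for a Sysmon EID 1 / EDR process-create record
    host: str
    parent_image: str
    image: str


def suspicious_hollow_spawn(ev: ProcessEvent) -> bool:
    """True when a known hollowing target is a direct child of a script host."""
    child = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    return child in HOLLOW_TARGETS and parent in SCRIPT_HOSTS


def hosts_with_snake_ua(proxy_lines: List[str]) -> Set[str]:
    """Client IPs whose proxy requests carry the SnakeKeylogger User-Agent.
    Assumes the constructed 'client_ip<TAB>url<TAB>user_agent' layout."""
    hits = set()
    for line in proxy_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) == 3 and fields[2] == SNAKE_UA:
            hits.add(fields[0])
    return hits


# Constructed telemetry (not from the report's samples). build01 is a benign
# control: RegAsm.exe launched by a build tool should not fire the rule.
EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"),
    ProcessEvent("ws02", r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcessEvent("build01", r"C:\Program Files\MSBuild\msbuild.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]
PROXY_LOG = [
    "10.0.0.5\thttp://checkip.dyndns.org/\t" + SNAKE_UA,
    "10.0.0.9\thttps://example.com/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]


def flagged_hosts(events: List[ProcessEvent] = EVENTS) -> List[str]:
    """Hosts where a script host spawned one of the hollowing targets."""
    return [ev.host for ev in events if suspicious_hollow_spawn(ev)]


if __name__ == "__main__":
    print("hollowing candidates:", flagged_hosts())
    print("IE6 UA clients:", sorted(hosts_with_snake_ua(PROXY_LOG)))
```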

Short-term (1-2 weeks)

  • Deploy YARA rules keyed on the DEV.dll GUID (55bef816-ffb4-4b4a-a91c-15abf1e81cb2) and the SnakeKeylogger crypto class name (aaalogshsindgdaLogndta)
  • Review any hosts that contacted checkip.dyndns.org or reallyfreegeoip.org/xml/ -- these are standard SnakeKeylogger IP enumeration endpoints and should not appear in normal enterprise traffic
  • Monitor for new subdomains on kozow.com, duckdns.org, and dns.army that resolve to the same IP ranges
  • Submit IOCs to your organizational threat intelligence platform and any ISACs you participate in

Medium-term (1-3 months)

  • Enable PowerShell Constrained Language Mode and Script Block Logging across endpoints
  • Block WMI process creation from VBScript and JScript engines via attack surface reduction rules
  • Implement application control policies to prevent unauthorized .NET assembly loading from non-standard paths
  • Monitor Internet Archive downloads for files with executable content-types or PE headers disguised as images -- this staging technique will be reused

Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 2 dropper variants linked. 4 payload hashes extracted. 3 DDNS providers mapped. 1 operator with a timestamp problem. Classification: TLP:CLEAR
