PSLoramyra: Technical Analysis of Fileless Malware Loader
released on 2024-11-27 @ 03:11:32 PM
This analysis examines PSLoramyra, a fileless malware loader that uses PowerShell, VBS, and BAT scripts to inject and execute its payload directly in memory. The infection chain begins with an initial PowerShell script that writes three files: roox.ps1, roox.bat, and roox.vbs. The loader establishes persistence through Windows Task Scheduler, running roox.vbs every two minutes. PSLoramyra relies on stealthy execution techniques, including hidden windows and bypassing PowerShell's execution policy. The main payload is deobfuscated, loaded into memory using .NET Reflection, and executed via RegSvcs.exe. Because no payload is written to disk, PSLoramyra evades traditional file-based detection, making it a significant threat.
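A detection-side example, added here and not part of the original analysis: it walks a constructed set of process-creation events (PIDs, parent PIDs, command lines and file paths are invented for illustration) and flags any process whose ancestry combines several of the loader traits described above (script host launching a .vbs, .bat wrapper, execution-policy bypass, hidden window, reflective assembly load, RegSvcs.exe as host).

```python
import re

# Indicators derived from the PSLoramyra description. Patterns are applied
# case-insensitively to command lines (or script-block text, for the
# reflection indicator). PowerShell flag matching allows prefix forms such
# as -ex / -ep / -w that the PowerShell host also accepts.
INDICATORS = {
    "script_host_vbs":  r"\b(?:w|c)script\.exe\b.*\.vbs\b",
    "batch_wrapper":    r"\bcmd\.exe\b.*\.bat\b",
    "ps_policy_bypass": r"-(?:ex\w*|ep)\s+bypass\b",
    "ps_hidden_window": r"-(?:w\w*)\s+hidden\b",
    "reflection_load":  r"\[(?:system\.)?reflection\.assembly\]::load",
    "regsvcs_host":     r"\bregsvcs\.exe\b",
}

def match_indicators(cmdline):
    """Return the names of all indicators found in one command line."""
    return [name for name, pat in INDICATORS.items()
            if re.search(pat, cmdline, re.IGNORECASE)]

def find_chains(events, min_hits=3):
    """For each event, walk back through its parents and collect the
    distinct indicators seen along the ancestry. Return (pid, indicators)
    for every process whose chain reaches min_hits distinct indicators."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for e in events:
        hits, node, seen = set(), e, set()
        while node is not None and node["pid"] not in seen:
            seen.add(node["pid"])            # guard against PID reuse loops
            hits.update(match_indicators(node["cmdline"]))
            node = by_pid.get(node["ppid"])  # parent may be outside our window
        if len(hits) >= min_hits:
            flagged.append((e["pid"], sorted(hits)))
    return flagged

# Constructed sample telemetry (Sysmon Event ID 1 style); not real data.
# Chain: Task Scheduler -> wscript (roox.vbs) -> cmd (roox.bat)
#        -> powershell (roox.ps1, bypass + hidden) -> RegSvcs.exe
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "cmdline": r"svchost.exe -k netsvcs -s Schedule"},
    {"pid": 101, "ppid": 100, "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\roox.vbs"'},
    {"pid": 102, "ppid": 101, "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Roaming\roox.bat"'},
    {"pid": 103, "ppid": 102, "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\u\AppData\Roaming\roox.ps1"'},
    {"pid": 104, "ppid": 103, "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 200, "ppid": 1,   "cmdline": r"explorer.exe"},                                   # benign noise
    {"pid": 201, "ppid": 200, "cmdline": r'powershell.exe -NoProfile -File "C:\Scripts\backup.ps1"'},  # benign admin script
]

if __name__ == "__main__":
    for pid, hits in find_chains(SAMPLE_EVENTS):
        print(pid, hits)
```

Requiring several distinct indicators across the ancestry, rather than a single flag, keeps the ordinary `-File backup.ps1` process in the sample from being flagged while still catching the PowerShell and RegSvcs.exe stages of the chain.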