"cunning VBScript"
If Visual BASIC is your threat, then dump BASIC! As for hiding something within another process, that's sort of old hat. Also, for naming their files to "blend in" with Windows, what did they expect? A file name of "EvilL33tCodzHere.dll"? That's another trick that's very old hat.
Really, the only part here that required effort was the attackers writing their own in-memory loader. The rest of it was just going through the motions.
Biting the hand that feeds IT
