Mallory

Multi-stage malware delivery chains distributing XWorm and other RATs

Tags: malware delivery, xworm, multi-stage, process injection, phishing, loader, dll loader, securonix, shellcode, rat, asyncrat, explorer.exe, powershell
Updated March 6, 2026 at 05:06 PM. 2 sources.
Researchers reported evolving multi-stage, script-heavy infection chains used to deliver remote access trojans, including XWorm, AsyncRAT, and Xeno RAT. Securonix described a campaign dubbed VOID#GEIST that starts from phishing-delivered batch scripts fetched from TryCloudflare infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into explorer.exe using Early Bird APC injection, reducing disk artifacts and making each stage appear benign in isolation.

Separately, SANS ISC documented another XWorm wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., C:\Temp\ps_...ps1), decodes additional in-memory PowerShell, and uses a DLL exporting ProcessHollowing to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint 204[.]10[.]160[.]190:7003, mutex Cqu1F0NxohroKG5U, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
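The two chains above leave a handful of host-observable artifacts: a script host writing a `C:\Temp\ps_...ps1` file, PowerShell spawning a .NET compiler process, an `explorer.exe` started by a script or Python runtime (Early Bird APC injection creates its target as a new, suspended process), plus the fixed C2 endpoint and mutex quoted by SANS ISC. The following detector is an added example, not code from Mallory, Securonix or SANS ISC; it runs over constructed Sysmon-like event lines. The `key=value|key=value` log format, the field names, and the choice of `wscript.exe`/`cscript.exe` as script hosts and `csc.exe`/`vbc.exe` as the ".NET compiler process" are this example's assumptions.

```python
# Added example (not from the Mallory summary or the Securonix / SANS ISC reports):
# flag the observable artifacts of the described XWorm delivery chains in
# constructed, Sysmon-like event lines. Log format, field names and the
# script-host / compiler process names are assumptions made for this example.
import re


def refang(ioc: str) -> str:
    """Turn a defanged indicator (204[.]10[.]160[.]190) into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Indicators quoted in the SANS ISC write-up summarised above.
C2_ENDPOINTS = {refang("204[.]10[.]160[.]190:7003")}
MUTEX_NAMES = {"Cqu1F0NxohroKG5U"}

# Behavioural patterns drawn from the two chains described on the page.
TEMP_PS_SCRIPT = re.compile(r"^c:\\temp\\ps_[^\\]*\.ps1$", re.IGNORECASE)  # C:\Temp\ps_...ps1
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                  # hosts for the obfuscated JavaScript stage
SHELLS = {"powershell.exe", "pwsh.exe"}                         # PowerShell stages
SCRIPT_RUNTIMES = SHELLS | {"cmd.exe", "python.exe", "pythonw.exe"}  # batch + embedded Python (VOID#GEIST)
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}                       # assumption: the ".NET compiler process" that is hollowed


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def analyse(lines):
    """Return (rule, detail) findings for events matching the described tradecraft."""
    findings = []
    for ev in map(parse_event, lines):
        kind = ev.get("event")
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        if kind == "file_create" and image in SCRIPT_HOSTS and TEMP_PS_SCRIPT.match(ev.get("target", "")):
            findings.append(("temp_ps_script_dropped_by_script_host", ev["target"]))
        elif kind == "process_create" and image in SHELLS and parent in SCRIPT_HOSTS:
            findings.append(("shell_spawned_by_script_host", f"{parent} -> {image}"))
        elif kind == "process_create" and image in DOTNET_COMPILERS and parent in SHELLS:
            findings.append(("dotnet_compiler_spawned_by_shell", f"{parent} -> {image}"))
        elif kind == "process_create" and image == "explorer.exe" and parent in SCRIPT_RUNTIMES:
            # Early Bird APC injection starts its target as a new suspended process,
            # so an explorer.exe whose parent is a script or Python host is anomalous.
            findings.append(("explorer_started_by_script_runtime", f"{parent} -> {image}"))
        elif kind == "network_connect" and ev.get("dest") in C2_ENDPOINTS:
            findings.append(("known_c2_endpoint", ev["dest"]))
        elif kind == "mutex_create" and ev.get("name") in MUTEX_NAMES:
            findings.append(("known_mutex", ev["name"]))
    return findings


# Constructed sample telemetry: six events mirroring the described chains, then two benign ones.
SAMPLE_EVENTS = [
    r"event=file_create|image=C:\Windows\System32\wscript.exe|target=C:\Temp\ps_a1b2c3.ps1",
    r"event=process_create|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\System32\wscript.exe",
    r"event=process_create|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"event=mutex_create|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|name=Cqu1F0NxohroKG5U",
    r"event=network_connect|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|dest=204.10.160.190:7003",
    r"event=process_create|image=C:\Windows\explorer.exe|parent=C:\Users\victim\AppData\Local\Temp\py\python.exe",
    r"event=process_create|image=C:\Windows\explorer.exe|parent=C:\Windows\System32\userinit.exe",
    r"event=file_create|image=C:\Windows\System32\notepad.exe|target=C:\Temp\notes.txt",
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The hash and network indicators catch only this wave; the three parent-child rules are what survive the "frequently changing delivery techniques" the summary mentions, at the cost of occasional noise from developer machines that legitimately run `csc.exe`.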

Sources

March 4, 2026 at 12:00 AM

Related Stories

Multi-stage malware campaigns using fileless loaders, RATs, and evasion techniques

Multiple reports detail **distinct, unrelated malware families and delivery chains** rather than a single shared incident. One analysis covers **NotOpenClaw**, a Windows malware loader distributed via **fake “OpenClaw” installers** (including GitHub-hosted lures) and emphasizing **VM/sandbox evasion**; the sample analyzed was tagged with stealer-related indicators (e.g., VidarStealer) and was previously referenced in third-party reporting about fake OpenClaw installers deploying additional malware. Separate research describes two different fileless/backdoor operations: **HellsUchecker**, a small native x64 backdoor delivered through a **10-stage chain** beginning with a **ClickFix** fake Cloudflare CAPTCHA that tricks users into pasting an obfuscated Run command, using a LOLBin to fetch payloads over **finger (TCP/79)** and retrieving encrypted C2 configuration from a **BNB Smart Chain** smart contract ("EtherHiding"), culminating in an **in-memory** final payload using **Hell’s Gate** direct syscalls; and **GhostWeaver**, a **fileless PowerShell RAT** that selects persistence based on the installed AV product, uses **TLS over TCP/25658**, and relies on multiple **DGA** routines for delivery and C2. A separate brief reports the **VOID#GEIST** campaign delivering **XWorm**, **AsyncRAT**, and **Xeno RAT** via phishing, batch scripts from **TryCloudflare** domains, staged ZIP payloads, Python-based decryption/execution, and abuse of `AppInstallerPythonRedirector.exe` to facilitate additional RAT deployment.

5 days ago
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware

Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.

1 month ago
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains

Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.

1 month ago