Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving multi-stage, script-heavy infection chains used to deliver remote access trojans, including XWorm, AsyncRAT, and Xeno RAT. Securonix described a campaign dubbed VOID#GEIST that starts from phishing-delivered batch scripts fetched from TryCloudflare infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into explorer.exe using Early Bird APC injection, reducing disk artifacts and making each stage appear benign in isolation.
Separately, SANS ISC documented another XWorm wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., C:\Temp\ps_...ps1), decodes additional in-memory PowerShell, and uses a DLL exporting ProcessHollowing to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint 204[.]10[.]160[.]190:7003, mutex Cqu1F0NxohroKG5U, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Securonix discloses VOID#GEIST campaign delivering multiple RATs
Securonix Threat Research disclosed a multi-stage malware campaign dubbed VOID#GEIST that used phishing-delivered batch scripts, TryCloudflare-hosted infrastructure, staged Python components, and fileless shellcode execution via Early Bird APC injection into explorer.exe. The campaign was reported as delivering payloads associated with XWorm, Xeno RAT, and AsyncRAT, though specific victims were not identified.
XWorm 6.4 multi-stage campaign observed in the wild
A new XWorm malware wave was observed using an obfuscated JavaScript-to-PowerShell infection chain that staged additional payloads in memory and ultimately injected the XWorm client into the .NET compiler process. Analysis identified XWorm version 6.4, an install filename of "USB.exe," a mutex, an AES key, and a command-and-control endpoint at 204.10.160.190:7003.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multi-stage malware campaigns using fileless loaders, RATs, and evasion techniques
Multiple reports detail **distinct, unrelated malware families and delivery chains** rather than a single shared incident. One analysis covers **NotOpenClaw**, a Windows malware loader distributed via **fake “OpenClaw” installers** (including GitHub-hosted lures) and emphasizing **VM/sandbox evasion**; the sample analyzed was tagged with stealer-related indicators (e.g., VidarStealer) and was previously referenced in third-party reporting about fake OpenClaw installers deploying additional malware. Separate research describes two different fileless/backdoor operations: **HellsUchecker**, a small native x64 backdoor delivered through a **10-stage chain** beginning with a **ClickFix** fake Cloudflare CAPTCHA that tricks users into pasting an obfuscated Run command, using a LOLBin to fetch payloads over **finger (TCP/79)** and retrieving encrypted C2 configuration from a **BNB Smart Chain** smart contract ("EtherHiding"), culminating in an **in-memory** final payload using **Hell’s Gate** direct syscalls; and **GhostWeaver**, a **fileless PowerShell RAT** that selects persistence based on the installed AV product, uses **TLS over TCP/25658**, and relies on multiple **DGA** routines for delivery and C2. A separate brief reports the **VOID#GEIST** campaign delivering **XWorm**, **AsyncRAT**, and **Xeno RAT** via phishing, batch scripts from **TryCloudflare** domains, staged ZIP payloads, Python-based decryption/execution, and abuse of `AppInstallerPythonRedirector.exe` to facilitate additional RAT deployment.
Mar 21, 2026
XWorm campaigns used AMSI bypasses and linked malware delivery to carding operations
Researchers detailed two XWorm delivery operations that relied on multi-stage loaders, in-memory execution, and **AMSI bypasses** to evade detection. In one campaign attributed to **TAG-124**, compromised legitimate websites redirected selected victims into a PowerShell chain that patched `clr.dll` to disable `AmsiScanBuffer`, suppressed PowerShell history, disabled ETW, fingerprinted hosts, and pulled an XOR-encrypted payload from `sellmeyourbiz[.]com`, ultimately delivering **XWorm RAT**. Breakglass reported low initial detection rates and observed victim-specific beaconing under `/customers/`, with encoded host details including hostname, domain, username, process ID, campaign ID, and hardware UUID. A separate three-stage intrusion used a VBScript lure, `Projet20Immobilier.vbs`, masquerading as a French real-estate document to deploy **XWorm V5.6** through a .NET loader and process injection into `InstallUtil.exe`. Breakglass assessed the operator was likely Brazilian based on Portuguese-language code artifacts and found the same infrastructure also hosted a Portuguese carding marketplace, **Iluminat Store infosCC**, suggesting a vertically integrated criminal pipeline that steals credentials and payment data with XWorm and monetizes them directly through fraud services. The malware infrastructure included servers on DigitalOcean and Contabo, and the sample used the default XWorm encryption key `<123456789>`, exposing weak operator OPSEC despite capabilities that included keylogging, screenshot capture, DNS hijacking, persistence, and ransomware plugin support.
May 24, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026