Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving multi-stage, script-heavy infection chains used to deliver remote access trojans, including XWorm, AsyncRAT, and Xeno RAT. Securonix described a campaign dubbed VOID#GEIST that starts from phishing-delivered batch scripts fetched from TryCloudflare infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into explorer.exe using Early Bird APC injection, reducing disk artifacts and making each stage appear benign in isolation.
Separately, SANS ISC documented another XWorm wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., C:\Temp\ps_...ps1), decodes additional in-memory PowerShell, and uses a DLL exporting ProcessHollowing to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint 204[.]10[.]160[.]190:7003, mutex Cqu1F0NxohroKG5U, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
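Added example, not code from the SANS ISC or Securonix write-ups: a small Python triage filter that flags the XWorm chain summarized above using only the indicators the page quotes (the C:\Temp\ps_*.ps1 drop, the 204.10.160.190:7003 C2 endpoint, the mutex) plus one parent-child process rule. The JSON event schema, the constructed sample events, and modelling the ".NET compiler process" as csc.exe/vbc.exe spawned by PowerShell are assumptions.

```python
import json
import re

# Indicators quoted in the SANS ISC summary above (C2 re-fanged for matching).
C2_ENDPOINT = ("204.10.160.190", 7003)
XWORM_MUTEX = "Cqu1F0NxohroKG5U"
TEMP_PS_RE = re.compile(r"^C:\\Temp\\ps_[^\\]*\.ps1$", re.IGNORECASE)
# Assumption: the ".NET compiler process" is modelled as csc.exe/vbc.exe under PowerShell.
NET_COMPILERS = {"csc.exe", "vbc.exe"}


def classify(event: dict) -> list:
    """Return the rule names a single event trips (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "file_create" and TEMP_PS_RE.match(event.get("path", "")):
        hits.append("temp_powershell_script")
    if kind == "network" and (event.get("dst_ip"), event.get("dst_port")) == C2_ENDPOINT:
        hits.append("xworm_c2_endpoint")
    if kind == "mutex" and event.get("name") == XWORM_MUTEX:
        hits.append("xworm_mutex")
    if (kind == "process_create"
            and event.get("image", "").lower() in NET_COMPILERS
            and event.get("parent", "").lower() == "powershell.exe"):
        hits.append("powershell_spawns_dotnet_compiler")
    return hits


def triage(lines: list) -> dict:
    """Group tripped rules by host (order preserved, no duplicates)."""
    findings = {}
    for line in lines:
        ev = json.loads(line)
        for rule in classify(ev):
            bucket = findings.setdefault(ev["host"], [])
            if rule not in bucket:
                bucket.append(rule)
    return findings


# Constructed sample telemetry: WS01 shows the full chain, WS02 only look-alikes.
SAMPLE_EVENTS = [
    '{"host":"WS01","type":"file_create","path":"C:\\\\Temp\\\\ps_4f2a.ps1"}',
    '{"host":"WS01","type":"process_create","image":"csc.exe","parent":"powershell.exe"}',
    '{"host":"WS01","type":"mutex","name":"Cqu1F0NxohroKG5U"}',
    '{"host":"WS01","type":"network","dst_ip":"204.10.160.190","dst_port":7003}',
    '{"host":"WS02","type":"process_create","image":"csc.exe","parent":"msbuild.exe"}',
    '{"host":"WS02","type":"network","dst_ip":"204.10.160.190","dst_port":443}',
]
```

Calling `triage(SAMPLE_EVENTS)` returns only WS01, with all four rules tripped; WS02's csc.exe under msbuild.exe and its port-443 connection to the same IP are deliberately left unflagged so the rules stay tied to the reported chain.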
Timeline
Mar 6, 2026
Securonix discloses VOID#GEIST campaign delivering multiple RATs
Securonix Threat Research disclosed a multi-stage malware campaign dubbed VOID#GEIST that used phishing-delivered batch scripts, TryCloudflare-hosted infrastructure, staged Python components, and fileless shellcode execution via Early Bird APC injection into explorer.exe. The campaign was reported as delivering payloads associated with XWorm, Xeno RAT, and AsyncRAT, though specific victims were not identified.
Mar 4, 2026
XWorm 6.4 multi-stage campaign observed in the wild
A new XWorm malware wave was observed using an obfuscated JavaScript-to-PowerShell infection chain that staged additional payloads in memory and ultimately injected the XWorm client into the .NET compiler process. Analysis identified XWorm version 6.4, an install filename of "USB.exe," a mutex, an AES key, and a command-and-control endpoint at 204.10.160.190:7003.
Related Stories

Multi-stage malware campaigns using fileless loaders, RATs, and evasion techniques
Multiple reports detail **distinct, unrelated malware families and delivery chains** rather than a single shared incident. One analysis covers **NotOpenClaw**, a Windows malware loader distributed via **fake “OpenClaw” installers** (including GitHub-hosted lures) and emphasizing **VM/sandbox evasion**; the sample analyzed was tagged with stealer-related indicators (e.g., VidarStealer) and was previously referenced in third-party reporting about fake OpenClaw installers deploying additional malware. Separate research describes two different fileless/backdoor operations: **HellsUchecker**, a small native x64 backdoor delivered through a **10-stage chain** beginning with a **ClickFix** fake Cloudflare CAPTCHA that tricks users into pasting an obfuscated Run command, using a LOLBin to fetch payloads over **finger (TCP/79)** and retrieving encrypted C2 configuration from a **BNB Smart Chain** smart contract ("EtherHiding"), culminating in an **in-memory** final payload using **Hell’s Gate** direct syscalls; and **GhostWeaver**, a **fileless PowerShell RAT** that selects persistence based on the installed AV product, uses **TLS over TCP/25658**, and relies on multiple **DGA** routines for delivery and C2. A separate brief reports the **VOID#GEIST** campaign delivering **XWorm**, **AsyncRAT**, and **Xeno RAT** via phishing, batch scripts from **TryCloudflare** domains, staged ZIP payloads, Python-based decryption/execution, and abuse of `AppInstallerPythonRedirector.exe` to facilitate additional RAT deployment.
1 month ago
XWorm campaigns used AMSI bypasses and linked malware delivery to carding operations
Researchers detailed two XWorm delivery operations that relied on multi-stage loaders, in-memory execution, and **AMSI bypasses** to evade detection. In one campaign attributed to **TAG-124**, compromised legitimate websites redirected selected victims into a PowerShell chain that patched `clr.dll` to disable `AmsiScanBuffer`, suppressed PowerShell history, disabled ETW, fingerprinted hosts, and pulled an XOR-encrypted payload from `sellmeyourbiz[.]com`, ultimately delivering **XWorm RAT**. Breakglass reported low initial detection rates and observed victim-specific beaconing under `/customers/`, with encoded host details including hostname, domain, username, process ID, campaign ID, and hardware UUID. A separate three-stage intrusion used a VBScript lure, `Projet20Immobilier.vbs`, masquerading as a French real-estate document to deploy **XWorm V5.6** through a .NET loader and process injection into `InstallUtil.exe`. Breakglass assessed the operator was likely Brazilian based on Portuguese-language code artifacts and found the same infrastructure also hosted a Portuguese carding marketplace, **Iluminat Store infosCC**, suggesting a vertically integrated criminal pipeline that steals credentials and payment data with XWorm and monetizes them directly through fraud services. The malware infrastructure included servers on DigitalOcean and Contabo, and the sample used the default XWorm encryption key `<123456789>`, exposing weak operator OPSEC despite capabilities that included keylogging, screenshot capture, DNS hijacking, persistence, and ransomware plugin support.
1 week ago
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
1 month ago