VOID#GEIST Malware Campaign Uses Multi-Stage Attack Chain to Deliver RATs
#Security


Security Reporter
3 min read

A sophisticated malware campaign dubbed VOID#GEIST employs obfuscated batch scripts, PowerShell, and legitimate Python runtimes to deliver multiple RAT payloads including XWorm, AsyncRAT, and Xeno RAT through stealthy fileless execution.

Cybersecurity researchers have uncovered a sophisticated multi-stage malware campaign that uses obfuscated batch scripts as a pathway to deliver encrypted remote access trojans (RATs) including XWorm, AsyncRAT, and Xeno RAT. The stealthy attack chain, codenamed VOID#GEIST by Securonix Threat Research, represents a significant evolution in malware delivery techniques.


Sophisticated Attack Architecture

The campaign employs a complex, script-based delivery framework that mimics legitimate user activity to evade detection. Rather than deploying traditional executable files, attackers leverage a modular pipeline comprising:

  • Batch scripts for orchestration
  • PowerShell for stealthy staging
  • Legitimate embedded runtimes for portability
  • Raw shellcode executed directly in memory

This fileless execution mechanism minimizes disk-based detection opportunities, allowing threat actors to operate within compromised systems without triggering security alerts. The approach offers an additional advantage: individual stages appear harmless in isolation and resemble regular administrative activity.

Attack Chain Breakdown

The infection begins when victims receive phishing emails containing a batch script fetched from a TryCloudflare domain. Once launched, the script deliberately avoids privilege escalation and operates within the current user's permissions to establish an initial foothold.

Initial Stage Deception

The first stage serves as a launchpad to display a decoy PDF by launching Google Chrome in full-screen mode. This financial document or invoice serves as a visual distraction while malicious activities occur behind the scenes. The script then re-executes itself using PowerShell with the -WindowStyle Hidden parameter to avoid displaying a console window.

To ensure persistence across reboots, an auxiliary batch script is placed in the Windows user's Startup directory. This persistence method is intentionally designed to operate within the current user's privilege context, avoiding system-wide registry modifications or scheduled tasks that could trigger security alerts.

Payload Staging and Delivery

The malware then reaches out to a TryCloudflare domain to fetch ZIP archives containing multiple files:

  • runn.py - Python-based loader script for decrypting and injecting shellcode
  • new.bin - Encrypted XWorm shellcode payload
  • xn.bin - Encrypted Xeno RAT shellcode payload
  • pul.bin - Encrypted AsyncRAT shellcode payload
  • a.json, n.json, p.json - Decryption keys

Legitimate Tool Abuse

A key aspect of the campaign is the deployment of a legitimate embedded Python runtime directly from python[.]org. This eliminates dependency on system-installed Python and transforms the malware into a fully self-contained execution environment.

The Python runtime launches runn.py, which decrypts and runs the XWorm payload using Early Bird Asynchronous Procedure Call (APC) injection. The malware also abuses a legitimate Microsoft binary, AppInstallerPythonRedirector.exe, to invoke Python and launch Xeno RAT. Finally, the same injection mechanism deploys AsyncRAT.

Detection and Mitigation

From a detection standpoint, repeated process injection into explorer.exe within short time windows serves as a strong behavioral indicator that correlates across attack stages. Security teams should monitor for:

  • Unusual PowerShell execution patterns
  • Unexpected process injection into explorer.exe
  • Network connections to TryCloudflare domains
  • Legitimate binaries being abused to launch malicious code
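An added example of how the indicators above can be correlated (this code is not from the article or from Securonix): it runs over constructed Sysmon-style events, and the field names and event layout are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events, not real telemetry; the field names are an assumption
# mirroring Sysmon Event IDs 1 (ProcessCreate), 3 (NetworkConnect) and 8 (CreateRemoteThread).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:02", "id": 1, "image": "powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "cmd /c C:\\Users\\u\\inv.bat"'},
    {"ts": "2024-01-01T10:00:05", "id": 3, "image": "powershell.exe",
     "dest_host": "example-tunnel.trycloudflare.com"},
    {"ts": "2024-01-01T10:00:20", "id": 8, "source_image": "python.exe", "target_image": "explorer.exe"},
    {"ts": "2024-01-01T10:00:25", "id": 8, "source_image": "AppInstallerPythonRedirector.exe",
     "target_image": "explorer.exe"},
    {"ts": "2024-01-01T10:00:31", "id": 8, "source_image": "python.exe", "target_image": "explorer.exe"},
    {"ts": "2024-01-01T11:30:00", "id": 1, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
]
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)  # also catches "-w h"

def hidden_powershell(events):
    """Stage one re-executes itself through PowerShell with -WindowStyle Hidden."""
    return [e for e in events if e["id"] == 1 and e["image"].lower() == "powershell.exe"
            and HIDDEN_RE.search(e.get("cmdline", ""))]

def trycloudflare_connections(events):
    """Payload staging fetches ZIP archives from *.trycloudflare.com hosts."""
    return [e for e in events if e["id"] == 3
            and e.get("dest_host", "").lower().endswith(".trycloudflare.com")]

def explorer_injection_bursts(events, window=timedelta(seconds=60), min_count=2):
    """Cluster CreateRemoteThread events into explorer.exe that fall within `window`."""
    hits = sorted((datetime.fromisoformat(e["ts"]), e["source_image"]) for e in events
                  if e["id"] == 8 and e["target_image"].lower() == "explorer.exe")
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1  # extend the burst while events stay inside the window
        if j - i + 1 >= min_count:
            bursts.append({"start": hits[i][0].isoformat(), "count": j - i + 1,
                           "sources": sorted({s for _, s in hits[i:j + 1]})})
        i = j + 1
    return bursts

def assess(events):
    """Combine the indicators; any two together are worth an alert, one alone is noisy."""
    findings = {"hidden_powershell": len(hidden_powershell(events)),
                "trycloudflare": len(trycloudflare_connections(events)),
                "explorer_injection_bursts": len(explorer_injection_bursts(events))}
    findings["alert"] = sum(1 for v in findings.values() if v) >= 2
    return findings
```

The benign `Get-Process` event is deliberately left unflagged; thresholds such as the 60-second window are starting points to tune against your own baseline.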

The campaign demonstrates how modern malware increasingly shifts toward complex, script-based delivery frameworks that closely mimic legitimate user activity, making traditional signature-based detection less effective.

While the specific targets of the attack remain unknown, the modular architecture allows attackers to deploy components incrementally, improving flexibility and resilience. The campaign highlights the ongoing evolution of malware delivery techniques and the need for advanced behavioral detection capabilities to identify these sophisticated threats.
