    Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

    By admin, March 6, 2026

    Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver encrypted remote access trojan (RAT) payloads corresponding to XWorm, AsyncRAT, and Xeno RAT.

    The stealthy attack chain has been codenamed VOID#GEIST by Securonix Threat Research.

    At a high level, the obfuscated batch script is used to deploy a second batch script, stage a legitimate embedded Python runtime, and decrypt encrypted shellcode blobs, which are executed directly in memory by injecting them into separate instances of “explorer.exe” using a technique called Early Bird Asynchronous Procedure Call (APC) injection.

    “Modern malware campaigns increasingly shift from standalone executables toward complex, script-based delivery frameworks that closely mimic legitimate user activity,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News.

    “Rather than deploying traditional PE binaries, attackers leverage modular pipelines comprising batch scripts for orchestration, PowerShell for stealthy staging, legitimate embedded runtimes for portability, and raw shellcode executed directly in memory for persistence and control.”

    This fileless execution mechanism minimizes disk-based detection opportunities, thereby allowing the threat actors to operate within compromised systems without triggering security alerts. What’s more, the approach offers an extra advantage in that these individual stages appear harmless in isolation and resemble regular administrative activity.

    The starting point of the attack is a batch script that’s fetched from a TryCloudflare domain and distributed via phishing emails. Once launched, it deliberately avoids taking steps to escalate privileges and leverages the permission rights of the currently logged-in user to establish an initial foothold, while blending into seemingly innocuous administrative operations.

    The initial stage serves as a launchpad to display a decoy PDF by launching Google Chrome in full-screen. The displayed financial document or invoice serves as a visual distraction to conceal what’s happening behind the scenes. This includes launching a PowerShell command that re-executes the original batch script with the -WindowStyle Hidden parameter so that no console window is displayed.

    To ensure persistence across system reboots, an auxiliary batch script is placed in the Windows user’s Startup directory so that it’s automatically executed every time the victim logs in to the system. The absence of more intrusive persistence methods is intentional, as it reduces the forensic footprint.

    “Technically, this persistence method operates entirely within the current user’s privilege context. It does not modify system-wide registry keys, create scheduled tasks, or install services,” the researchers said. “Instead, it relies on standard user-level startup behavior, which requires no elevation and generates minimal security friction. This design choice reduces the likelihood of triggering privilege escalation prompts or registry-monitoring alerts.”

    The next phase begins with the malware reaching out to a TryCloudflare domain to fetch additional payloads in the form of ZIP archives that contain multiple files:

    • runn.py, a Python-based loader script responsible for decrypting and injecting encrypted shellcode payload modules into memory
    • new.bin, an encrypted shellcode payload corresponding to XWorm
    • xn.bin, an encrypted shellcode payload corresponding to Xeno RAT
    • pul.bin, an encrypted shellcode payload corresponding to AsyncRAT
    • a.json, n.json, and p.json, key files containing the decryption keys required by the Python loader to dynamically decrypt the shellcode at runtime

    Once the files are extracted, the attack sequence deploys a legitimate embedded Python runtime downloaded directly from python[.]org. This step offers several advantages. For starters, it eliminates any dependency on a Python installation on the host. As a result, the malware can continue to operate even if the infected endpoint does not have Python installed.

    “From the attacker’s perspective, the objectives of this stage are portability, reliability, and stealth,” Securonix said. “By embedding a legitimate interpreter into the staging directory, the malware transforms itself into a fully self-contained execution environment capable of decrypting and injecting payload modules without relying on external system components.”

    The main goal of the attack is to leverage the Python runtime to launch “runn.py,” which then decrypts and runs the XWorm payload using Early Bird APC injection. The malware also makes use of a legitimate Microsoft binary, “AppInstallerPythonRedirector.exe,” to invoke Python and launch Xeno RAT. In the last stage, the Python loader uses the same injection mechanism to launch AsyncRAT.

    The infection chain culminates with the malware transmitting a minimal HTTP beacon back to attacker-controlled C2 infrastructure hosted on TryCloudflare to confirm the digital break-in. It’s currently not known who the targets of the attack were, or whether there have been any successful compromises.

    “This repeated injection pattern reinforces the modular architecture of the framework. Instead of delivering a single monolithic payload, the attacker deploys components incrementally, improving flexibility and resilience,” Securonix said. “From a detection standpoint, repeated process injection into explorer.exe within short time windows is a strong behavioral indicator that correlates across stages of the attack.”
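    The behavioral indicator Securonix describes above can be expressed as a simple correlation rule. The following is an added example and not code from the report or the campaign: it parses constructed sample telemetry (the pipe-delimited format, paths, user name and timestamps are invented here, and the APC queue call is assumed to be logged as QueueUserAPC) and flags any source image that injects into explorer.exe more than once inside a five-minute window, noting whether that source runs from a user-writable directory, as a staged Python runtime would.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that place code in another process (Early Bird APC shows as QueueUserAPC).
INJECTION_OPS = {"QueueUserAPC", "CreateRemoteThread", "NtMapViewOfSection"}
# Path fragments a standard user can write to without elevation (lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Constructed sample telemetry, "ts|source_image|target_image|operation"; paths,
# user name and times are invented for this example, not campaign indicators.
SAMPLE_LOG = r"""
2026-03-06T10:00:01|C:\Users\victim\AppData\Local\Temp\stage\python.exe|C:\Windows\explorer.exe|QueueUserAPC
2026-03-06T10:00:09|C:\Users\victim\AppData\Local\Temp\stage\python.exe|C:\Windows\explorer.exe|QueueUserAPC
2026-03-06T10:00:20|C:\Users\victim\AppData\Local\Temp\stage\python.exe|C:\Windows\explorer.exe|QueueUserAPC
2026-03-06T10:40:00|C:\Program Files\Vendor\agent.exe|C:\Windows\explorer.exe|QueueUserAPC
2026-03-06T11:30:00|C:\Windows\System32\svchost.exe|C:\Windows\explorer.exe|OpenProcess
"""

def parse_events(log_text):
    """Turn the pipe-delimited lines into (datetime, source, target, op) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, op = line.split("|")
        events.append((datetime.fromisoformat(ts), src, dst, op))
    return events

def find_repeated_explorer_injection(events, window=timedelta(minutes=5), threshold=2):
    """Alert on a source image that injects into explorer.exe `threshold` or more
    times inside a sliding `window`; returns one alert dict per offending source."""
    per_source = defaultdict(list)
    for ts, src, dst, op in events:
        if dst.lower().endswith("\\explorer.exe") and op in INJECTION_OPS:
            per_source[src].append(ts)
    alerts = []
    for src, times in per_source.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                staged = any(f in src.lower() for f in USER_WRITABLE)  # runtime in a user dir?
                alerts.append({"source": src, "injections": len(times),
                               "first_seen": times[start].isoformat(),
                               "user_writable_source": staged})
                break
    return alerts
```

The single benign `agent.exe` injection and the plain `OpenProcess` from `svchost.exe` do not trigger, while the three APC queues from the staged interpreter do.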
