VOID#GEIST: Multi‑Stage Malware Framework Delivering XWorm, AsyncRAT, and Xeno RAT

March 7, 2026 Faeem BLOGS 0

Researchers at Securonix Threat Research have uncovered a multi‑stage malware campaign dubbed VOID#GEIST, which uses obfuscated batch scripts and embedded runtimes to deliver encrypted payloads of XWorm, AsyncRAT, and Xeno RAT. The attack chain highlights how adversaries are evolving beyond traditional executables toward modular, script‑based frameworks that mimic legitimate administrative activity.

Attack Chain Overview

  1. Initial foothold:
    • Batch script fetched from a TryCloudflare domain via phishing emails.
    • Displays a decoy PDF in Chrome full‑screen to distract the user.
    • Re‑executes itself via hidden PowerShell commands.
  2. Persistence:
    • Auxiliary batch script placed in the user’s Startup directory.
    • Operates entirely within user‑level privileges, avoiding registry or scheduled task modifications.
  3. Payload staging:
    • Fetches ZIP archives containing:
      • runn.py (Python loader).
      • Encrypted shellcode blobs (new.bin, xn.bin, pul.bin).
      • JSON key files for decryption.
    • Deploys a legitimate embedded Python runtime from python[.]org for portability.
  4. Execution:
    • XWorm: Decrypted and injected via Early Bird APC into explorer.exe.
    • Xeno RAT: Launched using Microsoft’s AppInstallerPythonRedirector.exe.
    • AsyncRAT: Injected with the same APC technique.
  5. Beaconing:
    • Minimal HTTP beacon sent to attacker C2 infrastructure hosted on TryCloudflare.

Why It Matters

  • Fileless execution: Payloads run entirely in memory, minimizing disk artifacts.
  • Legitimacy abuse: Uses trusted binaries (Python runtime, AppInstaller) to blend in.
  • Stealth persistence: User‑level startup scripts avoid privilege escalation prompts.
  • Modular design: Incremental payload delivery improves resilience and detection evasion.

Defensive Recommendations

  • Behavioral monitoring: Watch for repeated process injection into explorer.exe.
  • Cloud domain filtering: Inspect traffic to TryCloudflare domains for anomalies.
  • Startup directory audits: Check for unauthorized batch scripts.
  • Runtime validation: Flag unexpected embedded Python interpreters.
  • User awareness: Train staff to recognize phishing lures disguised as invoices or financial documents.

Final Thought

VOID#GEIST demonstrates how attackers are weaponizing legitimate runtimes and modular pipelines to evade detection. For IT leaders, the lesson is clear: detection must move beyond static signatures to behavioral correlation across multiple stages of an attack chain.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.