Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
Stealthy Malware Campaign Exploits Python Runtime to Deliver Encrypted RATs via Multi-Stage Script-Based Attack Chain
In a chilling new wave of cyber espionage, cybersecurity researchers have uncovered a sophisticated, multi-stage malware campaign dubbed VOID#GEIST by Securonix Threat Research. This stealthy attack chain leverages obfuscated batch scripts to deploy encrypted remote access trojans (RATs), including XWorm, AsyncRAT, and Xeno RAT, bypassing traditional detection methods with surgical precision.
The campaign’s ingenuity lies in its fileless execution mechanism, which minimizes disk-based detection opportunities and allows threat actors to operate within compromised systems without triggering security alerts. By mimicking legitimate user activity, the malware blends seamlessly into seemingly innocuous administrative operations, making it a formidable adversary for even the most vigilant organizations.
The Anatomy of the Attack
The attack begins with a batch script fetched from a TryCloudflare domain and distributed via phishing emails. Once launched, the script deliberately avoids escalating privileges, instead running with the permissions of the currently logged-in user to establish an initial foothold. This approach not only reduces the likelihood of triggering security alerts but also ensures the malware operates within the user’s context, leaving minimal forensic footprints.
To distract victims, the script launches Google Chrome in full-screen mode to display a decoy PDF—often a financial document or invoice. This visual distraction conceals the malicious activity occurring in the background, such as re-executing the batch script using PowerShell with the -WindowStyle Hidden parameter to avoid displaying a console window.
Persistence and Staging
To ensure persistence across system reboots, an auxiliary batch script is placed in the Windows user’s Startup directory. This method operates entirely within the current user’s privilege context, avoiding system-wide registry modifications, scheduled tasks, or service installations. By relying on standard user-level startup behavior, the malware generates minimal security friction and reduces the likelihood of triggering privilege escalation prompts or registry-monitoring alerts.
The next phase involves fetching additional payloads from a TryCloudflare domain in the form of ZIP archives. These archives contain multiple files, including:
- runn.py: A Python-based loader script responsible for decrypting and injecting encrypted shellcode payload modules into memory.
- new.bin: An encrypted shellcode payload corresponding to XWorm.
- xn.bin: An encrypted shellcode payload corresponding to Xeno RAT.
- pul.bin: An encrypted shellcode payload corresponding to AsyncRAT.
- a.json, n.json, and p.json: Key files containing decryption keys required by the Python loader to dynamically decrypt the shellcode at runtime.
Leveraging Legitimate Python Runtime
The attack sequence deploys a legitimate embedded Python runtime downloaded directly from python[.]org, eliminating any dependency on a Python installation already present on the victim system. This step offers several advantages: it turns the malware into a fully self-contained execution environment, capable of decrypting and injecting payload modules without relying on external system components. From the attacker’s perspective, the objectives of this stage are portability, reliability, and stealth.
The main goal of the attack is to leverage the Python runtime to launch “runn.py,” which then decrypts and runs the XWorm payload using Early Bird APC injection. The malware also makes use of a legitimate Microsoft binary, “AppInstallerPythonRedirector.exe,” to invoke Python and launch Xeno RAT. In the final stage, the Python loader uses the same injection mechanism to launch AsyncRAT.
Modular Architecture and Detection Challenges
The infection chain culminates with the malware transmitting a minimal HTTP beacon back to attacker-controlled C2 infrastructure hosted on TryCloudflare to confirm the compromise. While the targets of the attack remain unknown, the campaign’s modular architecture offers significant advantages to the attackers. Instead of delivering a single monolithic payload, the attacker deploys components incrementally, improving flexibility and resilience.
From a detection standpoint, repeated process injection into explorer.exe within short time windows is a strong behavioral indicator that correlates across stages of the attack. However, the malware’s ability to mimic legitimate user activity and operate within the user’s context makes it a formidable adversary for traditional security measures.
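The behavioral indicator above can be turned into a simple correlation rule. The following is an added illustration, not Securonix's detection content or code from the campaign: it reads constructed, simplified Sysmon Event ID 8 (CreateRemoteThread) records and raises one alert per burst of injections into explorer.exe within a short window, flagging bursts where the source is the embedded Python interpreter (assumed here to be named python.exe) or the AppInstallerPythonRedirector.exe binary named in the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a simplified key=value rendering of Sysmon Event ID 8;
# paths and timestamps are made up, and real Sysmon output is XML, not this format.
SAMPLE_EVENTS = """\
UtcTime=2025-01-10 09:00:01 EventId=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\explorer.exe
UtcTime=2025-01-10 09:12:05 EventId=8 SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe TargetImage=C:\\Windows\\explorer.exe
UtcTime=2025-01-10 09:12:31 EventId=8 SourceImage=C:\\Users\\u\\AppData\\Local\\Microsoft\\WindowsApps\\AppInstallerPythonRedirector.exe TargetImage=C:\\Windows\\explorer.exe
UtcTime=2025-01-10 09:13:02 EventId=8 SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe TargetImage=C:\\Windows\\explorer.exe
UtcTime=2025-01-10 09:45:00 EventId=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\notepad.exe
"""

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # a value runs until the next key=
# Stage launchers named on the page: the embedded Python interpreter (python.exe is
# assumed as its file name) and the Microsoft redirector binary used to invoke it.
STAGE_LAUNCHERS = {"python.exe", "appinstallerpythonredirector.exe"}


def parse_line(line):
    return dict(FIELD_RE.findall(line))  # values such as UtcTime may contain spaces


def find_injection_clusters(log_text, target="explorer.exe",
                            window=timedelta(minutes=2), min_events=2):
    """One alert per cluster of >= min_events CreateRemoteThread events into
    `target` whose timestamps all fall within `window` of the first one."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("EventId") != "8":
            continue
        if not rec.get("TargetImage", "").lower().endswith("\\" + target):
            continue
        when = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append((when, rec["SourceImage"].rsplit("\\", 1)[-1].lower()))
    events.sort()
    alerts, i = [], 0
    while i < len(events):
        start, j = events[i][0], i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        cluster = events[i:j]
        if len(cluster) >= min_events:
            sources = sorted({src for _, src in cluster})
            alerts.append({"start": start, "count": len(cluster), "sources": sources,
                           "stage_launcher_seen": any(s in STAGE_LAUNCHERS for s in sources)})
            i = j  # report the cluster once, then continue after it
        else:
            i += 1  # a lone injection is ordinary OS noise, no alert
    return alerts
```

On the constructed sample the lone svchost.exe event is ignored, while the three injections between 09:12:05 and 09:13:02 produce a single alert that names both stage launchers.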
Conclusion
The VOID#GEIST campaign represents a new frontier in malware delivery, leveraging script-based frameworks, legitimate embedded runtimes, and fileless execution to evade detection. As attackers continue to refine their techniques, organizations must adopt a multi-layered defense strategy, combining behavioral analysis, endpoint detection and response (EDR), and user education to mitigate the risks posed by such sophisticated threats.
Tags: #Malware #Cybersecurity #RATs #VOIDGEIST #XWorm #AsyncRAT #XenoRAT #FilelessMalware #PythonRuntime #Phishing #CyberEspionage #ThreatResearch #Securonix #TryCloudflare #APCInjection #EarlyBirdInjection #StealthyMalware #CyberAttack #SecurityAlert #DigitalThreat #CyberDefense #MalwareAnalysis #CyberSecurityNews
Viral Phrases:
- “Stealthy malware campaign delivers encrypted RATs via multi-stage script-based attack chain”
- “Fileless execution mechanism minimizes disk-based detection opportunities”
- “Mimicking legitimate user activity to evade security alerts”
- “Modular architecture improves flexibility and resilience of malware”
- “Repeated process injection into explorer.exe as a strong behavioral indicator”
- “Leveraging legitimate Python runtime for portability and stealth”
- “Phishing emails as the initial vector for sophisticated cyber attacks”
- “Encrypted shellcode payloads corresponding to XWorm, AsyncRAT, and Xeno RAT”
- “Early Bird APC injection technique for memory-based execution”
- “Minimal HTTP beacon confirms digital break-in to attacker-controlled C2”
- “Self-contained execution environment capable of decrypting and injecting payload modules”
- “Reduced forensic footprint through user-level persistence methods”
- “Visual distraction via decoy PDFs conceals malicious background activity”
- “Incremental deployment of components improves malware resilience”
- “Behavioral analysis and EDR essential for detecting sophisticated threats”