VOID#GEIST Multi-Stage Malware Campaign Spreads XWorm, AsyncRAT, and Xeno RAT
In a cunning evolution of cyber threats, the VOID#GEIST campaign uses an obfuscated batch script to unleash XWorm, AsyncRAT, and Xeno RAT via encrypted shellcode.
Securonix Threat Research uncovered a multi-stage intrusion that dodges detection by remaining fileless and mimicking legitimate Windows activity. Attackers embed a real Python runtime, decrypt payloads in memory, and inject them into explorer.exe, leaving no disk traces for antivirus to spot.
This isn’t your average malware drop. VOID#GEIST blends batch scripts, PowerShell, and trusted tools into a modular chain that looks like routine admin work.
It starts with a simple "non.bat" file, often fetched from TryCloudflare-hosted sites such as staying-heavily-meaning-blowing.trycloudflare[.]com, and ends with full remote control, data theft, and persistence, all without tripping basic defenses.
- Script-Led Delivery: Kicks off with non.bat and drops spol.bat into the Startup folder for reboot survival; no admin rights needed.
- Legit Python Embed: Downloads python-3.10.0-embed-amd64.zip from python.org as a portable interpreter, so the chain does not depend on Python already being installed.
- Encrypted Shellcode: new.bin (XWorm), pul.bin (AsyncRAT) and xn.bin (XenoRAT) are decrypted with XOR keys from a.json, p.json and n.json; the plaintext never hits disk.
- Fileless Injection: Early Bird APC queues the shellcode into suspended explorer.exe instances, so it executes before user-mode hooks are in place.
- C2 Beacon: Lightweight “status=success” POST to TryCloudflare confirms compromise.
These moves make VOID#GEIST a nightmare for signature-based tools, as each piece alone seems harmless.
It begins innocently: cmd.exe /c non.bat runs the orchestrator. First, a decoy Chrome window opens a fake PDF invoice from ihk[.]de, maximized to hold the user's attention, while a hidden PowerShell relaunches non.bat with -WindowStyle Hidden.
Next comes persistence: curl silently drops spol.bat into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\. Then payload bundles such as 01.zip land in %TEMP%, where they unpack into runn.py loaders and encrypted .bin files.
The Python stage is the core: the official runtime is extracted, then python runn.py -p new.bin -k a.json decrypts XWorm's 1.1MB shellcode in RAM. Nothing is written to disk; the buffer goes straight into Early Bird APC injection:
- CreateProcessW(explorer.exe, CREATE_SUSPENDED)
- VirtualAllocEx(PAGE_EXECUTE_READWRITE)
- WriteProcessMemory(shellcode)
- QueueUserAPC()
- ResumeThread()
XWorm activates for keylogging, webcam spying, and credential theft. XenoRAT follows with its own unpacking chain (layered XOR with keys from x.txt, SHA-256 checks, zlib decompression) and then the identical injection, adding file manipulation and clipboard grabbing. AsyncRAT's lighter pul.bin slots in as a plugin for additional command execution.
Throttling with timeout /t 5 spaces out the bursts to evade sandboxes. A final curl POST beacons success, and spol.bat repeats the injections on every login as a redundant persistence check.
Hijacking explorer.exe at this early point runs the payload before EDR user-mode hooks are loaded. A separate instance per RAT adds resilience: if one dies, the others live on. With no PE files on disk, forensic investigators must hunt for memory ghosts, according to Securonix.
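To make the in-memory decrypt stage concrete, here is an added illustration of the unpacking chain the report describes for the .bin payloads (XOR layers keyed from a JSON/text file, a SHA-256 integrity check, zlib decompression). This is not Securonix's code and not the campaign's runn.py: the key-file layout ({"keys": [...], "sha256": ...}), the order of the layers, the field names and the sample payload are all assumptions made for the example, and the "payload" is an arbitrary byte pattern, not shellcode.

```python
import hashlib
import json
import zlib


def xor_bytes(data, key):
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_payload(payload, keys):
    """Constructed packer for the ASSUMED on-disk format:
    zlib -> SHA-256 of the compressed bytes -> XOR layers applied in list order.
    Returns (blob, key_json) so the reader can build test fixtures."""
    compressed = zlib.compress(payload)
    blob = compressed
    for key in keys:
        blob = xor_bytes(blob, key)
    key_json = json.dumps({"keys": [k.hex() for k in keys],
                           "sha256": hashlib.sha256(compressed).hexdigest()})
    return blob, key_json


def unpack_payload(blob, key_json):
    """Reverse pack_payload entirely in memory: peel the XOR layers in reverse
    order, verify the digest BEFORE trusting the bytes, then decompress."""
    cfg = json.loads(key_json)  # assumed layout: {"keys": [hex, ...], "sha256": hex}
    keys = [bytes.fromhex(k) for k in cfg["keys"]]
    data = blob
    for key in reversed(keys):
        data = xor_bytes(data, key)
    if hashlib.sha256(data).hexdigest() != cfg["sha256"]:
        raise ValueError("SHA-256 mismatch: wrong key material or tampered blob")
    return zlib.decompress(data)


# Constructed stand-in for a payload: a recognisable byte pattern, not real shellcode.
SAMPLE_PAYLOAD = b"\x90" * 64 + bytes(range(256)) * 8
SAMPLE_KEYS = [b"\x5a\xa5\x3c", bytes.fromhex("deadbeefcafe")]  # two XOR layers


def round_trip():
    """Pack the sample with two XOR layers and recover it; True on success."""
    blob, key_json = pack_payload(SAMPLE_PAYLOAD, SAMPLE_KEYS)
    return unpack_payload(blob, key_json) == SAMPLE_PAYLOAD


def wrong_key_detected():
    """Corrupt the first key: the digest check must reject the result before zlib runs."""
    blob, key_json = pack_payload(SAMPLE_PAYLOAD, SAMPLE_KEYS)
    bad = json.loads(key_json)
    bad["keys"][0] = b"\x00\x01\x02".hex()
    try:
        unpack_payload(blob, json.dumps(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip ok:", round_trip())
    print("wrong key caught:", wrong_key_detected())
```

The order matters for an analyst writing a decryptor: hashing the still-compressed bytes lets the loader reject a wrong key before handing garbage to zlib, which is the same property a defender can use to confirm that a recovered key file actually belongs to a recovered .bin.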
| RAT | Size | Key Features | Impact |
|---|---|---|---|
| XWorm | ~1.1MB | RDP, webcam/mic, creds, keylog | Espionage, financial fraud |
| XenoRAT | Variable | File ops, clipboard, screen caps | IP theft, lateral movement |
| AsyncRAT | ~100KB | Commands, keylog, remote desktop | Sustained access, malware drops |
Forget file scans; hunt behaviors:
- Monitor hidden PowerShell (-WindowStyle Hidden) launching batch files.
- Flag curl fetching from TryCloudflare or python.org into temp directories.
- Watch for explorer.exe being created by an unusual parent (such as python.exe running out of %TEMP%) and then written to; the APC queue itself is not visible in standard process telemetry.
- Correlate Startup folder drops with injection activity shortly afterwards.
Tools like Sysmon, EDR memory scanning, and ML analytics catch this. Block TryCloudflare aggressively, but watch for pivots to new subdomains or IPs.
Site: cybersecuritypath.com