The cyber threat landscape continues to evolve with increasingly sophisticated malware distribution campaigns. Recently, security researchers at FortiGuard Labs uncovered a new active campaign delivering the XWorm RAT (Remote Access Trojan) to Windows systems via well-crafted phishing emails carrying malicious Excel attachments. This campaign leverages multi-language social engineering, exploitation of legacy Office vulnerabilities, fileless execution techniques, and advanced in-memory payload deployment to evade detection and secure full remote control of victim systems.
Background: XWorm RAT Overview
XWorm is a multi-functional remote access trojan first seen in 2022, designed to grant attackers comprehensive control over compromised Windows hosts. Beyond remote shell access, XWorm also supports modular functionality through plugins, enabling data exfiltration, command execution, DDoS capabilities, file transfers, and more — all over encrypted command-and-control (C2) traffic.
The newly observed payload corresponds to XWorm version 7.2, indicating active development and distribution through criminal ecosystems.
Phishing Lures: Multiple Themes, Multi-Language Emails
A key aspect of this campaign is its use of diverse phishing email templates, each tailored to resemble routine business communications across different languages and cultural contexts. The social engineering themes include:
- Requests to review payment details
- Purchase order acknowledgements
- Signed bank or shipment documentation
- Other business-oriented correspondence
All templates enticed recipients to open an attached Excel add-in file (.XLAM) purportedly containing additional details — effectively baiting victims into triggering the malware chain.
Why This Matters
Social engineering remains one of the most effective methods attackers use to bypass technical defenses. By diversifying lures in multiple themes and languages, adversaries increase the chances that recipients will trust and activate the malicious attachment — especially in global, multi-lingual organizations.
Exploitation: CVE-2018-0802 and Excel Malware
At the core of the exploitation chain is CVE-2018-0802, a stack-based buffer overflow in Microsoft Office’s legacy Equation Editor (EQNEDT32.EXE) that yields remote code execution when a malformed equation object embedded in an Office document is parsed. It surfaced in January 2018 as a bypass of the incomplete fix for CVE-2017-11882, and Microsoft’s response in that month’s update was to remove the Equation Editor from Office altogether. Despite its age, the bug remains a favourite of threat actors: EQNEDT32.EXE is an old 32-bit binary compiled without ASLR, so a single crafted OLE object gives reliable code execution on any host where the component still exists.
Here’s how the infection chain unfolds:
- Malicious Excel file: the .XLAM attachment contains an embedded OLE object configured to auto-load, so the vulnerable Equation Editor is invoked as soon as the document renders.
- Shellcode execution: parsing the malformed object triggers the overflow and runs the embedded shellcode inside the Equation Editor process.
- HTA download and execution: the shellcode fetches an HTA (HTML Application) file from an external domain, saves it locally, and launches it by calling ShellExecuteExW(), which hands the file to mshta.exe, the Windows HTA host.
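The attachment can be triaged statically before anyone opens it. The following script is an added example written for this write-up, not FortiGuard’s tooling: it treats the .XLAM as the zip container it is, looks for `<oleObject>` references whose `progId` is `Equation.3` or that carry `autoLoad="1"`, and searches the embedded OLE blobs for the Equation 3.0 CLSID or the `Equation Native` stream name. The sample document it scans is constructed in memory as a stand-in for the real attachment; it does not carry the exploit, and the scanner flags Equation Editor objects rather than the overflow itself.

```python
"""Static triage of an Office Open XML file for embedded Equation Editor objects.

Added example for this write-up (not FortiGuard's code). It opens the zip
container, looks for <oleObject> references whose progId is Equation.3 or
that are flagged autoLoad="1", and searches embedded OLE blobs for the
Equation 3.0 CLSID or the "Equation Native" stream name.
"""
import io
import re
import zipfile

# {0002CE02-0000-0000-C000-000000000046} (Microsoft Equation 3.0) as stored in
# an OLE compound file: the first three GUID fields are little-endian.
EQUATION3_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
# Stream name used by Equation Editor objects, UTF-16LE inside the OLE directory.
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")

OLE_OBJECT_RE = re.compile(r"<(?:\w+:)?oleObject\b([^>]*?)/?>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_ooxml(data: bytes) -> list:
    """Return a list of findings for one OOXML document given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".xml"):
                text = blob.decode("utf-8", "replace")
                for m in OLE_OBJECT_RE.finditer(text):
                    attrs = dict(ATTR_RE.findall(m.group(1)))
                    prog_id = attrs.get("progId", "")
                    auto_load = attrs.get("autoLoad", "0")
                    if prog_id.lower().startswith("equation") or auto_load in ("1", "true"):
                        findings.append({"part": name, "kind": "ole_reference",
                                         "progId": prog_id, "autoLoad": auto_load})
            elif "/embeddings/" in name:
                # Raw OLE compound file: look for the CLSID or the stream name.
                if EQUATION3_CLSID in blob or EQUATION_NATIVE in blob:
                    findings.append({"part": name, "kind": "equation_object"})
    return findings


def is_suspicious(findings: list) -> bool:
    """True if an Equation Editor object is embedded or referenced anywhere."""
    return any(
        f["kind"] == "equation_object" or f.get("progId", "").lower().startswith("equation")
        for f in findings
    )


def build_sample(weaponised: bool) -> bytes:
    """Constructed stand-in for the phishing attachment (not the real sample).

    The weaponised variant references an auto-loading Equation.3 object and
    carries an OLE blob with the Equation Native stream name and CLSID; the
    clean variant has no OLE object at all.
    """
    sheet = '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    if weaponised:
        sheet += ('<oleObjects><oleObject progId="Equation.3" autoLoad="1" '
                  'shapeId="1025"/></oleObjects>')
    sheet += "</worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        if weaponised:
            # OLE magic, padding, then the directory entry name and CLSID bytes.
            ole = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
                   + EQUATION_NATIVE + b"\x00" * 32 + EQUATION3_CLSID)
            zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("weaponised", build_sample(True)), ("clean", build_sample(False))):
        found = scan_ooxml(sample)
        verdict = "SUSPICIOUS" if is_suspicious(found) else "no Equation Editor objects"
        print(f"{label}: {verdict} {found}")
```

Point `scan_ooxml()` at the bytes of any .xlam, .xlsx or .docx; a hit on `equation_object` in a file received by e-mail is worth a sandbox detonation regardless of what the sheet XML says, since the OLE blob is what EQNEDT32.EXE actually parses.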
HTA & PowerShell: Fileless Loading of .NET Module
An HTA is an HTML file executed by mshta.exe, a signed Windows binary that runs the page’s script with the user’s full privileges and none of the browser sandbox restrictions, which is why it is a popular second-stage loader. Here the HTA contains obfuscated JavaScript that decodes and executes a Base64-encoded PowerShell payload. The PowerShell script, when executed, does the following:
- Contacts a remote server to download a JPEG file containing a transformed .NET module
- Extracts the embedded .NET assembly from the image file
- Loads the .NET module into memory without ever writing it to disk
This module masquerades as a legitimate Task Scheduler DLL and is used to bootstrap XWorm into the victim’s system memory.
Process Hollowing & In-Memory Payload Execution
To evade detection and static analysis, the .NET module performs process hollowing:
- Creating a legitimate process (MSBuild.exe, a signed Microsoft binary shipped with the .NET Framework) in a suspended state
- Allocating memory inside the target process
- Writing the decoded XWorm payload into that allocated memory
- Replacing the process’s execution context with the injected code
- Resuming execution, effectively running the malware under the guise of a trusted system binary
Because the .NET loader and the XWorm payload exist only in memory (the HTA is the only stage written to disk), there is no malicious executable for file-based AV to scan, and a process listing shows nothing more remarkable than a running MSBuild.exe.
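Every hand-off in the chain above (Equation Editor to mshta.exe, mshta.exe to powershell.exe, powershell.exe to MSBuild.exe) is visible in process-creation telemetry, and that lineage is the most durable detection the campaign offers. The script below is an added example, not part of the FortiGuard report: it replays constructed events shaped like Sysmon Event ID 1 records (the field names, PIDs and paths are assumptions for the demo) and flags the parent/child pairs this chain produces. One detail matters for rule authors: EQNEDT32.EXE is an out-of-process COM server started by the DCOM launcher, so its parent is svchost.exe rather than EXCEL.EXE, and a rule keyed on Office spawning the Equation Editor would never fire.

```python
"""Process-lineage detection for the XWorm delivery chain.

Added example (not part of the FortiGuard report). Replays constructed
process-creation events shaped like Sysmon Event ID 1 records and flags the
parent/child hand-offs this chain produces. Field names, PIDs and paths are
assumptions for the demo.
"""
import ntpath

# Constructed events. EQNEDT32.EXE is an out-of-process COM server, so its
# parent is the DCOM launcher (svchost.exe), not EXCEL.EXE.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 4000, "ppid": 3800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\user\Downloads\SNEV_VEND_026011406440.xlam'},
    {"pid": 4188, "ppid": 900,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"EQNEDT32.EXE" -Embedding'},
    {"pid": 4210, "ppid": 4188, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\user\AppData\Local\Temp\HGG.hta"},
    {"pid": 4250, "ppid": 4210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 4300, "ppid": 4250,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    # Benign activity that must not fire: an admin running PowerShell from cmd.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

# (parent image, child image or None for "any child", description)
RULES = [
    ("eqnedt32.exe", None,
     "Equation Editor spawned a child process (CVE-2017-11882 / CVE-2018-0802 pattern)"),
    ("mshta.exe", "powershell.exe", "HTA host launched PowerShell"),
    ("powershell.exe", "msbuild.exe", "PowerShell launched MSBuild.exe (hollowing target)"),
]


def image_name(event: dict) -> str:
    """Lower-cased file name of the process image, path stripped."""
    return ntpath.basename(event["image"]).lower()


def lineage(event: dict, by_pid: dict) -> list:
    """Walk ppid links upwards; returns the chain root-first as image names."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])  # guard against PID reuse loops in real data
        chain.append(image_name(event))
        event = by_pid.get(event["ppid"])
    return chain[::-1]


def detect(events: list) -> list:
    """Apply RULES to every parent/child pair; one alert per matching pair."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        for parent_image, child_image, description in RULES:
            if image_name(parent) == parent_image and child_image in (None, image_name(e)):
                alerts.append({"pid": e["pid"], "rule": description,
                               "chain": " -> ".join(lineage(e, by_pid))})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[pid {alert['pid']}] {alert['rule']}: {alert['chain']}")
```

The first rule deliberately matches any child of EQNEDT32.EXE: the Equation Editor has no legitimate reason to create processes, so the rule stays valid whatever the shellcode launches next. The other two rules are noisier in isolation, which is why each alert carries the full lineage string for the analyst.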
XWorm Network Communications & C2 Protocol
Once deployed, XWorm opens an AES-encrypted TCP channel to its command-and-control servers. Each message is framed with its length alongside the encrypted data, and the first message registers the infected host with system details such as OS version, hardware information, installed security products, and instance metadata.
The decrypted configuration revealed the C2 domain berlin101[.]com and a TCP port, pointing to custom RAT infrastructure operated by the attackers.
Control Commands & Plugin Architecture
XWorm supports a rich set of remote commands that extend its capabilities. Examples include:
| Command | Function |
|---|---|
| DW | Download and execute files |
| Urlopen | Open a URL in the victim’s browser |
| StartDDos | Launch a DDoS attack from the host |
| savePlugin | Store plugin modules in the registry |
| Xchat | Enable remote chat with the victim |
The malware also supports a plugin-based architecture with over 50 extensions — making it a highly adaptable platform for future malicious operations.
IOCs
URLs:
hxxps://retrodayaengineering[.]icu/HGG.hta
hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg
hxxp://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt
C2 Server:
Relevant Sample SHA-256:
[SNEV_VEND_026011406440.xlam]
EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D
[optimized_MSI_lpsd9p.jpg]
3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5
[HGG.hta / VA5.hta]
FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B
[XWorm RAT payload]
EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6
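The indicators above are most useful once they are in a form a hunt can consume: the defanged URLs reduced to hostnames for proxy and DNS log matching, and the SHA-256 values applied to files on suspect hosts. The script below is an added example, not part of the report; the sample bytes it checks in its demo are constructed, and the directory walk reads files in chunks so it can be pointed at a Downloads or Temp folder as-is.

```python
"""IOC hunting helpers for the indicators listed above.

Added example (not from the report). Refangs the defanged URLs into hostnames
for proxy/DNS log matching and hashes files with SHA-256 against the listed
sample hashes. Sample bytes used in the demo are constructed.
"""
import hashlib
import os
from urllib.parse import urlsplit

# Hashes and URLs exactly as published in the IOC section above.
IOC_SHA256 = {
    "EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D": "SNEV_VEND_026011406440.xlam",
    "3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5": "optimized_MSI_lpsd9p.jpg",
    "FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B": "HGG.hta / VA5.hta",
    "EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6": "XWorm RAT payload",
}
DEFANGED_URLS = [
    "hxxps://retrodayaengineering[.]icu/HGG.hta",
    "hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg",
    "hxxp://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt",
]


def refang(indicator: str) -> str:
    """Undo the hxxp / [.] defanging so the value can be matched against logs."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def ioc_hosts(defanged_urls: list) -> list:
    """Sorted, de-duplicated hostnames for a DNS/proxy blocklist or search."""
    return sorted({urlsplit(refang(u)).hostname for u in defanged_urls})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large downloads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def match_digests(digests: dict, iocs: dict = IOC_SHA256) -> dict:
    """digests: {label: hex sha256}; returns {label: (hash, ioc description)} for hits."""
    return {label: (h, iocs[h]) for label, h in digests.items() if h in iocs}


def match_samples(samples: dict, iocs: dict = IOC_SHA256) -> dict:
    """Same as match_digests but for in-memory bytes: {label: bytes}."""
    return match_digests({label: sha256_hex(data) for label, data in samples.items()}, iocs)


def scan_directory(root: str, iocs: dict = IOC_SHA256) -> dict:
    """Hash every file under root and report those matching the IOC list."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digests[path] = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the hunt
    return match_digests(digests, iocs)


if __name__ == "__main__":
    print("hosts to hunt for:", ioc_hosts(DEFANGED_URLS))
    # Constructed demo: a fake IOC entry so the matcher has something to hit.
    demo_iocs = {sha256_hex(b"constructed sample"): "demo artefact"}
    print("demo matches:", match_samples({"sample.bin": b"constructed sample",
                                          "clean.txt": b"nothing here"}, demo_iocs))
```

Run `scan_directory(r"C:\Users\<user>\Downloads")` with the default IOC table on a host under investigation; any hit names the stage it corresponds to, which tells the responder how far the chain got before it was interrupted.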
Defensive Implications & Recommendations
This campaign highlights several persistent threat vectors that defenders must account for:
- Social engineering remains a primary attack vector. User awareness training and anti-phishing policies are essential, and attachment filtering should treat add-in formats such as .XLAM with the same suspicion as macro-enabled documents.
- Legacy exploit risks such as CVE-2018-0802 demonstrate the need for continued Office patching and vulnerability remediation. A fully patched Office installation no longer ships EQNEDT32.EXE; any host where the binary still exists under Common Files\Microsoft Shared\EQUATION remains exposed to this chain.
- Fileless execution techniques underscore the necessity of behavioral analysis and endpoint-based detection. PowerShell script block logging and AMSI expose the decoded script, and process-creation telemetry reveals the EQNEDT32.EXE to mshta.exe to powershell.exe to MSBuild.exe lineage; restricting mshta.exe with application control removes a stage the chain depends on.
- Encrypted RAT traffic can evade traditional network signatures and requires modern threat analytics to identify anomalous patterns, such as a long-lived TCP session from MSBuild.exe to an unfamiliar external host.
Comprehensive layered defenses, along with real-time threat intelligence, are critical to countering these evolving threats.
Conclusion
The new XWorm phishing campaign illustrates the tactics modern adversaries use to evade detection and secure persistent remote access. By combining diverse social engineering lures, exploitation of a legacy Office component, fileless loading, and a modular RAT architecture, attackers continue to raise the bar on offensive operations. Defenders must respond with equally capable detection mechanisms and robust security hygiene to mitigate such multifaceted threats.
