The VOID#GEIST campaign is a sophisticated malware delivery framework analyzed by the Securonix Threat Research team. It employs a multi-stage attack chain that leverages obfuscated batch scripts, an embedded Python runtime, and fileless shellcode execution to deploy several remote access trojans (RATs), including XWorm, Xeno RAT, and AsyncRAT.
Unlike conventional malware that drops executable binaries directly to disk, VOID#GEIST relies heavily on script-based staging and in-memory execution, making it significantly harder for traditional security tools to detect.
The campaign’s architecture is modular, allowing attackers to dynamically decrypt and inject different payloads depending on the stage of the infection.
Initial Infection and Execution
Phishing and Batch Script Entry Point
The attack begins with a phishing email containing a malicious archive or script. Once executed by the victim, an obfuscated batch script acts as the primary loader.
This script performs several functions:
- Downloads or extracts additional components
- Deploys supporting files required for the attack
- Establishes the staging environment
- Initiates the Python-based execution chain
The batch script is intentionally heavily obfuscated to evade static detection and hinder analysis.
Deployment of Embedded Python Runtime
A key feature of the attack is the deployment of a legitimate embedded Python runtime bundled with the malware.
Instead of relying on the victim machine’s installed Python environment, the attackers ship their own Python interpreter directly with the payload.
Advantages of this approach include:
- Portability: the malware can run on systems regardless of whether Python is installed.
- Operational reliability: the attacker controls the runtime version and dependencies.
- Stealth: execution appears to be a legitimate Python process.
Once deployed, the runtime is used to execute a Python script responsible for the next stage of the attack.
Python Loader Architecture
The core of the attack chain is a Python-based loader script commonly referenced as runn.py.
This script is responsible for:
- Decrypting encrypted payload modules
- Loading shellcode into memory
- Injecting the decrypted code into legitimate Windows processes
The loader works with several supporting files:
| File | Purpose |
|---|---|
| runn.py | Main Python loader |
| new.bin | Encrypted shellcode for XWorm |
| xn.bin | Encrypted shellcode for Xeno RAT |
| pul.bin | Encrypted shellcode for AsyncRAT |
| a.json, n.json, p.json | Decryption keys |
These encrypted files prevent direct static analysis and ensure payloads are only decrypted at runtime.
Fileless Payload Execution
Once the Python loader decrypts the payloads, they are executed in memory using process injection techniques.
The malware leverages:
Early Bird APC Injection
This technique injects shellcode into a newly created process before its main thread begins execution.
Characteristics:
- Injection occurs very early in process startup
- Evades certain behavioral monitoring tools
- Executes malicious code inside trusted processes
The injection target in this campaign is typically explorer.exe.
Using a trusted Windows process helps the malware blend into normal system activity.
Multi-Payload Delivery
The VOID#GEIST framework delivers multiple RAT payloads sequentially.
1. XWorm
The first stage deploys XWorm, a powerful RAT used for:
- Remote system control
- Keylogging
- File exfiltration
- Surveillance activities
The loader decrypts the new.bin shellcode and injects it using APC injection.
2. Xeno RAT
The campaign then launches Xeno RAT.
Execution involves a legitimate Microsoft component:
AppInstallerPythonRedirector.exe
This binary is abused to invoke the Python runtime, which then decrypts and injects the Xeno RAT shellcode.
This living-off-the-land binary (LOLBin) approach further reduces suspicion, since the initial process in the chain is a signed Microsoft component.
3. AsyncRAT
In the final stage, the Python loader deploys AsyncRAT using the same injection mechanism.
AsyncRAT provides attackers with:
- Persistent remote access
- Command execution
- Credential harvesting
- System monitoring
By deploying multiple RAT families, attackers gain redundancy and flexibility in maintaining access to compromised hosts.
Persistence Mechanism
Persistence is achieved using user-level startup scripts.
A script is placed in the Windows Startup directory, ensuring that malicious components are re-executed whenever the user logs in.
This persistence method avoids the need for administrator privileges, making it easier to deploy successfully.
Command and Control Communication
After successful payload deployment, the malware sends a minimal HTTP beacon to attacker-controlled infrastructure.
Key characteristics:
- Communication occurs over TryCloudflare domains
- The beacon confirms successful compromise
- Allows attackers to begin issuing commands
This communication channel serves as the command-and-control (C2) infrastructure for the RAT payloads.
Detection Challenges
VOID#GEIST presents multiple challenges for defenders:
1. Fileless Execution
Payloads are decrypted and executed directly in memory, leaving minimal artifacts on disk.
2. Legitimate Components
The attack leverages legitimate binaries and interpreters:
- Python runtime
- Microsoft utilities
- Trusted Windows processes
3. Multi-Stage Architecture
The infection chain unfolds across several stages, making it difficult to correlate events.
4. Obfuscated Scripts
Heavy script obfuscation complicates static analysis.
5. Repeated Process Injection
Multiple injections into explorer.exe occur across stages.
Interestingly, this repeated injection behavior can itself become a behavioral detection indicator.
Key Indicators and Behavioral Signals
Security teams should monitor for:
- Unexpected embedded Python runtime deployment
- Execution of Python scripts from temporary directories
- Repeated APC injection into explorer.exe
- Suspicious use of AppInstallerPythonRedirector.exe
- Startup folder scripts invoking Python loaders
- Outbound HTTP traffic to TryCloudflare C2 infrastructure
These behaviors provide useful TTP-based detection opportunities.
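As an added illustration of the behavioral signals listed above, the following rule set (example code written for this summary, not from the Securonix report or the malware) runs over constructed Sysmon-style events and flags the Python-from-Temp, redirector-parent, Startup-folder, repeated explorer.exe access and TryCloudflare indicators. Event field names, user paths and the redirector's location are assumptions or placeholders.

```python
import re
from collections import Counter

# Constructed sample telemetry, not taken from the report: process-creation ("proc"),
# process-access ("access") and network ("net") events in a simplified Sysmon-like shape.
PY = r"C:\Users\u\AppData\Local\Temp\rt\python.exe"          # embedded runtime in Temp
SAMPLE_EVENTS = [
    {"type": "proc", "image": PY, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"python.exe C:\Users\u\AppData\Local\Temp\rt\runn.py"},
    {"type": "proc", "image": PY, "cmdline": "python.exe runn.py",
     "parent": r"C:\PLACEHOLDER_PATH\AppInstallerPythonRedirector.exe"},  # path is a placeholder
    {"type": "proc", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'},
    {"type": "net", "image": r"C:\Windows\explorer.exe", "dest_host": "constructed-name.trycloudflare.com"},
    {"type": "proc", "image": r"C:\Program Files\Python312\python.exe",  # benign control, must not alert
     "cmdline": "python.exe build.py", "parent": r"C:\Windows\System32\cmd.exe"},
] + [{"type": "access", "source": PY, "target": r"C:\Windows\explorer.exe"}] * 3  # one per RAT stage

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, inject_threshold=2):
    """Return sorted (rule, detail) findings for the indicators listed above."""
    findings, explorer_access = [], Counter()
    for e in events:
        if e["type"] == "proc":
            img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"]
            if img == "python.exe" and USER_WRITABLE.search(e["image"]):
                findings.append(("python_from_user_writable_dir", e["image"]))
            if img == "python.exe" and parent == "appinstallerpythonredirector.exe":
                findings.append(("python_via_appinstaller_redirector", cmd))
            if STARTUP_DIR.search(cmd):
                findings.append(("startup_folder_script", cmd))
        elif e["type"] == "access" and basename(e["target"]) == "explorer.exe":
            explorer_access[e["source"]] += 1   # count handle opens per source process
        elif e["type"] == "net" and e["dest_host"].lower().endswith(".trycloudflare.com"):
            findings.append(("trycloudflare_beacon", e["dest_host"]))
    for src, n in explorer_access.items():
        if n >= inject_threshold:   # repeated access across stages is itself the signal
            findings.append(("repeated_explorer_access", f"{src} x{n}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

The benign Program Files interpreter in the sample produces no finding, while the Temp-resident runtime trips three separate rules; the access threshold is the knob to tune against legitimate tools that open explorer.exe once.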
Conclusion
VOID#GEIST represents a modern example of script-driven, modular malware delivery. By combining:
- Obfuscated batch scripts
- Embedded Python runtimes
- Runtime payload decryption
- Fileless process injection
- Multiple RAT deployments
the campaign achieves a high level of stealth, portability, and resilience.
The use of legitimate tools and memory-resident execution reflects a broader trend in modern malware operations, where attackers increasingly rely on living-off-the-land techniques and modular frameworks to evade traditional detection mechanisms.
