Cybercriminals are escalating their tactics, combining stealthy techniques with intelligent targeting to deliver dangerous malware variants depending on where you are in the world.
In a recently uncovered cyberattack operation, a multi-phase malware campaign was observed using advanced scripting and geofencing to deploy either the XWorm Remote Access Trojan (RAT) or the Rhadamanthys information stealer. The attack, which relies heavily on JScript and obfuscated PowerShell, showcases a growing trend in cybercrime: tailored payloads that change dynamically based on the user's geographical location.
The campaign, dissected by security researcher Andrew Petrus, combines fileless execution, runtime obfuscation, and process injection to evade detection by traditional antivirus solutions. By running inside legitimate system processes and removing their artifacts immediately after execution, the attackers manage to fly under the radar.
Let's dive into how the attack unfolds and what makes it uniquely dangerous.
The Attack Campaign:
- Initial Vector: The infection starts with a JScript file, which is either launched from a Windows Task Scheduler task or delivered through deceptive "ClickFix" fake CAPTCHA pop-ups.
- Dynamic PowerShell Command: The script assembles a PowerShell command on the fly from scrambled array elements, so static analysis of the JScript never sees the complete command; it only exists once the script is actually running.
- Geofencing Trigger: The script checks the
- If the IP is from the US: The system is hit with XWorm RAT, a .NET-based trojan with capabilities like clipboard hijacking and DDoS attacks.
- If the IP is outside the US: The attacker delivers Rhadamanthys, a C++ information stealer whose recent versions can pull cryptocurrency seed phrases out of images using image recognition (described in the write-up as AI).
- Post-Execution Cleanup:
- Terminates the script-host processes `mshta.exe` and `wscript.exe` (the original write-up calls these analysis tools; they are Windows script hosts, `wscript.exe` being the host that runs the initial JScript).
- Deletes the temporary batch and PowerShell files to erase traces.
- Payload Obfuscation:
- Uses decimal-encoded strings and a custom `Convert-DecimalToText` function to rebuild the real script text at runtime.
- The final payload is reflectively injected into `RegSvcs.exe`, a legitimate, Microsoft-signed .NET Framework utility (the .NET Services Installation Tool), so the malicious code runs under a trusted process name.
- Anti-Analysis Techniques:
- Process injection lets the decoded payload run without ever being written to disk as an executable.
- A temporary directory, `C:\ProgramData\loralylomyra`, is created and deleted within seconds to limit what a file scan can see.
- The payload and loader are held in reversed string variables (`$lora`, `$PE`) and are only turned back around in memory at runtime, so simple string matching against the script never sees the real content.
- Payload Capabilities:
- XWorm RAT: Full remote control, clipboard hijacking and the ability to launch DDoS attacks.
- Rhadamanthys: Harvests credentials, targets cryptocurrency wallets and uses image recognition to read seed phrases stored as images.
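The decimal-encoding and string-reversal layers described above can be undone offline once you have the script text. The following is an added analyst-side example, not code from the campaign or from Petrus's analysis. It assumes an encoded literal is a run of decimal character codes separated by spaces, commas or semicolons (the loader's exact separator is not shown), and the loader fragment it decodes is constructed for the example rather than taken from a real sample.

```python
# Added analyst-side example (not the loader's code): undo the two
# obfuscation layers the write-up describes, decimal-encoded strings
# (Convert-DecimalToText) and reversed string variables ($lora, $PE).
# ASSUMPTION: an encoded literal is a run of decimal character codes
# separated by spaces, commas or semicolons; the loader's real separator
# is not shown, so any non-digit run is accepted.
import re

# A literal run of at least eight small decimal numbers: the shape a
# decimal-encoded string takes when it sits inside a script.
DECIMAL_RUN = re.compile(r"(?:\d{1,3}[ ,;]+){7,}\d{1,3}")

# Tokens a decoded PowerShell fragment should contain when read in the
# right direction; used to detect whether the reversal layer is present.
SCRIPT_TOKENS = ("http", "invoke", "powershell", "system.", "-join",
                 "regsvcs", "geojs")


def decimal_to_text(encoded: str) -> str:
    """Python equivalent of the loader's Convert-DecimalToText."""
    return "".join(chr(int(tok)) for tok in re.findall(r"\d+", encoded))


def script_score(text: str) -> int:
    """Count known PowerShell tokens, case-insensitively."""
    low = text.lower()
    return sum(low.count(tok) for tok in SCRIPT_TOKENS)


def recover(encoded: str) -> str:
    """Decode the decimal layer, then undo the reversal layer if the
    reversed text looks more like a script than the forward text."""
    text = decimal_to_text(encoded)
    if script_score(text[::-1]) > script_score(text):
        return text[::-1]
    return text


def find_and_decode(script: str) -> list:
    """Recover every decimal-encoded literal found in a script body."""
    return [recover(m.group(0)) for m in DECIMAL_RUN.finditer(script)]


# --- Constructed sample; not a real captured loader ------------------------
SAMPLE_PLAIN = "Invoke-RestMethod https://get.geojs.io/v1/ip/country.json"


def make_sample_script() -> str:
    """Build a loader-like fragment the way the write-up describes it:
    the command is reversed, then stored as decimal character codes."""
    encoded = " ".join(str(ord(c)) for c in SAMPLE_PLAIN[::-1])
    return f'$lora = Convert-DecimalToText "{encoded}"\nIEX $lora'


if __name__ == "__main__":
    for recovered in find_and_decode(make_sample_script()):
        print(recovered)
```

The orientation check is deliberately a heuristic: the loader may reverse some variables and not others, so the decoder scores both directions against a short list of PowerShell tokens instead of assuming every literal is reversed. Extend `SCRIPT_TOKENS` with strings seen in your own samples if a decoded fragment comes out backwards.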
Indicators of Compromise (IOCs):
- Loader Hash: `70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb`
- XWorm Sample: `b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda`
- Network Activity: Unusual connections to `get.geojs.io` and to domains like `imgbox.com`.
What Undercode Says:
This campaign reflects a growing evolution in malware deployment, one that's intelligent, adaptive, and ruthlessly efficient. The use of geofencing stands out as a sharp deviation from generic "one-size-fits-all" malware tactics. By tailoring payloads based on region, attackers optimize their malware's effectiveness while reducing the risk of detection and takedown.
From a technical standpoint, the combination of JScript and PowerShell offers flexibility and stealth. JScript provides an easy way to execute code on the system, while PowerShell delivers powerful, scriptable control over Windows environments. When these are combined with runtime obfuscation, reflective loading, and legitimate system tools like RegSvcs.exe, it becomes incredibly difficult for endpoint protection tools to keep up.
The attackers' attention to detail is evident in how they manage their attack lifecycle. They execute payloads in memory (fileless), delete temporary artifacts immediately, and even reverse critical strings to evade detection through simple string-matching tools. This is malware engineering designed not just to infiltrate, but to survive in hostile environments.
What's particularly noteworthy is the AI-driven (image recognition) extraction mechanism in Rhadamanthys. By reading seed phrases out of screenshots or wallet exports, the malware sidesteps traditional text-based keyloggers and credential stealers, which never see a secret that was only ever stored as a picture. This presents a new vector for targeting crypto assets, one that defenders need to prepare for.
On the other hand, XWorm RAT's functionality remains consistent with modern RATs, offering remote control, data exfiltration, and even offensive capabilities like DDoS, which could be weaponized against both individuals and institutions.
For defenders, this campaign is a wake-up call. It's not just about patching vulnerabilities or setting up firewalls anymore. Behavioral analysis, PowerShell monitoring, and geolocation-based anomaly detection are essential. Analysts must also be prepared to inspect processes that appear legitimate (like RegSvcs.exe) for signs of injection: a RegSvcs.exe instance started by PowerShell rather than by an installer, or one that opens network connections, is worth a memory inspection.
This campaign shows us that attackers are no longer amateurs experimenting with scripts. They're operating like skilled software engineers, combining automation, AI, and reconnaissance to launch precision-targeted attacks.
Organizations should consider:
- Restricting or monitoring PowerShell usage via AMSI and logging tools; script block logging (Event ID 4104) in particular records the command after the JScript and decimal-string layers have been unwrapped, which is exactly what the static obfuscation is designed to hide.
- Blocking access to public geolocation APIs like geojs.io if not essential to business operations, or at least alerting on lookups made by script hosts, since legitimate software also uses such services.
- Using deception techniques like honey tokens or fake wallet exports to detect image-based seed-phrase theft attempts.
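To make these recommendations concrete, here is an added example (not part of the original write-up) of a detection pass over a handful of constructed telemetry events that encode the observables the article lists: the `get.geojs.io` lookup, decimal-encoded and reversed strings in PowerShell script blocks, the short-lived `C:\ProgramData\loralylomyra` directory, and `RegSvcs.exe` started by a script host. The event shapes loosely follow Sysmon (1 = process create, 11 = file create, 22 = DNS query, 23 = file delete) and PowerShell script block logging (4104), but the field names, the sample events and the thresholds are all assumptions made for this example.

```python
# Added detection example (not from the original article). Events are
# plain dicts whose shape loosely follows Sysmon and PowerShell 4104
# logging; field names, sample events and thresholds are ASSUMPTIONS.
import re

GEOFENCE_DOMAINS = {"get.geojs.io"}            # public geolocation API used as the geofence
STAGING_DIR = r"c:\programdata\loralylomyra"   # short-lived directory named in the write-up
INJECTION_TARGETS = {"regsvcs.exe"}            # legitimate host process for the injected payload
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
SHORT_LIVED_SECONDS = 30                       # assumed window for "created and deleted within seconds"

# Script-block heuristics: reversed-string reconstruction idioms and a
# long literal run of decimal character codes (Convert-DecimalToText input).
REVERSE_PATTERN = re.compile(r"\[array\]::reverse|tochararray\(\)|\[-1\.\.", re.I)
DECIMAL_RUN = re.compile(r"(?:\d{1,3}[ ,;]+){7,}\d{1,3}")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list) -> list:
    """Return (host, reason) findings for the campaign's observables.
    File create/delete pairs are correlated to catch the short-lived
    staging directory, so events are processed in timestamp order."""
    findings = []
    created = {}  # (host, lower-cased path) -> creation timestamp
    for e in sorted(events, key=lambda ev: ev["ts"]):
        host, eid = e["host"], e["event_id"]
        if eid == 22 and e["query"].lower() in GEOFENCE_DOMAINS:
            findings.append((host, f"geofence lookup to {e['query']} by {basename(e['image'])}"))
        elif eid == 1 and basename(e["image"]) in INJECTION_TARGETS \
                and basename(e["parent_image"]) in SCRIPT_HOSTS:
            findings.append((host, f"{basename(e['image'])} spawned by "
                                   f"{basename(e['parent_image'])} (injection host candidate)"))
        elif eid == 11 and e["target"].lower().startswith(STAGING_DIR):
            created[(host, e["target"].lower())] = e["ts"]
            findings.append((host, "file created under known staging directory"))
        elif eid == 23:
            t0 = created.pop((host, e["target"].lower()), None)
            if t0 is not None and e["ts"] - t0 <= SHORT_LIVED_SECONDS:
                findings.append((host, f"staging file deleted {e['ts'] - t0}s after creation"))
        elif eid == 4104:
            script = e["script"]
            if DECIMAL_RUN.search(script):
                findings.append((host, "decimal-encoded string literal in script block"))
            if REVERSE_PATTERN.search(script):
                findings.append((host, "reversed-string reconstruction in script block"))
            if "geojs.io" in script.lower():
                findings.append((host, "geofencing API referenced in script block"))
    return findings


def hosts_at_risk(findings: list, threshold: int = 3) -> list:
    """Hosts with at least `threshold` independent findings (assumed cut-off)."""
    counts = {}
    for host, _ in findings:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


# --- Constructed sample telemetry (not real logs) --------------------------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"event_id": 22, "ts": 100, "host": "WS01", "image": PS, "query": "get.geojs.io"},
    {"event_id": 4104, "ts": 101, "host": "WS01",
     "script": '$lora = Convert-DecimalToText "73 69 88 32 36 108 111 114 97"; '
               '$r = $lora.ToCharArray(); [array]::Reverse($r); $cmd = -join $r'},
    {"event_id": 11, "ts": 102, "host": "WS01", "target": r"C:\ProgramData\loralylomyra\stage.ps1"},
    {"event_id": 23, "ts": 104, "host": "WS01", "target": r"C:\ProgramData\loralylomyra\stage.ps1"},
    {"event_id": 1, "ts": 105, "host": "WS01", "image": REGSVCS, "parent_image": PS},
    # Benign-looking control: RegSvcs.exe launched from explorer.exe on another host.
    {"event_id": 1, "ts": 200, "host": "WS02", "image": REGSVCS, "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for host, reason in results:
        print(f"{host}: {reason}")
    print("hosts at risk:", hosts_at_risk(results))
```

No single rule here is conclusive on its own: a geolocation lookup or a RegSvcs.exe launch can be benign. The point of correlating by host is that the campaign produces all of these signals on one machine within a short window, which is a much stronger signal than any one of them.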
The reality is clear: malware is evolving, and so must our defenses.
Fact Checker Results:
- This malware campaign has been analyzed by reputable cybersecurity researcher Andrew Petrus.
- Payload selection based on geolocation is a confirmed technique in current malware strategies.
- The tools and techniques described (e.g., PowerShell obfuscation, RegSvcs injection) are well documented in current crimeware loaders; they are not specific to advanced persistent threat (APT) actors.
References:
Reported By: cyberpress.org