A phishing campaign delivering a new variant of XWorm was recently observed in the wild.
XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively distributed, including through Telegram-based marketplaces. Once deployed, it provides attackers with full remote control of compromised Windows systems. This campaign relies on multiple phishing emails that employ social engineering to trick recipients into opening a malicious attachment. The following analysis details these phishing lures and shows how the attached Excel file exploits CVE-2018-0802 to download and execute an HTA file on the victim’s device.
The HTA execution triggers PowerShell, which downloads and loads a fileless .NET module directly into memory. That module uses process hollowing to inject and execute the XWorm payload within a newly created Msbuild.exe process.
The FortiGuard Labs analysis also examines XWorm’s encrypted network traffic, command-and-control protocol, control commands, and plugin architecture.
Infection Chain - The infection chain begins with phishing emails delivering a malicious Excel attachment to targeted users. These emails use common business-themed lures to encourage recipients to open the attached file.
Figure 1 provides an overview of the full infection chain observed in this campaign, from initial email delivery through execution of the XWorm RAT payload.
Figure 1: Overview of the XWorm phishing campaign infection chain
Multiple-Themed Phishing Emails - Multiple phishing email themes, written in several languages, were identified in this XWorm campaign. As shown in Figure 2, the emails were disguised as:
- Payment detail requests requiring recipient review
- Purchase orders requesting acknowledgment
- Signed bank documents related to shipments
- Other business-related communications
Figure 2: Examples of phishing emails used in the XWorm campaign
All phishing emails include an attached Excel add-in file (.XLAM) and instruct recipients to open the attachment to view additional details. As shown in Figure 2, these emails were marked as virus-detected in the subject line and blocked by the FortiMail service. As a result, the messages were not ultimately delivered to recipients.
Crafted Excel File to Exploit CVE-2018-0802 - One of the attached Excel files was selected for further investigation. The analysis revealed an embedded OLE (Object Linking and Embedding) object within the sheet1.xml file, configured with autoLoad=true. The OLE object definition is shown in the sheet1.xml.rels file, as illustrated in Figure 3.
Figure 3: OLE object definition in sheet1.xml.rels
CVE-2018-0802 is a remote code execution vulnerability in the Microsoft Equation Editor (EQNEDT32.EXE) that remains actively exploited.
The embedded OLE object (../embeddings/WEakS.Jh) contains malformed data, as shown in Figure 4. When the Excel file is opened, EQNEDT32.EXE parses the object, triggering the vulnerability and executing the embedded shellcode.
Figure 4: Malformed OLE object stream exploiting CVE-2018-0802
The shellcode decrypts embedded code at runtime and executes it to download an HTA file from hxxps://retrodayaengineering[.]icu/HGG.hta, saving it as %APPDATA%\VA5.hta.
To perform this download, the shellcode invokes multiple Windows APIs, including WinHttpOpen(), WinHttpConnect(), WinHttpOpenRequest(), WinHttpSendRequest(), WinHttpReceiveResponse(), WinHttpQueryDataAvailable(), WinHttpReadData(), and WriteFile().
Figure 5: Shellcode invoking WinHttpConnect() to download the HTA file
To execute the downloaded HTA file on the victim’s device, the shellcode calls the ShellExecuteExW() API, as illustrated in Figure 6.
Figure 6: Execution of the downloaded HTA file via ShellExecuteExW()
Analyzing the HTA File - An HTA file (HTML Application) is a Microsoft Windows program using HTML and scripting languages (such as VBScript or JScript) to create executable applications. The downloaded HTA file is obfuscated, with the legitimate code interspersed with large amounts of junk data.
Figure 7: De-obfuscated HTA file showing embedded script logic
Figure 7 presents a de-obfuscated and cleaned version of the HTA file. The file contents indicate that the HTA file executes JScript code when loaded by mshta.exe. The apochromatic variable contains a Base64-encoded PowerShell payload, which is decoded and executed at runtime. Based on the analysis, the PowerShell code performs the following actions:
1. It downloads a JPEG file containing a transformed .NET module embedded within the image. The URL of the image file is hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg.
2. It extracts and decodes the fileless .NET module from the image and loads it into the memory of the PowerShell.exe process without writing it to disk. The Base64-encoded .NET module is placed between the two keywords BaseStart- and -BaseEnd appended to the image file.
Figure 8: Base64-encoded .NET module embedded between BaseStart and BaseEnd markers in the JPEG file.
As shown in Figure 8, the embedded data is extracted and decoded at runtime.
3. It then invokes the Software.Program.Main() method of the .NET module.
The parameters passed to the method are:
'=QHe05SY3d3L2VGZuIjcuQjMmdjNwMDM3EmZhJGZilDNmlDNxgjZxQzNlRWMjJ2MtIWdw9yL6MHc0RHa','','C:\Users\Public\Downloads','Name_File','Msbuild','','Msbuild','','URL','C:\Users\Public\Downloads','Name_File','hta','1','','Task_Name','0','','',''
The first parameter is a reversed Base64-encoded string derived from a URL, which is decoded in the .NET module.
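The two decoding steps described above (pulling the Base64 blob out from between the BaseStart- and -BaseEnd markers appended to the JPEG, and un-reversing the Base64 URL passed as the first Main() parameter) are easy to reproduce when triaging a sample. The following Python is an added analyst example, not code from the original post or from FortiGuard Labs. The JPEG bytes and the embedded payload are constructed stand-ins; the reversed string is the first parameter quoted above, and the decoded value is the staging URL the analysis names.

```python
import base64
import re

# Marker keywords the analysis describes around the appended .NET module.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"


def extract_between_markers(blob: bytes) -> bytes:
    """Return the decoded bytes between BaseStart- and -BaseEnd, or b"" if either marker is missing."""
    start = blob.find(START_MARKER)
    if start < 0:
        return b""
    start += len(START_MARKER)
    end = blob.find(END_MARKER, start)
    if end < 0:
        return b""
    b64 = re.sub(rb"\s+", b"", blob[start:end])  # tolerate line breaks inside the blob
    return base64.b64decode(b64, validate=True)


def decode_reversed_b64(param: str) -> str:
    """Reverse the string (the '=' padding moves to the end) and Base64-decode it."""
    return base64.b64decode(param[::-1]).decode("utf-8")


def looks_like_pe(data: bytes) -> bool:
    """A .NET DLL is a PE image, so the recovered module should start with the MZ signature."""
    return data[:2] == b"MZ"


def defang(url: str) -> str:
    """Render a URL safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


# Constructed sample: a JPEG SOI/EOI skeleton followed by the marker-wrapped payload.
# The payload is a fake header, not a real assembly.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed-stand-in-not-an-assembly"
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    + START_MARKER + base64.b64encode(FAKE_PAYLOAD) + END_MARKER
)

# First Main() parameter as quoted in the analysis.
STAGE_URL_PARAM = "=QHe05SY3d3L2VGZuIjcuQjMmdjNwMDM3EmZhJGZilDNmlDNxgjZxQzNlRWMjJ2MtIWdw9yL6MHc0RHa"

if __name__ == "__main__":
    module = extract_between_markers(SAMPLE_JPEG)
    print(f"recovered {len(module)} bytes, PE header present: {looks_like_pe(module)}")
    print("stage URL:", defang(decode_reversed_b64(STAGE_URL_PARAM)))
```

Running the script against a real sample means replacing SAMPLE_JPEG with the downloaded image bytes; the marker search is byte-based, so it works regardless of how much image data precedes the appended blob.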
The Fileless .NET Module and Process Hollowing - The assembly name of the .NET module (DLL) is Microsoft.Win32.TaskScheduler, chosen to disguise it as a legitimate TaskScheduler-related system module and mislead both the victim and researchers.
Similar .NET modules have been observed in previous analyses and used by multiple malware families, including Remcos, DarkCloud, and Agent Tesla.
In this campaign, the .NET module serves as the XWorm RAT downloader and loader.
Figure 9: Breakpoint at Software.Program.Main() method called by the PowerShell process
Figure 9 shows the .NET module’s Main() method as analyzed in a debugger; the parameter list passed from the PowerShell.exe process is shown at the bottom of the figure.
As mentioned earlier, the first parameter passed to the Main() method is a Base64-encoded string in reverse order. The .NET module decodes the URL and then downloads the content.
The decoded URL is hxxps://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt. As shown in Figure 10, the module uses the WebClient.DownloadString() method to retrieve the file.
Figure 10: Download of a file from the decoded URL
Figure 11: Captured network traffic showing the contents of wwa.txt
The content of the wwa.txt file consists of another Base64-encoded string, as shown on the right side of Figure 11. Decoding the Base64 string recovers a PE file in memory. Based on the FortiGuard Labs analysis, this PE file is the XWorm RAT payload.
The payload is never written to a local file; instead, it remains in the memory of the PowerShell.exe process.
The .NET module then deploys the XWorm payload into a newly created Msbuild.exe process via process hollowing. The path to Msbuild.exe is supplied as a parameter, as shown in Figure 9.
Figure 12: The .NET module calls CreateProcessA()
To perform the process hollowing, it calls CreateProcessA() with the full path to Msbuild.exe and the CREATE_SUSPENDED (0x00000004) flag, as shown in Figure 12, to create a suspended Msbuild.exe process.
The .NET module then calls a sequence of Windows APIs, such as VirtualAllocEx(), WriteProcessMemory(), ReadProcessMemory(), GetThreadContext(), SetThreadContext(), and ResumeThread(), to inject the XWorm payload into the Msbuild.exe process and execute it.
Figure 13 presents a process tree explaining how the entire campaign deploys the XWorm RAT payload, from EQNEDT32.EXE to Msbuild.exe.
Figure 13: Process tree of the processes involved in the campaign.
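The API sequence just described is also what a defender can correlate on: a child created with CREATE_SUSPENDED whose parent then writes into it, re-points its thread context, and resumes it. The following Python is an added detection example, not code from the original post or from FortiGuard Labs. It runs over constructed API-trace lines in an assumed "key=value" format (real sandbox or EDR logs differ, so the parser is the part to adapt); the flag value 0x00000004 is the one named in the analysis.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags value named in the analysis

# Post-creation calls that complete the hollowing pattern against the suspended child.
WRITE_STEPS = {"WriteProcessMemory", "SetThreadContext"}


def parse_line(line: str) -> dict:
    """Parse one 'key=value key=value ...' trace line (constructed format, an assumption)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def detect_hollowing(trace: str) -> list:
    """Return (parent_pid, child_pid, image) for each child that was created suspended,
    then written to and had its thread context replaced before ResumeThread."""
    suspended = {}            # (parent, child) -> image path of the suspended child
    seen = defaultdict(set)   # (parent, child) -> write-phase APIs observed so far
    findings = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        pid, api = int(ev["pid"]), ev["api"]
        if api.startswith("CreateProcess") and "child" in ev:
            if int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
                suspended[(pid, int(ev["child"]))] = ev.get("image", "?")
            continue
        key = (pid, int(ev.get("target", "0")))
        if key not in suspended:
            continue
        if api in WRITE_STEPS:
            seen[key].add(api)
        elif api == "ResumeThread" and seen[key] == WRITE_STEPS:
            # Order matters: both write-phase calls must precede the resume.
            findings.append((pid, key[1], suspended[key]))
    return findings


# Constructed trace: the Msbuild.exe hollowing sequence, plus a benign suspended
# launch that is resumed without any memory writes (e.g. a debugger attach).
SAMPLE_TRACE = """\
pid=4120 api=CreateProcessA image=Msbuild.exe flags=0x00000004 child=5288
pid=4120 api=VirtualAllocEx target=5288
pid=4120 api=WriteProcessMemory target=5288
pid=4120 api=GetThreadContext target=5288
pid=4120 api=SetThreadContext target=5288
pid=4120 api=ResumeThread target=5288
pid=3300 api=CreateProcessA image=notepad.exe flags=0x00000004 child=6001
pid=3300 api=ResumeThread target=6001
pid=3300 api=CreateProcessA image=cmd.exe flags=0x00000000 child=6002
"""

if __name__ == "__main__":
    for parent, child, image in detect_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {parent} -> {image} (pid {child})")
```

The rule deliberately requires both WriteProcessMemory and SetThreadContext before the ResumeThread; a suspended start followed only by a resume is common for debuggers and some installers, so keying on the resume alone would be noisy.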
The XWorm Payload File - The XWorm payload was dumped from the memory of the PowerShell.exe process for static analysis. According to Figure 14, the payload is a 32-bit executable (EXE) file compiled with the Microsoft .NET Framework and obfuscated with DeepSea Obfuscator.
Figure 14: The XWorm payload observed in a static analysis tool
This also explains why Msbuild.exe was chosen as the target process for executing the XWorm RAT. Because XWorm is .NET-based malware, it requires a .NET runtime environment. Msbuild.exe is a .NET-compiled executable that initializes the required runtime environment when launched, enabling the XWorm RAT to execute. Based on the assembly display name of the XWorm RAT, UD_XWormClient 7.2, the payload corresponds to XWorm version 7.2, which was released in late 2025/early 2026.
Once executed within Msbuild.exe, the XWorm RAT decrypts several configuration values, including C2 server hosts and ports, cryptographic keys, and data delimiters.
Figure 15 shows the Main() method of the XWorm RAT payload. At the bottom of the figure, the decrypted C2 server domain (berlin101.com) and TCP port (6000) are shown.
Figure 15: Decrypted command-and-control (C2) server host and port
Dissecting the Packet - To protect its communications, XWorm encrypts network traffic using the AES algorithm. Figure 16 shows an example of encrypted XWorm RAT network packets.
Figure 16: Example of encrypted XWorm RAT network packets.
Each encrypted packet consists of a packet size (decimal string) followed by AES-encrypted data. In Figure 16, three packets are shown with sizes of 272, 48, and 16 bytes, respectively. Once the XWorm RAT establishes a connection with the C2 server, it sends a registration packet to register itself with the C2 server. The packet contains basic information collected from the victim’s machine, as shown in Figure 17.
Figure 17: Breakpoint hit during encryption and transmission of the registration packet.
The registration packet begins with the client command INFO, as shown below.
INFO<Xwormmm>DA0F826C51434A32DFEB<Xwormmm>win-10<Xwormmm>Windows 10 Pro 64bit<Xwormmm>XWorm V7.1<Xwormmm>24/06/2022<Xwormmm>False<Xwormmm>False<Xwormmm>False<Xwormmm>Intel Xeon E E-2434<Xwormmm>VirtualBox Graphics Adapter (WDDM)<Xwormmm>7.99 GB<Xwormmm>Windows Defender
This INFO command data, delimited by <Xwormmm>, consists of the following basic information:
- INFO, the command name
- The victim ID
- The victim's username
- Windows system information
- XWorm RAT version
- Creation time of the current process (exe)
- An indicator of whether the XWorm RAT runs with the USB spreader
- An indicator of whether the XWorm RAT runs with administrator privileges
- Presence of camera devices on the victim's machine
- Processor information of the compromised device
- Graphics card information
- Total RAM size
- Installed anti-virus products
Below is an example of a control command issued by the C2 server. All control commands follow the same structure:
Urlopen<Xwormmm>https://www.fortinet.com
In this example, Urlopen is the control command name, and https://www.fortinet.com is the command parameter. The two fields are separated by the <Xwormmm> delimiter. When the command is parsed, the XWorm RAT opens a website in the victim's default web browser. Some control commands may include multiple parameters, all of which are separated by the same delimiter.
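Once the AES layer is removed, the plaintext messages are simple delimiter-separated records, which makes them easy to decode for detection content or incident write-ups. The following Python is an added example, not code from the original post or from FortiGuard Labs: it parses the INFO registration packet on the <Xwormmm> delimiter and maps it onto the thirteen fields listed above, parses a C2 control command into its name and parameters, and classifies a message by checking its first field against the command names given in the analysis. The field labels are my own; the sample messages are the two quoted in the text.

```python
DELIM = "<Xwormmm>"

# Positional meaning of the INFO fields, following the list given in the analysis.
INFO_FIELDS = [
    "command", "victim_id", "username", "os", "version", "process_created",
    "usb_spreader", "is_admin", "has_camera", "cpu", "gpu", "ram", "antivirus",
]
BOOL_FIELDS = ("usb_spreader", "is_admin", "has_camera")

# Server-side control command names from the analysis's command table.
C2_COMMANDS = {
    "pong", "re", "CLOSE", "uninstall", "update", "DW", "FM", "LN", "Urlopen",
    "Urlhide", "PCShutdown", "PCRestart", "PCLogoff", "RunShell", "StartDDos",
    "StopDDos", "StartReport", "StopReport", "Xchat", "Hosts", "Shosts", "DDos",
    "plugin", "savePlugin", "RemovePlugins", "OfflineGet", "$Cap",
}
# Client-side command names the analysis mentions.
CLIENT_COMMANDS = {"INFO", "sendPlugin"}


def split_message(text: str) -> list:
    return text.split(DELIM)


def parse_registration(text: str) -> dict:
    """Map an INFO packet onto named fields; the three flag fields become booleans."""
    fields = split_message(text)
    if not fields or fields[0] != "INFO":
        raise ValueError("not an INFO registration packet")
    if len(fields) != len(INFO_FIELDS):
        raise ValueError(f"expected {len(INFO_FIELDS)} fields, got {len(fields)}")
    record = dict(zip(INFO_FIELDS, fields))
    for name in BOOL_FIELDS:
        record[name] = record[name] == "True"
    return record


def parse_command(text: str) -> tuple:
    """Split a control command into (name, [parameters]); multi-parameter commands keep every field."""
    name, *params = split_message(text)
    return name, params


def classify(text: str) -> str:
    """Label a decrypted message by its first field."""
    name = split_message(text)[0]
    if name in CLIENT_COMMANDS:
        return "client-message"
    if name in C2_COMMANDS:
        return "c2-command"
    return "unknown"


# Sample messages as quoted in the analysis (joined here to avoid retyping the delimiter).
SAMPLE_INFO = DELIM.join([
    "INFO", "DA0F826C51434A32DFEB", "win-10", "Windows 10 Pro 64bit", "XWorm V7.1",
    "24/06/2022", "False", "False", "False", "Intel Xeon E E-2434",
    "VirtualBox Graphics Adapter (WDDM)", "7.99 GB", "Windows Defender",
])
SAMPLE_CMD = "Urlopen" + DELIM + "https://www.fortinet.com"

if __name__ == "__main__":
    for key, value in parse_registration(SAMPLE_INFO).items():
        print(f"{key:16} {value}")
    print(classify(SAMPLE_CMD), parse_command(SAMPLE_CMD))
```

The strict field count in parse_registration is intentional: a different count is the quickest hint that a sample belongs to a variant with a changed registration format and that the field map needs checking rather than trusting the labels.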
XWorm Control Commands - The following table lists the control commands sent by the C2 server to the XWorm RAT for controlling the victim’s device.
| C2 Command | Description |
|---|---|
| pong | Heartbeat packet. |
| re | Restart XWorm RAT. |
| CLOSE | Exit XWorm RAT. |
| uninstall | Uninstall XWorm RAT from the victim's machine. |
| update | Update and start a new XWorm RAT. |
| DW | Transfer and execute files (PowerShell scripts, BAT files, EXEs, etc.) on the victim's machine. |
| FM | Run a fileless module in the XWorm RAT's memory. |
| LN | Download an executable file from a given link and run it. |
| Urlopen | Show the victim a website in the default web browser. |
| Urlhide | Access a website invisibly on the victim's machine. |
| PCShutdown | Shut down the victim's machine by executing 'shutdown.exe /f /s /t 0'. |
| PCRestart | Restart the victim's machine by executing 'shutdown.exe /f /r /t 0'. |
| PCLogoff | Log off the victim's current Windows user by executing 'shutdown.exe -L'. |
| RunShell | Run Windows commands on the victim's machine. |
| StartDDos | Start a DDoS attack on a target server. The attack runs on a newly created thread and keeps sending POST requests to the targeted server. |
| StopDDos | Stop the ongoing DDoS attack. |
| StartReport | Report to the C2 server the programs whose window title matches the given keywords. The feature runs within a thread. |
| StopReport | Stop reporting. |
| Xchat | Start chatting with the victim. |
| Hosts | Read the content of the hosts file on the victim's machine. |
| Shosts | Overwrite the victim's hosts file to block or redirect specified websites. |
| DDos | Prepare the DDoS attack. |
| plugin | Load the plugin module in the XWorm RAT to enable additional features. |
| savePlugin | Transfer a plugin module onto the victim's machine, save it in the system registry, and execute it. |
| RemovePlugins | Remove plugins from the system registry. |
| OfflineGet | Obtain offline keylogger data stored in the %temp%\Log.tmp file on the victim's system. |
| $Cap | Capture a screenshot of the victim's screen. |
XWorm Plugins - Beyond the basic control commands described in the previous section, XWorm supports more complicated and extensible plugin functionality. XWorm 7.2 Pro provides more than 50 plugins to extend its capabilities. These plugins are implemented as .NET modules (DLL files) that the XWorm RAT can dynamically load to perform malicious tasks on the victim’s device.
This plugin-based architecture allows XWorm to easily extend its functionality by developing and deploying additional plugins as needed. Figure 18 shows a screenshot of a .NET debugger with the XWorm plugins loaded.
Figure 18: Display of XWorm v7.2 plugin modules loaded in a .NET debugger
Each plugin module that submits data to the C2 server can establish its own connection and send collected data directly to the server. As a result, plugins transmit data using their own command names. The server-side control commands plugin and savePlugin are used to transfer and execute the plugins on the victim’s system.
XWorm RAT extracts a compressed plugin payload from the savePlugin command parameter and saves it in the system registry. As shown in Figure 19, six plugin payloads were saved under the HKCU\SOFTWARE\{victim ID} registry subkey.
Figure 19: Plugin data saved in the system registry of a compromised device
When the XWorm RAT receives a plugin command with a plugin SHA-256 hash as a parameter, it checks the registry to determine whether the corresponding plugin already exists. If yes, XWorm RAT loads and executes it. If not, it sends the client-side sendPlugin command, along with the SHA-256 hash, to the C2 server to request the plugin.
Below is an example of a plugin control command:
plugin<Xwormmm>8665BC1B33CBE6F5859CD6E362AF77738BA73A6E6D4B9974C16C8521D84C1892
XWorm Features
Figure 20 shows an attacker-side view of the features provided by XWorm 7.2, with a connected victim device already under control.
Figure 20: Screenshot showing the features available to attackers in XWorm 7.2.
Based on its core control commands and plugins, XWorm provides the following features.
System Control
- Retrieve detailed system information from the compromised device.
- Remotely control the victim’s system using input devices (mouse and keyboard) and record the screen.
- Execute files on the victim’s device, including executables located on disk or downloaded and launched via links.
- Control the camera, microphone, and audio devices on the compromised system.
- Open websites on the victim’s system, either visibly or invisibly.
- Restrict the victim’s access to system resources, including the Windows Registry, Task Manager, firewall, UAC, Windows Update, and other system components.
- Remotely execute Windows commands on the victim’s system.
- Collect sensitive data from the victim’s device, including credentials, cookies, autofill data, login tokens, product keys, Wi-Fi keys, and more.
- Perform rootkit and bootkit capabilities.
- Manage the file system on the compromised system, including creating, copying, pasting, deleting, cutting, executing, encrypting, locking, hiding, transferring, and uploading files or folders to a specified FTP server.
- Perform all functions available in the Windows Registry Editor.
- Manage TCP connections, running processes, startup configuration, system services, clipboard data, and installed programs.
- Provide a VB.NET execution environment that allows attackers to develop, compile, and execute VB.NET code remotely.
- Shut down (power off), restart, or log off the current user from the victim’s device.
Attacks
- Control the victim’s device to launch DDoS attacks.
- Perform ransomware attacks on the compromised system.
XWorm RAT Management
- Restart, terminate, uninstall, and update the XWorm RAT running on the compromised system.
Other Capabilities
- Report the presence of application windows by matching specific keywords (for example, detecting whether the victim is watching YouTube).
- Enable text and voice chat between the attacker and the victim.
- Display advanced system performance information.
- Modify the system hosts file to block specified websites on the victim's device.
- Collect the victim’s keystroke logs, including both offline and online keylogging data.
- Display system messages to the victim.
- Support additional features such as reverse proxy, botkiller, hidden browser, hidden VNC, and disabling Windows Defender.
The following image shows an example of sensitive data harvested from a victim’s device.
Figure 21: Attacker view of sensitive data stolen from a victim's device.
Summary - This analysis investigates a phishing campaign that delivers the XWorm Remote Access Trojan (RAT) via malicious Excel attachments that exploit CVE-2018-0802. The infection chain leverages an obfuscated HTA file to run JScript and PowerShell code. A fileless .NET module is executed in the PowerShell.exe process to download and deploy the XWorm payload via process hollowing into Msbuild.exe.
Once executed, XWorm establishes encrypted communication with its command-and-control (C2) server using AES-encrypted packets. The structure of both encrypted data packets and command packets is examined in the analysis.
XWorm supports an extensive set of control commands and a modular plugin architecture, enabling advanced capabilities, including data theft, system control, ransomware, and DDoS functionality. These features highlight XWorm as a mature and highly modular threat.[1]
URLs
hxxps://retrodayaengineering[.]icu/HGG.hta
hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg
hxxp://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt
C2 Server
berlin101[.]com:6000
Relevant Sample SHA-256
[SNEV_VEND_026011406440.xlam]
EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D
[optimized_MSI_lpsd9p.jpg]
3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5
[HGG.hta / VA5.hta]
FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B
[XWorm RAT payload]
EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails/