Multi-Stage VOID#GEIST Malware Delivers XWorm, AsyncRAT, and Xeno RAT Payloads
Cybersecurity researchers have revealed a sophisticated multi-stage malware campaign utilizing batch scripts to deliver various encrypted remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT. This stealthy attack chain has been designated as VOID#GEIST by Securonix Threat Research.
Overview of the Attack Mechanism
The initial phase of the attack employs an obfuscated batch script that orchestrates the deployment of a second batch script, stages a legitimate embedded Python runtime, and decrypts encrypted shellcode blobs. This shellcode is executed directly in memory by injecting it into separate instances of “explorer.exe” using a technique known as Early Bird Asynchronous Procedure Call (APC) injection.
Researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee noted that modern malware campaigns are increasingly moving away from standalone executables. Instead, they are adopting complex, script-based delivery frameworks that closely mimic legitimate user activity.
Fileless Execution and Stealth
The fileless execution mechanism employed in this attack minimizes opportunities for disk-based detection, allowing threat actors to operate within compromised systems without triggering security alerts. Each stage of the attack appears harmless in isolation, resembling regular administrative tasks.
The attack begins with a batch script retrieved from a TryCloudflare domain and distributed via phishing emails. Once executed, it avoids privilege escalation and leverages the permissions of the currently logged-in user to establish an initial foothold, blending into seemingly innocuous administrative operations.
The initial stage serves as a launchpad, displaying a decoy PDF by launching Google Chrome in full-screen mode. This decoy, styled as a financial document or invoice, acts as a distraction that conceals the underlying activity: a PowerShell command re-executes the original batch script with the -WindowStyle Hidden parameter so that no console window is displayed.
Persistence Mechanisms
To ensure persistence across system reboots, an auxiliary batch script is placed in the Windows user’s Startup directory, ensuring it runs automatically upon user login. This method is designed to minimize the forensic footprint, operating entirely within the current user’s privilege context without modifying system-wide registry keys or creating scheduled tasks.
The researchers emphasized that this design choice reduces the likelihood of triggering privilege escalation prompts or registry-monitoring alerts.
Payload Delivery and Execution
The next phase of the attack involves the malware reaching out to a TryCloudflare domain to fetch additional payloads in ZIP archives containing multiple files:
- runn.py: A Python-based loader script responsible for decrypting and injecting encrypted shellcode payload modules into memory.
- new.bin: An encrypted shellcode payload corresponding to XWorm.
- xn.bin: An encrypted shellcode payload corresponding to Xeno RAT.
- pul.bin: An encrypted shellcode payload corresponding to AsyncRAT.
- a.json, n.json, p.json: Key files containing the decryption keys required by the Python loader to dynamically decrypt the shellcode at runtime.
Once extracted, the attack sequence deploys a legitimate embedded Python runtime downloaded directly from python[.]org. This step removes any dependency on a system-installed interpreter, allowing the malware to function even if Python is not installed on the infected endpoint.
Objectives of the Attack
The primary goal of this stage is to leverage the Python runtime to launch “runn.py,” which decrypts and executes the XWorm payload using Early Bird APC injection. The malware also utilizes a legitimate Microsoft binary, “AppInstallerPythonRedirector.exe,” to invoke Python and launch Xeno RAT. In the final stage, the Python loader employs the same injection mechanism to launch AsyncRAT.
The infection chain culminates in the malware transmitting a minimal HTTP beacon back to attacker-controlled command-and-control (C2) infrastructure hosted on TryCloudflare, confirming the infection. The specific targets of the attack and any successful compromises remain unknown.
The researchers highlighted that this repeated injection pattern reinforces the modular architecture of the framework. Instead of delivering a single monolithic payload, the attacker deploys components incrementally, enhancing flexibility and resilience. From a detection perspective, repeated process injection into explorer.exe within short time frames serves as a strong behavioral indicator correlating across various stages of the attack.
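The behavioral indicator described above can be turned into a simple correlation rule. The following is an added example, not code from the Securonix report or from the campaign itself: it runs over constructed process-access telemetry (the field names and sample values are assumptions) and flags any source process that injects into explorer.exe repeatedly within a short sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, not taken from the report. Each record models a
# process-access event as a Sysmon- or EDR-style sensor would log it: timestamp,
# the process that opened the handle / queued the APC, and the target process.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:00:00", "source": "python.exe",  "target": "explorer.exe"},  # old, outside window
    {"ts": "2025-01-10T09:00:01", "source": "python.exe",  "target": "explorer.exe"},  # stage 1 (XWorm)
    {"ts": "2025-01-10T09:00:10", "source": "svchost.exe", "target": "explorer.exe"},  # benign, single event
    {"ts": "2025-01-10T09:00:40", "source": "python.exe",  "target": "explorer.exe"},  # stage 2 (Xeno RAT)
    {"ts": "2025-01-10T09:01:05", "source": "python.exe",  "target": "notepad.exe"},   # not explorer, ignored
    {"ts": "2025-01-10T09:02:15", "source": "python.exe",  "target": "explorer.exe"},  # stage 3 (AsyncRAT)
]


def detect_repeated_explorer_injection(events, window_seconds=300, threshold=3):
    """Flag source processes that inject into explorer.exe `threshold` or more
    times within any sliding window of `window_seconds`.

    Returns {source_process: peak_count_seen_inside_one_window}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> timestamps of explorer.exe hits still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["target"].lower() != "explorer.exe":
            continue
        src = ev["source"].lower()
        ts = datetime.fromisoformat(ev["ts"])
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:  # evict hits that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(hits))
    return alerts


if __name__ == "__main__":
    for src, count in detect_repeated_explorer_injection(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} injected into explorer.exe {count} times within 5 minutes")
```

In a real deployment the source field would be the full image path, so the embedded interpreter staged in a user-writable directory stands out from a system-installed Python.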
For further details, refer to the report on thehackernews.com.