JScript to PowerShell: Breaking Down a Loader Delivering XWorm and Rhadamanthys

April 16, 2025, 1:21 p.m.

Description

This analysis examines a sophisticated malware loader that uses JScript to launch obfuscated PowerShell code, ultimately delivering payloads such as XWorm and Rhadamanthys. The loader geofences its victims: targets in the United States receive the XWorm RAT, while users outside the U.S. receive the Rhadamanthys stealer. The attack chain involves multiple stages of obfuscation and deobfuscation, including decimal encoding and string manipulation. The final payload is injected into RegSvcs.exe using reflective loading techniques. The loader also performs various cleanup actions to evade detection and remove traces of its activity. Both XWorm and Rhadamanthys are advanced malware families with capabilities ranging from DDoS attacks to cryptocurrency theft.
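As an added example that is not part of the report, the following detection logic runs over constructed process-creation events and flags the execution chain the description lays out: a script host running JScript spawns PowerShell, which in turn launches RegSvcs.exe. The event field names, process IDs and image paths are assumptions made for this example.

```python
# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Field names, pids and paths are assumptions for this example, not from the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that execute JScript
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGET = "regsvcs.exe"                # process the payload is injected into

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the given process upward to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_loader_chains(events):
    """Return (pid, chain) for every RegSvcs.exe whose parent is PowerShell
    and whose grandparent is a script host: the loader's launch pattern."""
    hits = []
    for e in events:
        if basename(e["image"]) != INJECTION_TARGET:
            continue
        chain = ancestry(events, e["pid"])
        if len(chain) >= 3 and chain[1] in POWERSHELL and chain[2] in SCRIPT_HOSTS:
            hits.append((e["pid"], " <- ".join(chain[:3])))
    return hits


if __name__ == "__main__":
    for pid, chain in find_loader_chains(SAMPLE_EVENTS):
        print(f"suspicious chain (pid {pid}): {chain}")
```

RegSvcs.exe launched directly from the desktop shell (pid 700) is not flagged, so the rule keys on the full lineage rather than on the binary alone.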

Date

  • Created: April 16, 2025, 5:57 a.m.
  • Published: April 16, 2025, 5:57 a.m.
  • Modified: April 16, 2025, 1:21 p.m.

Indicators

  • ba259ee618d3514db28b407a9aad22347f3473f2539153cdadb407f5c59745a1
  • 86.54.42.215
  • 7000linknewembes.blogspot.com
  • allhoteldirectlunk.blogspot.com

Attack Patterns

Additional Information

  • United States of America