Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts
Sept. 11, 2025, 5:44 p.m.
Description
A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute PowerShell-based loaders that inject RAT payloads directly into memory, enabling fileless execution. The campaign also employs SVG files with embedded JavaScript to trigger the malware download, exploiting non-traditional file formats to evade detection. The infection process involves multiple stages, including persistence mechanisms, PowerShell script execution, and the use of loaders to decrypt and deploy the final payload. This evolving threat landscape highlights the need for advanced security measures to counter such sophisticated attacks.
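The description above names two detection points a defender can act on directly: the SHA-256 indicators listed on this page, and SVG files that carry embedded JavaScript (script elements, event-handler attributes, `javascript:` links). The following Python is an added example, not code from the report or from any vendor tooling; it hashes a file against the page's indicators and statically inspects SVG content for scripting constructs. The two sample SVG documents are constructed for the example and contain no real payload.

```python
import hashlib
import xml.etree.ElementTree as ET

# SHA-256 indicators as listed on this page (the two hashes in the Indicators section).
INDICATORS = {
    "e950e432d247a5946c86e519f0a115649792991711220af2793193132a6e2d95",
    "d5fd45cdf170b6dd603e6f4e94768d575119b6520c3a0b5ce22ca679abeb1c7f",
}


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def matches_indicator(data: bytes) -> bool:
    """True if the file's hash is one of the listed indicators."""
    return sha256_hex(data) in INDICATORS


def svg_script_findings(data: bytes) -> list:
    """Statically inspect an SVG for constructs that can execute script.

    Returns a list of human-readable findings; an empty list means none were seen.
    ElementTree's expat parser does not resolve external entities by default; for
    untrusted input at scale, the defusedxml package is the safer drop-in.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that claims to be SVG but is not well-formed XML is itself worth a look.
        return [f"unparseable XML: {exc}"]

    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop the namespace prefix
        if tag == "script":
            findings.append("script element")
        if tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML content)")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()  # handles xlink:href as well as href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings


def triage(data: bytes, is_svg: bool) -> str:
    """Classify a file: known indicator, suspicious SVG, or nothing found."""
    if matches_indicator(data):
        return "known-indicator"
    if is_svg and svg_script_findings(data):
        return "suspicious-svg"
    return "no-finding"


# Constructed sample inputs (not artefacts from the campaign).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)

SUSPECT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<script>/* constructed placeholder, no payload */</script>'
    b'<a xlink:href="javascript:void(0)"><text y="20">open</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, triage(sample, is_svg=True), svg_script_findings(sample))
```

Hash matching only catches the exact samples already reported, so the SVG inspection is the part that generalises: it flags the scripting constructs regardless of how the file is named or where it was served from. Running it at the mail gateway or on download directories gives a cheap signal ahead of the BAT and PowerShell stages described above.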
Tags
Date
- Created: Sept. 11, 2025, 4:40 p.m.
- Published: Sept. 11, 2025, 4:40 p.m.
- Modified: Sept. 11, 2025, 5:44 p.m.
Indicators
- e950e432d247a5946c86e519f0a115649792991711220af2793193132a6e2d95
- d5fd45cdf170b6dd603e6f4e94768d575119b6520c3a0b5ce22ca679abeb1c7f