XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis
Sept. 29, 2025, 8:53 a.m.
Description
This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload. This payload is a .NET binary that reflectively loads a DLL into memory. The DLL, heavily obfuscated and encrypted, injects another DLL using reflective injection. The final stage involves process injection into the main executable, establishing persistence and exfiltrating data to Command & Control servers associated with the XWorm family. The attack chain demonstrates advanced evasion techniques, including the use of shellcode, steganography, and multiple stages of reflective DLL injection.
Date
- Created: Sept. 29, 2025, 8:09 a.m.
- Published: Sept. 29, 2025, 8:09 a.m.
- Modified: Sept. 29, 2025, 8:53 a.m.
Indicators
- 158.94.209.180
- http://alpinreisan1.com/HGX.exe
- http://alpinreisan1.com/HGR.exe
- http://alpinreisan1.com/UXO.exe
- filesberlin101.com
- alpinreisan1.com
- berlin101.com