Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

Published: March 6, 2026 at 09:33 AM EST

Source: The Hacker News


Cybersecurity researchers have disclosed details of a multi‑stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote‑access‑trojan (RAT) payloads that correspond to **XWorm**, **AsyncRAT**, and **Xeno RAT**.

- XWorm → https://thehackernews.com/2025/10/xworm-60-returns-with-35-plugins-and.html  
- AsyncRAT → https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.html  
- Xeno RAT → https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.html  

The stealthy attack chain has been codenamed **VOID#GEIST** by Securonix Threat Research.

### High‑level Overview  

1. An obfuscated batch script deploys a second batch script.  
2. It stages a legitimate embedded Python runtime.  
3. It decrypts encrypted shellcode blobs.  
4. The shellcode is injected **in‑memory** into separate instances of `explorer.exe` using **Early Bird Asynchronous Procedure Call (APC) injection** (MITRE ATT&CK T1055.004).

> “Modern malware campaigns increasingly shift from standalone executables toward complex, script‑based delivery frameworks that closely mimic legitimate user activity,” said researchers **Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee** in a technical report shared with *The Hacker News*.


> “Rather than deploying traditional PE binaries, attackers leverage modular pipelines comprising batch scripts for orchestration, PowerShell for stealthy staging, legitimate embedded runtimes for portability, and raw shellcode executed directly in memory for persistence and control.”

This **fileless execution** mechanism minimizes disk‑based detection opportunities, allowing threat actors to operate within compromised systems without triggering security alerts. Each stage appears harmless in isolation and resembles regular administrative activity.

### Initial Infection Vector  

- The first batch script is fetched from a **TryCloudflare** domain and distributed via phishing emails.  
- It runs under the privileges of the currently logged‑in user (no escalation).  
- A decoy PDF is displayed by launching Google Chrome in full‑screen, serving as a visual distraction.  
- The batch script then re‑executes itself via PowerShell using the `-WindowStyle Hidden` parameter to hide the console window.


### Persistence  

- An auxiliary batch script is copied to the **Windows user’s Startup directory**.  
- It runs automatically each time the user logs in.  
- No system‑wide registry keys, scheduled tasks, or services are created, keeping the forensic footprint minimal.

> “Technically, this persistence method operates entirely within the current user’s privilege context. It does not modify system‑wide registry keys, create scheduled tasks, or install services. Instead, it relies on standard user‑level startup behavior, which requires no elevation and generates minimal security friction.” – Securonix researchers

### Second‑stage Payload Delivery  

The batch script contacts the TryCloudflare domain again to download a ZIP archive containing:

| File | Description |
|------|-------------|
| **runn.py** | Python loader that decrypts and injects encrypted shellcode modules into memory |
| **new.bin** | Encrypted shellcode payload for **XWorm** |
| **xn.bin** | Encrypted shellcode payload for **Xeno RAT** |
| **pul.bin** | Encrypted shellcode payload for **AsyncRAT** |
| **a.json**, **n.json**, **p.json** | JSON files holding decryption keys used by `runn.py` |

After extraction, the attack chain **stages a legitimate embedded Python runtime** directly from `python.org`. This approach:

- Removes any dependency on a pre‑installed Python interpreter, so the malware runs even on systems without Python.  

“From the attacker’s perspective, the objectives of this stage are portability, reliability, and stealth,” Securonix said. “By embedding a legitimate interpreter into the staging directory, the malware transforms itself into a fully self‑contained execution environment capable of decrypting and injecting payload modules without relying on external system components.”

The main goal of the attack is to leverage the Python runtime to launch `runn.py`, which then decrypts and runs the XWorm payload using Early Bird APC injection. The malware also makes use of a legitimate Microsoft binary, `AppInstallerPythonRedirector.exe`, to invoke Python and launch Xeno RAT. In the last stage, the Python loader uses the same injection mechanism to launch AsyncRAT.

The infection chain culminates with the malware transmitting a minimal HTTP beacon back to attacker‑controlled C2 infrastructure hosted on TryCloudflare to confirm the digital break‑in. It’s currently not known who the targets of the attack were, nor whether any successful compromises have occurred.

“This repeated injection pattern reinforces the modular architecture of the framework. Instead of delivering a single monolithic payload, the attacker deploys components incrementally, improving flexibility and resilience,” Securonix said. “From a detection standpoint, repeated process injection into explorer.exe within short time windows is a strong behavioral indicator that correlates across stages of the attack.”
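As an added example (not from the article or from Securonix), a small Python detector for the correlation heuristic in the quote above: it groups process-injection events targeting `explorer.exe` into short time windows and alerts when several distinct `explorer.exe` instances are hit within one window. The event schema and the sample events are constructed for illustration and do not reproduce any real EDR format.

```python
"""Behavioral detection for repeated injection into explorer.exe.

Input is a constructed, simplified telemetry format (not a real EDR schema):
one JSON object per line with a timestamp, the injecting (source) image,
and the target image and PID.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events modelled on the staged campaign: a Python loader
# and a redirector binary each injecting into a different explorer.exe
# instance within about a minute, plus unrelated noise and a lone later hit.
SAMPLE_EVENTS = """\
{"ts": "2026-03-06T09:30:01", "source": "python.exe", "target": "explorer.exe", "target_pid": 4120}
{"ts": "2026-03-06T09:30:02", "source": "svchost.exe", "target": "notepad.exe", "target_pid": 5501}
{"ts": "2026-03-06T09:30:25", "source": "AppInstallerPythonRedirector.exe", "target": "explorer.exe", "target_pid": 4188}
{"ts": "2026-03-06T09:30:58", "source": "python.exe", "target": "explorer.exe", "target_pid": 4260}
{"ts": "2026-03-06T11:15:00", "source": "python.exe", "target": "explorer.exe", "target_pid": 7001}
"""

WINDOW = timedelta(seconds=120)  # "short time window"; tune per environment
MIN_INSTANCES = 2                # distinct explorer.exe PIDs injected into


def parse_events(text):
    """Parse JSON-lines telemetry and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_injection_clusters(events, target="explorer.exe",
                            window=WINDOW, min_instances=MIN_INSTANCES):
    """Group injections into `target` by time window (measured from the first
    event of each group) and return the groups that hit enough distinct PIDs."""
    hits = [e for e in events if e["target"].lower() == target]
    clusters, current = [], []
    for e in hits:
        if current and e["ts"] - current[0]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    alerts = []
    for c in clusters:
        pids = {e["target_pid"] for e in c}
        if len(pids) >= min_instances:
            alerts.append({"first": c[0]["ts"], "last": c[-1]["ts"],
                           "target_pids": sorted(pids),
                           "sources": sorted({e["source"] for e in c})})
    return alerts


if __name__ == "__main__":
    for a in find_injection_clusters(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['first']}..{a['last']} explorer.exe PIDs "
              f"{a['target_pids']} injected from {a['sources']}")
```

On the sample, the three injections within 57 seconds produce a single alert naming three explorer.exe PIDs and both source images, while the isolated event at 11:15 does not.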
