Researchers Uncover Advanced Script-Based Malware Framework
Cybersecurity analysts have uncovered a sophisticated malware operation that uses batch scripts and Python-based loaders to deploy multiple remote access trojans (RATs), including XWorm, AsyncRAT, and Xeno RAT.
The campaign, which researchers have named VOID#GEIST, relies on a multi-stage attack structure designed to remain hidden while gradually installing malware components on compromised systems.
Security experts from Securonix Threat Research say the attackers are moving away from dropping compiled malware executables on disk and instead rely on script-based techniques that blend into normal system activity.
How the Malware Attack Works
The attack begins with a heavily obfuscated batch script that acts as the entry point for the infection. Once executed, it launches additional scripts and prepares the system for further stages of the attack.

The malware then:
- Loads a second batch script
- Installs a portable Python runtime environment
- Decrypts encrypted shellcode payloads
- Executes malicious code directly in memory
Instead of writing the decrypted payload to disk, the loader injects it into explorer.exe using Early Bird Asynchronous Procedure Call (APC) injection. In the Early Bird variant, the loader creates the target process in a suspended state, queues the shellcode as an APC on its main thread, and then resumes the thread, so the payload runs before the process reaches its own entry point and before many user-mode security hooks are in place.
Because the code runs inside what looks like the legitimate Windows shell, a glance at the process list shows nothing unusual; the telltale signs are in process lineage and cross-process memory access, not in the process name.
Fileless Execution Helps Attackers Avoid Detection
Modern cyber threats increasingly rely on fileless malware techniques that avoid leaving obvious traces on a system.
In this campaign, several tools work together to maintain stealth:
- Batch scripts coordinate the attack stages
- PowerShell commands launch later stages without a visible window
- Python scripts decrypt and launch the malware payloads
- Shellcode runs directly in memory
Because the payloads exist on disk only in encrypted form and are decrypted and executed in memory, file-based scanning has little to inspect. Detection has to rely on behaviour: which process started which, and which process opened another process's memory for writing.
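The following is an added example, not code from Securonix or from the campaign, showing what those behavioural checks look like in practice. It runs two rules over a constructed set of Sysmon-style events: Event ID 1 (process creation) flags an explorer.exe whose parent is not userinit.exe or explorer.exe, and a python.exe running from a user-writable path; Event ID 10 (process access) flags a script host taking write or thread-creation rights on explorer.exe, and counts how often the same source process does so, since repeated injections into explorer.exe are the indicator the researchers highlight. All paths, PIDs and access masks are fabricated; pythonw.exe is added to the interpreter list as an assumption, and AppInstallerPythonRedirector.exe is included because the article names it as a launcher later on.

```python
"""Behavioural checks for the explorer.exe injection chain described above.

Added example for this article, not code from Securonix or from the campaign.
Input is a CONSTRUCTED list of Sysmon-style events: Event ID 1 (process
create) and Event ID 10 (process access). Field names follow Sysmon's schema;
paths, PIDs and access masks are made up for illustration.
"""
from collections import Counter

# Windows PROCESS_* access rights as they appear in Sysmon EID 10 GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Interpreters and launchers the article ties to this campaign. pythonw.exe is
# added as the windowless twin of python.exe (assumption, not in the article).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "appinstallerpythonredirector.exe",
                "cmd.exe", "powershell.exe"}
# explorer.exe is normally started by userinit.exe at logon, or by itself.
EXPLORER_NORMAL_PARENTS = {"userinit.exe", "explorer.exe"}
# Locations a standard user can write to; a Python runtime here is suspect.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """EID 1: explorer.exe with an odd parent, or python.exe from a user dir."""
    findings = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if image == "explorer.exe" and parent not in EXPLORER_NORMAL_PARENTS:
        findings.append(
            f"explorer.exe (pid {ev['ProcessId']}) started by {parent} "
            f"(pid {ev['ParentProcessId']}): Early Bird suspended-process candidate")
    if image in ("python.exe", "pythonw.exe") and \
            ev["Image"].lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"python interpreter running from user-writable path {ev['Image']}")
    return findings


def check_process_access(ev):
    """EID 10: a script host obtaining write/thread rights on explorer.exe."""
    granted = int(ev["GrantedAccess"], 16)
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if tgt == "explorer.exe" and src in SCRIPT_HOSTS and granted & INJECT_MASK:
        return [f"{src} (pid {ev['SourceProcessId']}) opened explorer.exe "
                f"(pid {ev['TargetProcessId']}) with access 0x{granted:x}"]
    return []


def correlate(events):
    """Run the per-event rules and count injection-style handles per source PID.

    Returns (findings, per_source); per_source maps a source PID to the number
    of write/thread handles it took on explorer.exe.
    """
    findings, per_source = [], Counter()
    for ev in events:
        if ev["EventID"] == 1:
            findings += check_process_create(ev)
        elif ev["EventID"] == 10:
            hits = check_process_access(ev)
            findings += hits
            if hits:
                per_source[ev["SourceProcessId"]] += 1
    for pid, n in per_source.items():
        if n > 1:
            findings.append(f"pid {pid} took write/thread access to explorer.exe "
                            f"{n} times: repeated injection")
    return findings, dict(per_source)


PY = r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe"   # fabricated path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "Image": PY, "ProcessId": "4120",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": "3300"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ProcessId": "5000",
     "ParentImage": PY, "ParentProcessId": "4120"},
    {"EventID": 10, "SourceImage": PY, "SourceProcessId": "4120",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "5000",
     "GrantedAccess": "0x1FFFFF"},
    # benign: explorer.exe started by userinit.exe at logon
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ProcessId": "2100",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "ParentProcessId": "2050"},
    # benign: cmd.exe only queries explorer.exe (PROCESS_QUERY_* rights, 0x1400)
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\cmd.exe", "SourceProcessId": "3300",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "2100",
     "GrantedAccess": "0x1400"},
    # a second suspended explorer.exe for the next RAT
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ProcessId": "5016",
     "ParentImage": PY, "ParentProcessId": "4120"},
    {"EventID": 10, "SourceImage": PY, "SourceProcessId": "4120",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "5016",
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS)[0]:
        print(line)
```

On real telemetry the same rules translate directly into a SIEM query: EID 1 where Image ends in explorer.exe and ParentImage is not userinit.exe or explorer.exe, and EID 10 where TargetImage is explorer.exe and GrantedAccess has any of 0x2, 0x8 or 0x20 set from a source outside the expected set of system binaries.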
Phishing Emails Used as Entry Point
The infection typically starts with phishing emails that contain links to malicious scripts hosted on TryCloudflare domains. TryCloudflare is Cloudflare's free quick-tunnel service, so the links carry a *.trycloudflare.com host name with a valid certificate on a widely trusted domain, which helps them pass URL reputation checks and casual user scrutiny.
Once the victim launches the downloaded batch script, the malware quietly begins executing commands in the background.
To distract the user, the malware opens a fake financial document or invoice in Google Chrome running in full-screen mode. While the victim views the document, hidden scripts continue installing the malware.
Persistence Through Startup Folder
To maintain access to the infected computer, the attackers place an additional script in the user's Startup folder (on Windows, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
Windows runs everything in that folder when the user logs in, so the malware restarts automatically with every logon.
Unlike many advanced threats, this campaign avoids modifying registry Run keys or installing services, the locations most persistence detections watch. It relies only on a user-level startup entry, which needs no elevated privileges and triggers fewer alerts. The trade-off for the attacker is visibility: anyone who lists the Startup folder sees the script, so checking that folder is a cheap first triage step.
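The check described above, as an added example that is not tooling from the Securonix report: it lists a Startup folder, records the hash and modification time of every file that could execute code at logon, and greps scripts (and .lnk shortcuts, whose targets are stored as UTF-16) for strings tied to this campaign such as trycloudflare, a hidden PowerShell window or a python.exe invocation. The audit function takes any directory so it can run against a live host or a collected copy; the helper that builds the standard Windows paths from environment variables and the sample folder it audits are constructed for illustration.

```python
"""Audit Startup folders for script-based persistence of the kind described above.

Added example, not tooling from the Securonix report. audit_startup_folder()
takes any directory so it can run on a live host or a collected copy;
windows_startup_folders() builds the two standard locations from environment
variables. The folder built by make_constructed_sample() is fabricated.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Extensions that turn a Startup entry into code execution at logon.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".py"}
# Strings worth a second look inside such a file. trycloudflare, a hidden
# PowerShell window and a Python interpreter come from this campaign's
# description; the rest are generic stager patterns.
SUSPICIOUS = re.compile(
    r"trycloudflare|-w(?:indowstyle)?\s+hidden|powershell|python(?:w)?\.exe|"
    r"curl|certutil|bitsadmin|invoke-webrequest|wscript|mshta", re.I)


def windows_startup_folders():
    """Per-user and all-users Startup folders; empty list outside Windows."""
    folders = []
    if "APPDATA" in os.environ:
        folders.append(os.path.join(os.environ["APPDATA"],
                                    r"Microsoft\Windows\Start Menu\Programs\Startup"))
    if "PROGRAMDATA" in os.environ:
        folders.append(os.path.join(os.environ["PROGRAMDATA"],
                                    r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return folders


def audit_startup_folder(folder):
    """Return one record per file that could execute code at logon."""
    findings = []
    if not os.path.isdir(folder):
        return findings
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or name.lower() == "desktop.ini":
            continue
        ext = os.path.splitext(name)[1].lower()
        with open(path, "rb") as fh:
            data = fh.read()
        # .lnk shortcuts store their target as UTF-16; scripts are usually
        # 8-bit text, so search both decodings.
        text = data.decode("utf-8", "ignore") + data.decode("utf-16-le", "ignore")
        tokens = sorted({m.lower() for m in SUSPICIOUS.findall(text)})
        reasons = []
        if ext in SCRIPT_EXTS:
            reasons.append("script file in Startup folder")
        elif ext == ".lnk":
            reasons.append(".lnk shortcut: verify its target")
        if tokens:
            reasons.append("contains " + ", ".join(tokens))
        if reasons:
            findings.append({
                "path": path, "ext": ext, "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "mtime_utc": datetime.fromtimestamp(
                    os.path.getmtime(path), timezone.utc).isoformat(),
                "tokens": tokens, "reasons": reasons})
    return findings


def make_constructed_sample():
    """Fabricated Startup folder: one launcher script, two harmless files."""
    d = tempfile.mkdtemp(prefix="startup_sample_")
    with open(os.path.join(d, "update.bat"), "wb") as fh:
        fh.write(b'@echo off\r\nstart "" /min powershell -w hidden -c '
                 b'"%APPDATA%\\pyrt\\python.exe %APPDATA%\\st\\runn.py"\r\n')
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes, nothing executable\n")
    with open(os.path.join(d, "desktop.ini"), "wb") as fh:
        fh.write(b"[.ShellClassInfo]\n")
    return d


def demo():
    return audit_startup_folder(make_constructed_sample())


if __name__ == "__main__":
    for folder in windows_startup_folders() or [make_constructed_sample()]:
        for rec in audit_startup_folder(folder):
            print(rec["path"], rec["sha256"][:16], rec["reasons"])
```

Run it for every interactive user profile, not just the current one, and treat any .lnk hit as unresolved until its target path has been checked by hand.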

Additional Payloads Downloaded From the Internet
During later stages of the attack, the infected system connects to attacker-controlled infrastructure hosted on TryCloudflare to download additional files packaged inside ZIP archives.
These files include:
- runn.py – a Python loader responsible for decrypting malware payloads
- new.bin – encrypted shellcode containing XWorm
- xn.bin – encrypted shellcode for Xeno RAT
- pul.bin – encrypted shellcode linked to AsyncRAT
- JSON key files used to decrypt the payloads during execution
Once downloaded, the files are extracted and prepared for execution.
Embedded Python Runtime Enables Portable Malware
One of the more unusual aspects of the campaign is the use of a portable Python interpreter downloaded directly from the official Python website.
This allows the malware to operate even if Python is not installed on the victim's system.
Because the runtime is an unmodified, legitimate download, hash- and reputation-based controls have no reason to block it; the interpreter is benign on its own. By shipping it alongside the loader, the attackers get a self-contained execution framework that decrypts and launches payloads without depending on the victim's software setup. What gives it away is context: a python.exe running from a temporary or user-profile directory, started by a batch or PowerShell script, is not how Python normally appears on a workstation.
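An added example, not the researchers' tooling, that sweeps a directory tree for the framework described in this and the previous section: an embedded interpreter next to loader, encrypted payload and key files. The file names runn.py, new.bin, xn.bin and pul.bin come from the article. The runtime fingerprint (python.exe beside a python3XX.dll) assumes the attackers used the official Windows embeddable package, which is an assumption, not something the article states. Unnamed .bin files are scored by Shannon entropy, since encrypted shellcode looks close to random while ordinary data does not; .json files are reported only when a known loader sits in the same directory. The tree it scans is fabricated.

```python
"""Sweep user-writable directories for an embedded Python runtime plus loader,
encrypted payload and key files.

Added example, not the researchers' tooling. Known file names come from the
article; the runtime fingerprint assumes the official Windows embeddable
package (assumption). The tree built by make_constructed_tree() is fabricated.
"""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

KNOWN_NAMES = {"runn.py", "new.bin", "xn.bin", "pul.bin"}   # from the article
RUNTIME_DLL = re.compile(r"^python3\d+\.dll$", re.I)
ENTROPY_THRESHOLD = 7.2   # bits/byte; encrypted or compressed data sits near 8


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_embedded_runtime(filenames):
    """python.exe next to a python3XX.dll is the embeddable-package layout."""
    lower = {f.lower() for f in filenames}
    return "python.exe" in lower and any(RUNTIME_DLL.match(f) for f in lower)


def sweep(root):
    """Walk root and return a list of hits, each tagged with a kind."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        if is_embedded_runtime(filenames):
            hits.append({"kind": "embedded-python-runtime", "path": dirpath,
                         "files": sorted(f for f in filenames if f.lower().startswith("python"))})
        has_loader = any(f.lower() in KNOWN_NAMES and f.lower().endswith(".py") for f in filenames)
        for fn in sorted(filenames):
            full, low = os.path.join(dirpath, fn), fn.lower()
            ext = os.path.splitext(low)[1]
            if low in KNOWN_NAMES:
                hits.append({"kind": "known-filename", "path": full, "sha256": sha256_file(full)})
            elif ext == ".bin":
                with open(full, "rb") as fh:
                    head = fh.read(1 << 16)
                ent = shannon_entropy(head)
                if len(head) >= 256 and ent >= ENTROPY_THRESHOLD:
                    hits.append({"kind": "high-entropy-bin", "path": full,
                                 "entropy": round(ent, 2), "sha256": sha256_file(full)})
            elif ext == ".json" and has_loader:
                hits.append({"kind": "key-file-candidate", "path": full, "sha256": sha256_file(full)})
    return hits


def make_constructed_tree():
    """Fabricated staging layout; file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="sweep_sample_")

    def put(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

    put("pyrt/python.exe", b"MZ placeholder")
    put("pyrt/python312.dll", b"MZ placeholder")
    put("pyrt/python312.zip", b"PK placeholder")
    # ciphertext stand-in: a byte permutation repeated 16 times (entropy 8.0)
    cipher = bytes((i * 131 + 7) % 256 for i in range(4096))
    put("stage/runn.py", b"# fabricated loader\n")
    put("stage/new.bin", cipher)
    put("stage/extra.bin", cipher[::-1])
    put("stage/keys.json", b'{"k": "fabricated"}')
    put("docs/report.bin", b"\x00" * 4096)   # low entropy: must not trip the rule
    put("docs/config.json", b"{}")           # no loader beside it: must not trip
    return root


def demo():
    return sweep(make_constructed_tree())


if __name__ == "__main__":
    for h in demo():
        print(h["kind"], h["path"])
```

On a Windows host point sweep() at %LOCALAPPDATA%, %APPDATA%, %TEMP%, %PROGRAMDATA% and the Downloads folder; the hashes of known-filename hits are what you share as indicators, while the runtime itself should not be submitted as malicious since it is a clean python.org build.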

Multiple RATs Deployed in Final Stage
After the environment is prepared, the Python loader begins launching the RAT payloads.
Each RAT is injected into memory using the same Early Bird APC injection technique.
The deployment sequence includes:
- XWorm executed through the Python loader
- Xeno RAT launched using a legitimate Microsoft binary called AppInstallerPythonRedirector.exe (the App Installer component behind the python.exe app execution alias that points users to the Microsoft Store)
- AsyncRAT deployed through another injection process
Once active, these RATs give attackers remote access to the compromised machine.
Communication With Command-and-Control Servers
After successfully installing the malware, the infected system sends a short HTTP request (a check-in beacon) to attacker-controlled servers to confirm the compromise.
These command-and-control servers are also reached through TryCloudflare tunnels. Because tunnel traffic terminates at Cloudflare's edge, the destination IP addresses belong to Cloudflare and are shared with legitimate sites, so blocking or hunting by IP is ineffective; the *.trycloudflare.com host name in DNS or proxy logs is the usable indicator.
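An added example, not code from the report, that applies that observation to Sysmon telemetry: it flags DNS queries (Event ID 22) for *.trycloudflare.com and attributes them to the querying process, then matches later network connections (Event ID 3) on port 80 or 443 back to the tunnel host, but only when the same process ID made the DNS query, because Cloudflare edge IPs are shared and a connection from another process to the same address proves nothing. The log lines are constructed in a flat key=value form with no spaces inside values; the host names, PIDs and addresses (documentation ranges standing in for Cloudflare's) are made up.

```python
"""Flag TryCloudflare quick-tunnel traffic in Sysmon DNS and network events.

Added example, not code from the report. Input lines are CONSTRUCTED in a flat
key=value form (Event ID 22 DNS query, Event ID 3 network connection); values
contain no spaces. Host names, PIDs and IPs are fabricated. TryCloudflare is a
legitimate Cloudflare service, so the output is a triage list, not a block list.
"""
import re
from collections import defaultdict

TUNNEL_SUFFIX = ".trycloudflare.com"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_kv(line):
    """'A=b C=d' -> dict (constructed format: no spaces inside values)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return (findings, hosts_by_process) for tunnel host names seen."""
    findings, resolved, by_proc = [], {}, defaultdict(set)
    for line in lines:
        ev = parse_kv(line)
        eid, proc, pid = ev.get("EventID"), basename(ev.get("Image", "")), ev.get("ProcessId")
        if eid == "22":
            host = ev.get("QueryName", "").lower().rstrip(".")
            if host.endswith(TUNNEL_SUFFIX):
                by_proc[proc].add(host)
                findings.append(f"DNS: {proc} (pid {pid}) resolved {host}")
                # Remember answers per (pid, ip): the IPs are Cloudflare's and
                # shared, so only the querying process may be attributed to them.
                for ip in IPV4.findall(ev.get("QueryResults", "")):
                    resolved[(pid, ip)] = host
        elif eid == "3":
            ip, port = ev.get("DestinationIp"), ev.get("DestinationPort")
            host = resolved.get((pid, ip))
            if host and port in ("80", "443"):
                by_proc[proc].add(host)
                tag = "browser" if proc in BROWSERS else "NON-BROWSER"
                findings.append(f"NET: {tag} {proc} (pid {pid}) -> {host} ({ip}:{port})")
    return findings, {p: sorted(h) for p, h in by_proc.items()}


PY = r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe"                 # fabricated
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"
SAMPLE_LINES = [  # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    f"EventID=22 Image={PY} ProcessId=4120 QueryName=quiet-lamp-example.trycloudflare.com "
    "QueryResults=::ffff:198.51.100.10;::ffff:198.51.100.11;",
    f"EventID=3 Image={PY} ProcessId=4120 DestinationIp=198.51.100.10 DestinationPort=443",
    f"EventID=22 Image={CHROME} ProcessId=2200 QueryName=www.example.com "
    "QueryResults=::ffff:203.0.113.5;",
    f"EventID=3 Image={CHROME} ProcessId=2200 DestinationIp=203.0.113.5 DestinationPort=443",
    r"EventID=22 Image=C:\Windows\explorer.exe ProcessId=5000 "
    "QueryName=steady-canal-example.trycloudflare.com QueryResults=::ffff:198.51.100.12;",
    r"EventID=3 Image=C:\Windows\explorer.exe ProcessId=5000 DestinationIp=198.51.100.12 "
    "DestinationPort=80",
    # another process reaching the same shared edge IP: not attributed, no finding
    r"EventID=3 Image=C:\Windows\System32\svchost.exe ProcessId=1000 "
    "DestinationIp=198.51.100.10 DestinationPort=443",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES)[0]:
        print(f)
```

The explorer.exe hit is the interesting one: the shell talking HTTP to a quick-tunnel host is exactly what an injected RAT beacon looks like, and the DNS query gives you the host name to pivot on across the estate.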
At the moment, researchers have not confirmed which organizations were targeted or how many systems may have been compromised.
Why This Attack Is Concerning
Security experts say the modular design of the attack makes it particularly effective.
Instead of delivering one large malware file, the attackers install components gradually. This step-by-step approach improves flexibility and reduces the chance of detection.
Researchers note that repeated code injection into explorer.exe processes is a strong behavioral indicator of this type of malware activity, particularly when the injecting process is a Python interpreter running from a user-writable location rather than a standard installation path.

