Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

MITRE Techniques

• [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell is used to interpret commands, decode Base64 strings, decrypt and execute embedded payloads in memory. Quote: ‘This PowerShell command runs the script by decoding a Base64 encoded string and executing it in the memory.’
• [T1106 ] Execution Through API – The script uses .NET APIs (Assembly.Load, Invoke) to load and run decrypted .NET assemblies directly in memory. Quote: ‘Assembly.Load followed by .EntryPoint.Invoke, allowing the loader to run managed code without writing the executable to disk.’
• [T1027 ] Obfuscated Files or Information – Payloads are Base64 encoded, AES-encrypted, and compressed to bypass static detections. Quote: ‘Payloads are Base64 encoded, AES-encrypted, and compressed to bypass static detections.’
• [T1140 ] Deobfuscate/Decode Files or Information – The script decodes, decrypts and decompresses payloads from BAT file comments before execution. Quote: ‘It attempts to decode the Base64 string into a byte array…then converts it into a Unicode string…which is then executed in memory.’
• [T1055.012 ] Process Injection: .NET Assembly Injection – Decrypted .NET assemblies are loaded and executed in memory without touching disk. Quote: ‘These variants decrypt the shellcode, modify the memory protections using VirtualProtect…and then execute it using a delegate.’ (describes in-memory execution methods including .NET assembly loading)
• [T1036 ] Masquerading – Malicious content is hidden within batch files and SVG images crafted to appear benign. Quote: ‘The malicious BAT scripts…embedded in SVGs contain JavaScript that triggers the execution chain when rendered.’
• [T1053 ] Scheduled Task/Job – Persistence is established via the Windows Startup folder so BAT files execute on user login. Quote: ‘The malware achieves persistence by creating a BAT file in the Windows Startup folder.’
• [T1204 ] User Execution – Initial access depends on user actions such as opening attachments, previewing SVGs, or executing BAT files. Quote: ‘Execution depends on a user manually running the batch file.’
• [T1132 ] Data Encoding – Base64 and AES encryption are used to encode commands and payloads transmitted or embedded in files. Quote: ‘Base64 and encryption are used to encode commands or payloads.’
• [T1219 ] Remote Access Software – XWorm provides remote access/control capabilities and is used as the final RAT payload. Quote: ‘Xworm provides full remote access and control over the infected host.’
• [T1056.001 ] Input Capture: Keylogging – XWorm includes keylogging functionality to capture credentials and user input. Quote: ‘XWorm includes keylogging functionality to steal user input and credentials.’
• [T1041 ] Exfiltration Over C2 Channel – Stolen data is exfiltrated via the C2 channels used by XWorm. Quote: ‘Stolen data is exfiltrated via the same C2 channel used by Xworm.’