ANY.RUN analysts reviewed November activity dominated by multi-stage loaders, stealers, and targeted campaigns that used PNG-based in-memory loaders and a JScript-to-PowerShell chain. Sandbox analyses and three Threat Intelligence Reports detailed threats across Windows, Linux, and Android, revealing execution flows, persistence artifacts, and IOCs SOC teams can use to strengthen detections before the next wave arrives.
Key points
- Multiple campaigns in November used multi-stage loaders that transition from JavaScript to PowerShell and then to in-memory .NET assembly execution to minimize disk footprints.
- XWorm employed PNG files as encrypted containers and an AES-backed two-stage PowerShell loader to execute a .NET assembly directly in memory.
- JSGuLdr is a three-stage loader that leverages fake Authenticode signing, COM-based execution to mask PowerShell launches, cloud-hosted payloads (Google Drive), and process injection to deliver PhantomStealer.
- Three Threat Intelligence Reports covered diverse threats across platforms: Windows hijackers and backdoors (PDFChampions, Phoenix, NonEuclid), Go-based Linux ransomware (Monkey), and Android RAT/MaaS families (BTMOB, Valkyrie).
- Detection points highlighted include mutex names (e.g., “Champion”), unique file paths and filenames (e.g., Valkyrie.zip, sysProcUpdate.exe), .onion C2 endpoints, and distinctive configuration files (BTConfig.xml).
- ANY.RUN sandboxing and TI Lookup queries are recommended to surface hidden execution paths, shorten investigations, and enrich detections with behavioral indicators and pivotable IOCs.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Phishing pages and emails delivered a JavaScript dropper to start the chain (‘delivering a JavaScript dropper named PurchaseOrder_25005092.js’).
- [T1027] Obfuscated Files or Information – Attackers used heavy obfuscation in JavaScript, batch scripts, and PowerShell to evade inspection (‘a heavily obfuscated JavaScript installer’; ‘Kile.cmd: A heavily obfuscated batch script’).
- [T1027.013] Embedded Payloads – Payloads were embedded and stored as Base64-encoded, AES-encrypted blobs inside files masquerading as images (‘Vile.png: Not an image but a Base64-encoded and AES-encrypted payload’).
- [T1036.008] Masquerading: Match Legitimate Extension or Filename – Files used the .png extension to appear harmless and evade quick reviews (‘Attackers deliberately use the “.png” extension … to make the files look harmless’).
- [T1059] Command and Scripting Interpreter – JavaScript reconstructed PowerShell commands and launched PowerShell to execute staged instructions (‘the JavaScript dropper reconstructs readable commands … and launches a PowerShell payload’).
- [T1620] Reflective Code Loading – Loaders attempted to execute .NET assemblies directly from memory without writing conventional executables to disk (‘attempts to execute the resulting .NET assembly directly from memory’).
- [T1553.006] Subvert Trust Controls: Code Signing – An obfuscated JScript was signed with a fake Authenticode certificate to appear trustworthy (‘an obfuscated JScript file signed with a fake Authenticode certificate’).
- [T1559.001] Inter-Process Communication: Component Object Model (COM) – COM and Shell.Application were used to launch powershell.exe under explorer.exe to mask activity (‘Shell.Application and Explorer COM interaction, which launches powershell.exe under explorer.exe’).
- [T1218] Signed Binary Proxy Execution – Legitimate system binaries (e.g., powershell.exe, msiexec.exe) were used to host or execute malicious code, hiding malicious behavior under trusted processes (‘powershell.exe → msiexec.exe’ execution chain).
- [T1218.007] Msiexec (Signed Binary Proxy Execution) – Final payloads were injected into msiexec.exe to run under a trusted Windows process (‘PhantomStealer, is then injected into msiexec.exe’).
- [T1105] Ingress Tool Transfer – Payloads and encrypted containers were downloaded from cloud services such as Google Drive (‘downloads an encrypted payload from Google Drive using a WebClient request’).
- [T1074.001] Local Data Staging – Encrypted payload containers were stored on disk as staging files (e.g., %APPDATA%\Autorise131.Tel) prior to in-memory loading (‘stored as %APPDATA%\Autorise131.Tel, used as the on-disk container for the next stage’).
- [T1055] Process Injection – Stealers and loaders used process injection to run under other processes and evade detection (‘injected into msiexec.exe’ and references to process injection behavior across samples).
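The loader chain described in the key points and the MITRE mapping above has two defender-visible seams: a file that carries a .png name but is really a Base64/AES container (T1027.013, T1036.008), and the script host → powershell.exe → msiexec.exe lineage (T1059, T1559.001, T1218.007). The following is an added example written for this summary, not ANY.RUN's code; the process events and the container bytes are constructed, the rule names are arbitrary, and the command-line switches checked for the explorer.exe → PowerShell case are a heuristic assumption rather than something the report states.

```python
"""Heuristics for the PNG-container and script -> PowerShell -> msiexec lineage.
Added example; SAMPLE_EVENTS and the sample byte strings are constructed."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
_B64_TEXT = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def is_masqueraded_png(data: bytes) -> bool:
    """True when the bytes lack the PNG signature but form a decodable Base64
    text blob, i.e. an encrypted container wearing a .png name (the Vile.png /
    Mands.png pattern). A real PNG or arbitrary binary returns False."""
    if data.startswith(PNG_MAGIC):
        return False
    body = data.strip()
    if len(body) < 16 or not _B64_TEXT.fullmatch(body):
        return False
    try:
        base64.b64decode(body, validate=False)
    except binascii.Error:  # bad padding: not a Base64 blob
        return False
    return True


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


# Hidden/encoded launch switches a COM-spawned PowerShell would typically carry (assumption).
_HIDDEN_PS = re.compile(r"-(?:enc(?:odedcommand)?|e|w(?:indowstyle)?\s+hidden)\b", re.I)


def suspicious_chains(events: list[ProcEvent]) -> list[tuple[str, ProcEvent]]:
    """Return (rule, child_event) pairs for parent/child pairs matching the
    loader lineage. These are heuristics for triage, not signatures."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[str, ProcEvent]] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        pimg, cimg = parent.image.lower(), child.image.lower()
        cmd = child.cmdline
        # Script host handing off to PowerShell: the JS/JScript dropper stage (T1059).
        if pimg in ("wscript.exe", "cscript.exe") and cimg == "powershell.exe":
            hits.append(("script_host_to_powershell", child))
        # PowerShell spawning msiexec with no package on the command line:
        # an injection host rather than an install (T1218.007 / T1055).
        if pimg == "powershell.exe" and cimg == "msiexec.exe" and ".msi" not in cmd.lower():
            hits.append(("powershell_to_msiexec_no_package", child))
        # explorer.exe parenting a hidden/encoded PowerShell: the Shell.Application
        # COM launch pattern used to disguise the origin (T1559.001).
        if pimg == "explorer.exe" and cimg == "powershell.exe" and _HIDDEN_PS.search(cmd):
            hits.append(("explorer_to_hidden_powershell", child))
    return hits


# Constructed samples: a real PNG header and a Base64 blob standing in for a container.
SAMPLE_REAL_PNG = PNG_MAGIC + b"\x00" * 32
SAMPLE_CONTAINER = base64.b64encode(bytes(range(64)))
SAMPLE_BINARY = b"\x00\xff" * 20

# Constructed process tree: pid/ppid values are illustrative only.
SAMPLE_EVENTS = [
    ProcEvent(4, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(10, 4, "wscript.exe", 'wscript.exe "PurchaseOrder_25005092.js"'),
    ProcEvent(11, 10, "powershell.exe", "powershell.exe -w hidden -nop -c ..."),
    ProcEvent(12, 11, "msiexec.exe", "msiexec.exe"),
    ProcEvent(20, 4, "powershell.exe", "powershell.exe -EncodedCommand AAAA"),
    ProcEvent(30, 4, "msiexec.exe", "msiexec.exe /i installer.msi /qn"),  # benign install
]

if __name__ == "__main__":
    print("container?", is_masqueraded_png(SAMPLE_CONTAINER), is_masqueraded_png(SAMPLE_REAL_PNG))
    for rule, ev in suspicious_chains(SAMPLE_EVENTS):
        print(rule, ev.pid, ev.cmdline)
```

The magic-byte check is the cheap part; the benign msiexec launch in the sample tree shows why the lineage rules key on the parent and on the absence of an .msi argument rather than on msiexec.exe alone.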
Indicators of Compromise
- [URL] Download and C2 – hxxps://drive[.]google[.]com/uc?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd (cloud-hosted payload), and the .onion C2 endpoint used by Efimer (.onion/route.php).
- [File Path / Filename] Staged containers and dropper artifacts – C:\Users\PUBLIC\Vile.png, C:\Users\PUBLIC\Mands.png (encrypted payload containers), %APPDATA%\Registreri62, %APPDATA%\Autorise131.Tel, and other staging paths referenced in the report.
- [Mutex] Behavioral detection flag – the ‘Champion’ mutex, associated with PDFChampions, identifies its activity.
- [Registry / Persistence] Registry and persisted binaries – the registryValue:"sysProcUpdate.exe" indicator surfaces Phoenix persistence; the dropped binary sysProcUpdate.exe is used for injection.
- [Android file] Mobile configuration indicator – /data/data/*/shared_prefs/BTConfig.xml, referenced for BTMOB RAT configuration and detection.
- [File pattern / Dropper name] Campaign-specific filenames – C:\Users\admin\AppData\Local\Temp\Valkyrie.zip (Valkyrie data staging), C:\Windows\864ac8 (Sfuzuan TXT drop), and the filename pattern ‘Orcamento-2025*’ used by the WhatsApp-propagating campaign.
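The IOC list above mixes indicator types (a mutex, fixed file paths, a registry value name, an Android path with a wildcard, a filename prefix, and URL fragments), so each needs its own matching rule and the Windows paths need per-user prefixes collapsed before comparison. The following is an added example for this summary, not ANY.RUN's tooling: the events are constructed sandbox-style records, the `.onion` hostname is a placeholder, and the `com.example.app` package name is invented; only the indicator values come from the list above.

```python
"""Match constructed sandbox/EDR events against the IOCs listed above.
Added example; SAMPLE_EVENTS are constructed, not from a real capture."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "mutex" | "file" | "registry" | "url"
    value: str
    host_os: str = "windows"


# Collapse per-user profile prefixes so %APPDATA%/%TEMP% indicators match any user.
_PROFILE_PREFIXES = [
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Roaming", re.I), "%APPDATA%"),
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp", re.I), "%TEMP%"),
]


def normalize_path(path: str) -> str:
    """Rewrite a Windows path to a user-independent, lower-cased form."""
    for rx, token in _PROFILE_PREFIXES:
        path = rx.sub(token, path, count=1)
    return path.lower()


MUTEXES = {"Champion"}                       # exact, case-sensitive
REGISTRY_VALUES = {"sysprocupdate.exe"}      # compared lower-cased
WIN_PATHS = {normalize_path(p) for p in (
    r"C:\Users\PUBLIC\Vile.png",
    r"C:\Users\PUBLIC\Mands.png",
    r"%APPDATA%\Registreri62",
    r"%APPDATA%\Autorise131.Tel",
    r"C:\Users\admin\AppData\Local\Temp\Valkyrie.zip",   # normalizes to %TEMP%\Valkyrie.zip
)}
ANDROID_GLOBS = ["/data/data/*/shared_prefs/BTConfig.xml"]
FILENAME_GLOBS = ["orcamento-2025*"]          # lower-cased; names are lower-cased before matching
URL_PATTERNS = [
    re.compile(r"^https?://drive\.google\.com/uc\?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd$"),
    re.compile(r"\.onion/route\.php"),
]


def match_event(ev: Event) -> list[str]:
    """Return the indicator labels an event matches (empty list if none)."""
    hits: list[str] = []
    if ev.kind == "mutex":
        if ev.value in MUTEXES:
            hits.append(f"mutex:{ev.value}")
    elif ev.kind == "registry":
        if ev.value.lower() in REGISTRY_VALUES:
            hits.append(f"registry_value:{ev.value}")
    elif ev.kind == "file" and ev.host_os == "android":
        hits += [f"android_path:{g}" for g in ANDROID_GLOBS if fnmatch.fnmatchcase(ev.value, g)]
    elif ev.kind == "file":
        norm = normalize_path(ev.value)
        if norm in WIN_PATHS:
            hits.append(f"path:{ev.value}")
        name = norm.rsplit("\\", 1)[-1]
        hits += [f"filename_pattern:{g}" for g in FILENAME_GLOBS if fnmatch.fnmatchcase(name, g)]
    elif ev.kind == "url":
        hits += [f"url:{rx.pattern}" for rx in URL_PATTERNS if rx.search(ev.value)]
    return hits


def scan(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Return only the events that matched, with their labels."""
    return [(ev, h) for ev in events if (h := match_event(ev))]


# Constructed events; usernames, package name and .onion host are placeholders.
SAMPLE_EVENTS = [
    Event("mutex", "Champion"),
    Event("file", r"C:\Users\PUBLIC\Vile.png"),
    Event("file", r"C:\Users\analyst\AppData\Roaming\Autorise131.Tel"),
    Event("file", r"C:\Users\analyst\AppData\Local\Temp\Valkyrie.zip"),
    Event("file", r"C:\Users\analyst\Downloads\Orcamento-2025-11.zip"),
    Event("file", "/data/data/com.example.app/shared_prefs/BTConfig.xml", host_os="android"),
    Event("registry", "sysProcUpdate.exe"),
    Event("url", "https://drive.google.com/uc?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd"),
    Event("url", "http://placeholder-example.onion/route.php"),
    Event("file", r"C:\Windows\System32\notepad.exe"),      # benign
    Event("mutex", "Local\\SomeBenignApp"),                  # benign
]

if __name__ == "__main__":
    for ev, labels in scan(SAMPLE_EVENTS):
        print(ev.kind, ev.value, "->", labels)
```

Path normalization is what lets the %APPDATA% and Valkyrie.zip indicators fire for any profile, while the mutex and registry-value checks stay exact because those strings are the indicator.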
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/major-cyber-attacks-november-2025/