Summary: Researchers are examining a sophisticated malware delivery system that uses a JScript loader to deploy different payloads depending on the victim's location. The chain runs a series of obfuscated PowerShell scripts that execute either the XWorm RAT for U.S. victims or the Rhadamanthys stealer for victims located elsewhere. The attack chain combines geofencing with multi-layered obfuscation to evade detection while executing on targeted systems.
Affected: Organizations and systems at risk from tailored malware attacks
Key points:
- Uses a JScript-to-PowerShell loader to deliver malware based on geographical location.
- XWorm RAT targets U.S. victims, while Rhadamanthys stealer is aimed at non-U.S. targets.
- Employs advanced techniques like geofencing, multi-layered obfuscation, and fileless execution to avoid detection.
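As an added defender-side illustration, not code from the source article or the researchers, the following scores process-creation events for the script-host-to-PowerShell hand-off described above (a script host such as wscript.exe spawning PowerShell with encoded, hidden-window or download-and-execute arguments). The telemetry field names, the trait list and the threshold are assumptions of this example; the sample events are constructed.

```python
import re
# Constructed process-creation telemetry is used below; the field names
# (parent_image, image, command_line) are an assumption of this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of obfuscated, fileless PowerShell stages.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(rofile)?\b"),
    "invoke_expression": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "base64_decode": re.compile(r"(?i)FromBase64String"),
    "web_download": re.compile(r"(?i)(DownloadString|Invoke-WebRequest|Net\.WebClient)"),
}

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL:
        return 0, []
    reasons = []
    if parent in SCRIPT_HOSTS:  # script host spawning PowerShell: the loader hand-off
        reasons.append(f"parent_script_host:{parent}")
    for name, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(event.get("command_line", "")):
            reasons.append(name)
    return len(reasons), reasons

def find_loader_chains(events, min_score=2):
    """Return (id, reasons) for events with a script-host parent and enough traits."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score and reasons and reasons[0].startswith("parent_script_host"):
            hits.append((ev["id"], reasons))
    return hits

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAAAAAAAAAAAAAA"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    print(find_loader_chains(SAMPLE_EVENTS))
```

Because the loader's later stages are fileless, the process-creation edge from the script host into PowerShell is often the most durable place to alert; pair it with PowerShell script block logging to recover the decoded stage.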
Source: https://gbhackers.com/unmasking-xworm-payload-execution-path-through-jailbreaking/