PROBABLYPWNED
Malware · March 9, 2026 · 3 min read

VOID#GEIST Delivers XWorm and AsyncRAT via Fileless Injection

Multi-stage malware campaign uses Python loaders and Early Bird APC injection to deploy encrypted RATs. TryCloudflare tunnels mask C2 infrastructure.

James Rivera

Securonix Threat Research has documented a sophisticated multi-stage malware campaign deploying XWorm, AsyncRAT, and Xeno RAT through fileless injection techniques. Tracked as VOID#GEIST, the campaign leverages obfuscated batch scripts, embedded Python runtimes, and Early Bird APC injection to evade endpoint detection.

The attack chain begins with phishing emails delivering batch scripts that orchestrate payload retrieval, persistence establishment, and memory-only execution of three different remote access trojans. By avoiding traditional file-based payload drops, VOID#GEIST slips past security tools that rely on static file scanning.

Attack Chain Breakdown

Stage 1: Initial Access

Victims receive phishing emails containing obfuscated batch scripts. Upon execution, the script launches PowerShell with hidden window parameters to re-execute itself, minimizing visible indicators of compromise.

Stage 2: Persistence

A secondary batch script drops into the Windows user Startup directory. This technique requires no administrative privileges, no registry modifications, and no scheduled task creation—limiting the artifacts left behind.

Stage 3: Payload Retrieval

The loader fetches ZIP archives from TryCloudflare tunneled domains. These archives contain:

  • runn.py - Python-based loader and decryption orchestrator
  • new.bin, xn.bin, pul.bin - Encrypted shellcode blobs
  • a.json, n.json, p.json - Decryption keys

TryCloudflare provides free tunneling that maps public URLs to local services, giving attackers disposable infrastructure that's difficult to block wholesale.

Stage 4: Execution

The campaign deploys a legitimate Python runtime downloaded from python.org alongside Microsoft's AppInstallerPythonRedirector.exe. The Python loader decrypts shellcode blobs using keys from the JSON files, then injects payloads into separate instances of explorer.exe using Early Bird APC injection.

Early Bird injection queues malicious code before the main thread starts executing, allowing the payload to run within a trusted process context. Three sequential injections deploy XWorm, Xeno RAT, and AsyncRAT—giving operators multiple redundant access channels.

The RAT Payloads

XWorm provides keylogging, clipboard monitoring, screenshot capture, and remote shell access. It's been heavily commoditized in underground markets.

AsyncRAT offers similar capabilities with a strong plugin architecture. We previously covered AsyncRAT deployment via fileless IPFS techniques, showing this RAT family's continued popularity among threat actors seeking modular post-compromise tooling.

Xeno RAT rounds out the trio with hidden desktop access, live microphone streaming, and webcam capture. Running all three gives attackers capability overlap—if defenders detect and remove one, the others maintain access.

Detection Opportunities

Securonix researchers identified several detection angles:

  • Repeated process injection into explorer.exe within short time windows
  • PowerShell execution with hidden window arguments from batch script parents
  • Python runtime installations in user-writable directories
  • Batch scripts spawning batch scripts with startup folder writes
  • Network connections to TryCloudflare domains from non-browser processes

Organizations running behavioral EDR should tune rules for APC injection sequences. The Early Bird technique specifically queues APCs before ResumeThread, which some detection tools miss if they only monitor post-execution injection.
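As an added example (not code from Securonix or from this post), the following Python rule set runs the detection angles listed above over a few constructed event records. The event schema, field names, paths and thresholds are assumptions for illustration; map them onto your own EDR's telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry, not real logs; field names and "type" values are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-03-09T10:00:01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command ..."},
    {"type": "filewrite", "ts": "2026-03-09T10:00:02", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.bat"},
    {"type": "process", "ts": "2026-03-09T10:00:05", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\py\python.exe", "cmdline": "python.exe runn.py"},
] + [
    {"type": "inject", "ts": f"2026-03-09T10:00:{10 + 10 * i}", "target": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\py\python.exe"}
    for i in range(3)
]
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"

_name = lambda p: PureWindowsPath(p).name.lower()  # image path -> lowercase basename

def detect_voidgeist_indicators(events, window=timedelta(seconds=60), min_injections=3):
    """Return (rule, detail) hits for the behaviours listed in the post."""
    hits, injections = [], defaultdict(list)  # source image -> explorer.exe injection times
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, image = ev["type"], ev["image"]
        if kind == "process":
            # Hidden-window PowerShell spawned by a batch (cmd.exe) parent.
            if _name(image) == "powershell.exe" and _name(ev.get("parent", "")) == "cmd.exe" \
                    and HIDDEN_RE.search(ev.get("cmdline", "")):
                hits.append(("hidden_powershell_from_batch", ev["cmdline"]))
            # Python interpreter running from a user-writable profile path.
            if _name(image) == "python.exe" and image.lower().startswith("c:\\users\\"):
                hits.append(("python_in_user_dir", image))
        elif kind == "filewrite":
            # Script interpreter dropping a file into the per-user Startup folder.
            if STARTUP_DIR in ev["target"].lower() and _name(image) in {"cmd.exe", "powershell.exe"}:
                hits.append(("startup_folder_write", ev["target"]))
        elif kind == "inject" and _name(ev["target"]) == "explorer.exe":
            # Several injections into explorer.exe from one source within a short window.
            stamps = injections[image]
            stamps.append(datetime.fromisoformat(ev["ts"]))
            recent = [t for t in stamps if stamps[-1] - t <= window]
            if len(recent) == min_injections:  # fire once, when the threshold is crossed
                hits.append(("repeated_explorer_injection", f"{image} x{len(recent)}"))
    return hits
```

The injection rule counts events per source process, so a single injection into explorer.exe (common for benign hooks) does not fire on its own.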

Why This Matters

VOID#GEIST exemplifies the "living off the land" philosophy taken to its logical extreme. Legitimate Python binaries, legitimate Microsoft executables, legitimate cloud infrastructure—stitched together with obfuscated scripts to deliver thoroughly illegitimate payloads.

The multi-RAT approach also signals operational maturity. Rather than betting on a single implant, the operators deploy redundant access mechanisms. If network defenders catch AsyncRAT beaconing, XWorm and Xeno RAT continue operating. It's a belt-and-suspenders approach to maintaining persistence.

The campaign's targets and operators remain unidentified. Securonix hasn't attributed VOID#GEIST to any known threat group, and successful compromises haven't been publicly confirmed. But the tradecraft sophistication suggests actors with real operational experience, not script kiddies experimenting with cracked RAT builders. Security teams should monitor for the documented TTPs regardless of whether their organization falls into any presumed target profile.
