PROBABLYPWNED
Malware | February 4, 2026 | 4 min read

XWorm RAT Hides in PNG Image via Steganography Attack

SANS researcher uncovers multi-stage malware attack hiding XWorm payload inside a legitimate travel website image using steganography and obfuscated batch scripts.

James Rivera

A SANS Internet Storm Center analysis published today reveals an attack chain that stuffs XWorm remote access trojan inside a PNG image hosted on a compromised travel website. The technique combines batch script obfuscation with steganography to slip past security tools that focus on traditional executable analysis.

Xavier Mertens, senior ISC handler, picked apart a malicious .bat file that initially looks like a Chrome encryption bypass utility—the kind of script regularly shared on GitHub for legitimate purposes. The twist sits at the end of the code: instead of cleanly exiting, the script calls an additional function that kicks off the real payload delivery.

How the Attack Works

The infection starts with an email attachment containing a batch file. Opening it triggers a convoluted execution chain:

Stage 1: The batch script contains Base64-encoded data padded with junk characters. A custom decoding routine strips non-hex characters, reverses the string, and converts it to binary—a deliberate obfuscation layer designed to confuse automated analysis.

Stage 2: The decoded payload reaches out to hxxps://uniworldrivercruises-co[.]uk/optimized_MSI.png—a file hosted on what appears to be a legitimate travel company's domain. The PNG is a real image, but embedded within it sits shellcode bracketed by BaseStart- and -BaseEnd markers.

Stage 3: A .NET loader extracts the shellcode from between those markers and executes it in memory, dropping XWorm V7.0/V7.1 onto the system.
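Added example (not from the ISC diary or the article): a defender-side scanner for the Stage 2 artefact described above. It walks a PNG's chunk list to find where the image legitimately ends (the IEND chunk), reports any bytes trailing it, and flags the BaseStart-/-BaseEnd markers without executing or interpreting anything between them. The sample image and the placeholder bytes it appends are constructed inline.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
START_MARK = b"BaseStart-"   # marker strings named in the ISC analysis
END_MARK = b"-BaseEnd"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(payload: bytes = None) -> bytes:
    """Constructed 1x1 RGB PNG; if payload is given, append it between the markers after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    img = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return img if payload is None else img + START_MARK + payload + END_MARK

def iend_offset(data: bytes):
    """Walk the chunk list; return the offset just past IEND, or None if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None

def scan_png(data: bytes) -> dict:
    """Report trailing data after IEND and any BaseStart-/-BaseEnd bracketed region."""
    end = iend_offset(data)
    s = data.find(START_MARK)
    e = data.find(END_MARK, s + len(START_MARK)) if s != -1 else -1
    has = s != -1 and e != -1
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "valid_png": end is not None,
        "trailing_bytes": (len(data) - end) if end is not None else None,
        "has_markers": has,
        "embedded_len": (e - s - len(START_MARK)) if has else 0,
        "suspicious": has or (end is not None and len(data) - end > 0),
    }

if __name__ == "__main__":
    print(scan_png(build_sample_png(b"X" * 64)))  # placeholder bytes, not shellcode
```

Trailing data after IEND is not proof of malice on its own (some tools append metadata), but combined with the marker strings it is a strong signal worth quarantining the file for analysis.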

This approach mirrors techniques we covered in the GhostPoster campaign, where attackers hid malicious JavaScript inside Firefox extension logos using similar steganographic methods.

XWorm's Growing Footprint

XWorm has become a mainstay in the malware-as-a-service market since its 2022 debut. Version 6.0 launched in June 2025 with a fully rewritten codebase and modular plugin architecture. The RAT enables attackers to:

  • Log keystrokes and capture screenshots
  • Steal browser credentials, cookies, and autofill data
  • Hijack Discord, Telegram, and MetaMask accounts
  • Deploy additional payloads or ransomware modules
  • Execute remote commands including system shutdown

The malware maintains persistence by creating a scheduled task named "Chromiumx2" that executes C:\Users\admin\AppData\Roaming\Chromiumx2.exe every minute. Command-and-control communications flow through a Telegram bot API endpoint, blending malicious traffic with normal encrypted chat data.

Indicators of Compromise

Defenders should watch for these IOCs from the analyzed sample:

File Hash:

  • SHA256: d99318c9b254b4fa5bf6f1dd15996dd50be0676dd84e822503fd273316eb9ba7

Network Indicators:

  • Payload URL: hxxps://uniworldrivercruises-co[.]uk/optimized_MSI.png
  • C2 server: hxxp://178[.]16[.]53[.]209/buildingmoney.txt
  • Telegram bot endpoint with chat ID 6870183115

Persistence:

  • Scheduled task: "Chromiumx2"
  • Executable path: C:\Users\admin\AppData\Roaming\Chromiumx2.exe

Why Steganography Matters for Defenders

Image-based payload delivery creates blind spots in security architectures. Most endpoint detection tools scrutinize executables, scripts, and Office documents—not PNG files fetched from seemingly benign domains. The travel website used in this attack likely has a clean reputation score, allowing the download to bypass URL filtering.

This technique isn't new. Chinese threat group Worok has deployed steganography-laden PNGs in espionage operations, and APT28 recently used similar methods combined with a Microsoft Office vulnerability to target European organizations.

Organizations relying solely on signature-based detection will miss these attacks. Behavioral monitoring that flags processes decoding and executing content from image files provides better coverage.

Defensive Recommendations

Security teams should consider these mitigations:

  1. Block untrusted .bat file execution through application control policies, particularly from email attachments
  2. Monitor PowerShell activity for Base64 decoding combined with web requests to image files
  3. Inspect scheduled task creation for suspicious persistence mechanisms
  4. Deploy EDR rules that detect in-memory shellcode execution following image file downloads
  5. Review outbound Telegram traffic for anomalous API calls that might indicate C2 activity

The full technical analysis is available on the SANS ISC diary. Network defenders should add the listed IOCs to their threat intelligence feeds.

For those building detection capabilities, the combination of batch script launching PowerShell, followed by PNG download and scheduled task creation, provides a reliable behavioral signature—even without knowing the specific malware variant in play.
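Added example (not part of the article): the behavioral signature just described, expressed as a correlation rule over constructed process, network and scheduled-task telemetry. Each powershell.exe process is scored against four stages (launched by cmd.exe running a .bat, encoded command line per recommendation 2, PNG fetch, schtasks /create) and an alert fires when enough stages line up. The log format, host name, PIDs and URL are assumed placeholders.

```python
import re

# Constructed sample telemetry (not from the ISC diary): "ts host kind pid ppid detail".
SAMPLE_EVENTS = [
    "10:00:01 WS1 proc 4100 3000 cmd.exe /c invoice_fix.bat",
    "10:00:02 WS1 proc 4120 4100 powershell.exe -nop -w hidden -enc QUJD",
    "10:00:05 WS1 net 4120 - GET https://example.invalid/optimized_MSI.png",
    "10:00:09 WS1 task 4120 - schtasks /create /tn Chromiumx2 /sc minute /mo 1",
    "10:05:00 WS1 proc 5000 900 explorer.exe",
    "10:05:01 WS1 proc 5010 5000 powershell.exe Get-Date",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (proc|net|task) (\d+) (\S+) (.*)$")

def parse_events(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    out = []
    for ln in lines:
        m = LINE_RE.match(ln)
        if m:
            ts, host, kind, pid, ppid, detail = m.groups()
            out.append({"ts": ts, "host": host, "kind": kind, "pid": int(pid),
                        "ppid": int(ppid) if ppid.isdigit() else None, "detail": detail})
    return out

def correlate(events, min_score=3):
    """Score each powershell.exe process against the stages of the chain; alert at min_score."""
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    alerts = []
    for e in events:
        d = e["detail"].lower()
        if e["kind"] != "proc" or not d.startswith("powershell.exe"):
            continue
        parent = procs.get(e["ppid"])
        pd = parent["detail"].lower() if parent else ""
        later = [x for x in events if x["pid"] == e["pid"] and x["ts"] >= e["ts"]]
        stages = {
            "launched_by_bat": pd.startswith("cmd.exe") and ".bat" in pd,
            "encoded_command": " -enc" in d or "-encodedcommand" in d,
            "png_download": any(x["kind"] == "net" and x["detail"].lower().endswith(".png") for x in later),
            "task_created": any(x["kind"] == "task" and "/create" in x["detail"].lower() for x in later),
        }
        score = sum(stages.values())
        if score >= min_score:
            alerts.append({"host": e["host"], "pid": e["pid"], "score": score, "stages": stages})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Keeping the threshold below the full stage count means a variant that drops the scheduled task or fetches a differently named file still trips the rule; the benign Get-Date launch in the sample scores zero.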
