Security analysts at AhnLab Security Intelligence Center (ASEC) are sounding the alarm over a surge in phishing emails delivering XwormRAT, a remote access trojan (RAT), through advanced steganography techniques.
ASEC’s monthly “Phishing Email Trend Report” and “Infostealer Trend Report” flagged this new threat vector, which leverages image files to conceal and deploy malware payloads in ways that evade traditional security defenses.
How Attackers Conceal Malicious Code
The infection chain typically begins when a victim opens a phishing email containing an attachment or link.

The attackers use either VBScript or JavaScript, cleverly embedding malicious code into otherwise legitimate scripts so users remain unaware of the threat.
Once executed, these scripts deploy an embedded PowerShell command that serves as a downloader for the next-stage payload.
What sets this campaign apart is the use of steganography, a method of hiding code within seemingly innocuous image files.
The malicious PowerShell script provided in the phishing email is heavily obfuscated, containing Base64-encoded data interspersed with dummy characters.
During execution, these irrelevant characters are stripped out, and the legitimate Base64 data is decoded and run. This process downloads a JPG image file, which appears harmless to the user.
Stealthy Payload Extraction
Upon download, the JPG file employs steganographic techniques to conceal a .NET-based malware loader. In earlier campaigns, the loader was stored as Base64-encoded data appended between “<<BASE64_START>>” and “<<BASE64_END>>” markers at the end of the image.
The current variant is more sophisticated: the malicious content is embedded as pixel data within the bitmap portion of the JPG file, and the loader extracts and decodes the RGB values of selected pixels to reconstruct the .NET loader.
Once extracted, the loader executes the final stage malware, XwormRAT.
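As an added defensive triage example (not code from the ASEC report), the Python check below flags a JPEG that carries data after its End-Of-Image marker and, in particular, the “<<BASE64_START>>”/“<<BASE64_END>>” wrapper the earlier variant used; the image bytes and hidden payload are constructed inline, and the check does not cover the pixel-embedded variant.

```python
import base64
import re

# Marker strings the earlier variant used to wrap the appended Base64 loader.
START = b"<<BASE64_START>>"
END = b"<<BASE64_END>>"

# Constructed sample: a minimal JPEG-like byte string (SOI ... EOI) with a
# marker-delimited Base64 blob appended, mimicking the earlier variant's layout.
SAMPLE_PAYLOAD = b"MZ placeholder loader bytes"  # constructed, not a real loader


def build_sample() -> bytes:
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"  # SOI ... EOI
    return fake_jpeg + START + base64.b64encode(SAMPLE_PAYLOAD) + END


def trailing_bytes_after_eoi(data: bytes) -> bytes:
    """Return everything after the last JPEG End-Of-Image marker (FF D9)."""
    idx = data.rfind(b"\xff\xd9")
    return b"" if idx == -1 else data[idx + 2:]


def scan_jpeg(data: bytes) -> dict:
    """Triage a JPEG: report trailer size and any marker-wrapped Base64 blob.

    A non-empty trailer alone is only a weak signal (some camera software
    appends metadata), so the marker hit is what makes the verdict strong.
    """
    trailer = trailing_bytes_after_eoi(data)
    result = {"trailer_len": len(trailer), "has_markers": False,
              "payload_len": 0, "suspicious": False}
    m = re.search(re.escape(START) + rb"(.*?)" + re.escape(END), data, re.S)
    if m:
        result["has_markers"] = True
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
            result["payload_len"] = len(decoded)
        except ValueError:  # binascii.Error is a ValueError subclass
            result["payload_len"] = -1
    result["suspicious"] = result["has_markers"] or result["trailer_len"] > 64
    return result


if __name__ == "__main__":
    print(scan_jpeg(build_sample()))
```

The trailer-size threshold is an assumed triage heuristic; tune it against your own image corpus before using it for alerting.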
This technique complicates detection by security software, as the infected image appears genuine, and the executable code remains concealed until runtime.
The method has already been observed in the distribution of other remote access trojans, such as RemcosRAT.
Ongoing Threat and Indicators
ASEC has observed that this technique is undergoing constant modification, with new variants appearing regularly. MD5 hashes for known malicious samples include:
- 0e5ff18f30be0fcb3f3d9be61e7b1eb9
- 19399e8df23b0b98e1fe830e72888f34
- 3cbb2ad896862aa551ee3010eee75a4a
- 851460f488aca6b4da2f751f1899520e
- 992fdbc2af1ef6a9ccae4f8661096f89
Malicious infrastructure also includes URLs hosted on paste.ee and archive.org, among others.
User Vigilance Still Essential
ASEC warns users and organizations to exercise extreme caution when opening any unsolicited email attachments or clicking unknown links, especially those containing image files.
The evolving use of steganography in phishing campaigns underscores the importance of ongoing education, robust endpoint security, and regular updates to threat intelligence sources.
For further information and additional indicators of compromise (IOCs), users are advised to consult the AhnLab Threat Intelligence Platform.