
Jailbroken JScript Loader Reveals Execution Path of Xworm Payload


A multi-stage malware campaign leveraging JScript and obfuscated PowerShell scripts has been observed delivering either XWorm RAT or Rhadamanthys stealer based on the victim’s geolocation.

The attack chain, analyzed by researcher Andrew Petrus, employs geofencing, fileless execution, and process injection to evade detection.

Attack Flow Overview

The loader begins with a JScript file, often distributed via scheduled tasks or ClickFix fake CAPTCHA campaigns.

The script dynamically constructs a PowerShell command by reassembling randomly ordered array elements.

This technique complicates static analysis, as the full command is only visible during runtime.

Key stages include:

  1. Geolocation Check: A request to hxxps://get.geojs.io/v1/ip/geo.json determines the victim’s country.
  2. Payload Selection:
    • US victims receive XWorm RAT, a .NET-based remote access trojan with clipboard hijacking and DDoS capabilities.
    • Non-US victims receive Rhadamanthys, a C++ info-stealer using AI to extract cryptocurrency seed phrases from images.
  3. Environment Hardening: The script kills processes (e.g., mshta, wscript) and deletes temporary files (*.bat, *.ps1) to hinder analysis.
  4. Obfuscated Payload Execution: Decimal-encoded strings are converted to executable code using a custom Convert-DecimalToText function, with final payloads reflectively loaded into RegSvcs.exe.

Technical Evasion Tactics

  • Process Injection: The malicious loader uses PowerShell reflection to inject decrypted payloads into RegSvcs.exe, a legitimate .NET utility, enabling fileless execution.
  • Directory Manipulation: A transient directory (C:\ProgramData\loralylomyra) is created to stage payloads, which is promptly deleted post-execution.
  • String Reversal: Critical variables like $lora (payload) and $PE (loader) store data in reverse order, requiring deobfuscation before execution.

Payload Analysis

Malware        Target Region   Language   Capabilities
XWorm RAT      United States   .NET       Remote access, clipboard hijacking, DDoS attacks
Rhadamanthys   Non-US          C++        Credential theft, AI-driven seed phrase extraction, cryptocurrency wallet targeting

Indicators of Compromise (IOCs)

  • Loader Script Hash: 70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb
  • XWorm Sample: b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda
  • Network Activity: HTTP requests to get.geojs.io and payload hosting domains (e.g., imgbox.com).

This campaign highlights attackers’ increasing reliance on geofencing and layered obfuscation to maximize impact while minimizing exposure.

Defenders should monitor PowerShell activity, restrict process injection where it is not needed, and analyze anomalous network traffic to API-based geolocation services.
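The monitoring advice above, together with the decimal-encoded stage described earlier, translates into a small triage script. The following is an added example, not code from the article or from the researcher's analysis: it scans constructed PowerShell script-block log lines for the indicators the article names (the geojs.io lookup, the C:\ProgramData\loralylomyra staging directory, reflective assembly loading, RegSvcs.exe as the injection target, the Convert-DecimalToText helper) and decodes any run of decimal byte values it finds so an analyst can read the staged text. The sample log lines, the `[array]::Reverse` idiom used as a string-reversal marker, and all function names are assumptions made for the example.

```python
import re

# Constructed sample script-block log lines, modelled on the behaviour the
# article describes. These are NOT real logs from the campaign.
SAMPLE_LOGS = [
    "ScriptBlockText: Invoke-WebRequest -Uri https://get.geojs.io/v1/ip/geo.json",
    "ScriptBlockText: New-Item -ItemType Directory -Path C:\\ProgramData\\loralylomyra",
    "ScriptBlockText: [System.Reflection.Assembly]::Load($bytes); Start-Process RegSvcs.exe",
    "ScriptBlockText: $enc = '72 101 108 108 111'; Convert-DecimalToText $enc",
    "ScriptBlockText: [array]::Reverse($chars); $lora = -join $chars",
    "ScriptBlockText: Get-ChildItem C:\\Users",
]

# Indicators taken from the article. Ordering matters only for the hit list.
INDICATORS = {
    "geolocation_lookup": re.compile(r"get\.geojs\.io", re.I),
    "staging_dir": re.compile(r"ProgramData\\loralylomyra", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "regsvcs_target": re.compile(r"RegSvcs\.exe", re.I),
    "decimal_decoder": re.compile(r"Convert-DecimalToText", re.I),
    # Assumed idiom for the "string reversal" tactic; not quoted from the article.
    "string_reversal": re.compile(r"\[array\]::Reverse", re.I),
}

# Five or more 1-3 digit numbers separated by spaces or commas.
DECIMAL_RUN = re.compile(r"(?:\b\d{1,3}\b[ ,]+){4,}\b\d{1,3}\b")


def decode_decimal_run(text):
    """Decode a run of decimal byte values to text; None if any value is not a byte."""
    nums = [int(n) for n in re.findall(r"\d{1,3}", text)]
    if not nums or any(n > 255 for n in nums):
        return None
    return bytes(nums).decode("latin-1")


def scan_line(line):
    """Return indicator names matched by the line and any decoded decimal runs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
    decoded = []
    for match in DECIMAL_RUN.finditer(line):
        text = decode_decimal_run(match.group(0))
        if text is not None:
            decoded.append(text)
    return {"hits": hits, "decoded": decoded}


def scan_logs(lines):
    """Return (index, result) for every line with at least one hit or decoded run."""
    flagged = []
    for index, line in enumerate(lines):
        result = scan_line(line)
        if result["hits"] or result["decoded"]:
            flagged.append((index, result))
    return flagged


if __name__ == "__main__":
    for index, result in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: hits={result['hits']} decoded={result['decoded']}")
```

Run as-is the script flags five of the six constructed lines and prints the decoded decimal run as plain text. In production the input would be the ScriptBlockText field of PowerShell script-block logging events; lines matching two or more indicators (for example reflective loading plus RegSvcs.exe in one block) deserve immediate escalation, while a single geojs.io request on its own is only a weak signal and should be correlated with the process tree.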


Any Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
