Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
Publish Date: 2026-03-06 09:33:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan (RATs) payloads that correspond to XWorm, AsyncRAT, and Xeno RAT.
The stealthy attack chain has been codenamed VOID#GEIST by Securonix Threat Research.
At a high level, the obfuscated batch script is used to deploy a second batch script, stage a legitimate embedded Python runtime, and decrypt encrypted shellcode blobs, which are executed directly in memory by injecting them into separate instances of “explorer.exe” using a technique called Early Bird Asynchronous Procedure Call (APC) injection.
“Modern malware campaigns increasingly shift from standalone executables toward complex, script-based delivery frameworks that closely mimic legitimate user activity,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News.
“Rather than deploying traditional PE binaries, attackers leverage modular pipelines comprising batch scripts for orchestration, PowerShell for stealthy staging, legitimate embedded runtimes for portability, and raw shellcode executed directly in memory for persistence and control.”
This fileless execution mechanism minimizes disk-based detection opportunities, thereby allowing the threat actors to operate within compromised systems without triggering security alerts. What’s more, the approach offers an extra advantage in that these individual stages appear harmless in isolation and resemble regular administrative activity.
The starting point of the attack is a batch script that’s fetched from a TryCloudflare domain and distributed via phishing emails. Once launched, it deliberately avoids taking steps to escalate privileges and leverages the permission rights of the currently logged-in user to establish an initial foothold, while blending into seemingly innocuous administrative operations.
The initial stage serves as…
