Multi-Stage VOID#GEIST Malware Campaign Uncovered

A new multi-stage malware campaign, dubbed VOID#GEIST, has been identified, utilizing batch scripts to deliver various remote access trojans, including XWorm, AsyncRAT, and Xeno RAT.

Cybersecurity researchers have revealed a sophisticated multi-stage malware campaign known as VOID#GEIST, which employs batch scripts to deliver encrypted remote access trojan (RAT) payloads, specifically XWorm, AsyncRAT, and Xeno RAT. This campaign was detailed by Securonix Threat Research.

Attack Mechanism

The attack begins with an obfuscated batch script that initiates a second batch script, stages a legitimate embedded Python runtime, and decrypts shellcode blobs executed directly in memory. This is achieved through a technique called Early Bird Asynchronous Procedure Call (APC) injection, which allows the malware to operate stealthily within compromised systems.

Execution and Persistence

The initial batch script is retrieved from a TryCloudflare domain and distributed via phishing emails. It operates under the permissions of the currently logged-in user, avoiding privilege escalation. This script launches a decoy PDF in Google Chrome to distract users while executing a PowerShell command to re-run the original script in a hidden window. To maintain persistence, an auxiliary batch script is placed in the Windows user’s Startup directory, ensuring it runs at every login without modifying system-wide settings.

Payload Delivery

Subsequent stages of the attack involve the malware contacting a TryCloudflare domain to download ZIP archives containing various payloads, including a Python loader script and encrypted shellcode for the RATs. The use of an embedded Python runtime allows the malware to function independently of the system’s Python installation, enhancing its stealth and reliability.

Current Status and Impact

The final stages of the attack involve launching the RATs using the same injection mechanism. The malware sends a minimal HTTP beacon back to the attackers’ command and control infrastructure to confirm the breach. As of now, it remains unclear who the specific targets of this campaign are and whether any successful compromises have occurred. The modular nature of the attack enhances its flexibility and resilience, making detection challenging.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

Avatar photo
NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.

Articles: 311