Full Report
Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan (RAT) payloads that correspond to XWorm, AsyncRAT, and Xeno RAT. The stealthy attack chain has been codenamed VOID#GEIST by Securonix Threat Research. At a high level, the obfuscated batch script is used to deploy a second
Analysis Summary
# Tool/Technique: VOID#GEIST
## Overview
VOID#GEIST is a sophisticated, multi-stage malware delivery framework identified by Securonix Threat Research. It utilizes highly obfuscated batch scripts and legitimate embedded Python runtimes to deliver various encrypted Remote Access Trojans (RATs). The campaign is characterized by its fileless execution, use of "Living off the Land" (LotL) techniques, and a focus on staying within user-mode privileges to avoid triggering system-level security alerts.
## Technical Details
- **Type:** Malware Delivery Framework / Loader
- **Platform:** Windows
- **Capabilities:** Persistence, Shellcode Decryption, In-Memory Injection, Evasion, Multi-payload delivery.
- **First Seen:** Disclosed March 2026 (Securonix report).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.001 - Phishing: Spearphishing Attachment
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1204.002 - User Execution: Malicious File
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1140 - Deobfuscate/Decode Files or Information
  - T1055.004 - Process Injection: Asynchronous Procedure Call (APC) Injection
  - T1564.003 - Hide Artifacts: Hidden Window
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Modular Pipeline:** Uses batch scripts for orchestration and PowerShell for stealthy staging of the attack.
- **Legitimate Runtime Usage:** Downloads and utilizes a portable Python runtime from the official `python[.]org` website to execute its loader script (`runn.py`), ensuring compatibility and reducing the footprint.
- **Multi-Payload Delivery:** Capable of delivering and managing three distinct RAT families: XWorm, AsyncRAT, and Xeno RAT.
- **In-Memory Execution:** Decrypts shellcode blobs (`new.bin`, `xn.bin`, `pul.bin`) and executes them directly in memory.
### Advanced Features
- **Early Bird APC Injection:** Injects shellcode into separate instances of `explorer.exe` using Asynchronous Procedure Calls, a technique that executes code before the main thread of the process starts, often bypassing certain security hooks.
- **Low-Privilege Operations:** Consciously avoids privilege escalation to minimize forensic footprints and avoid triggering UAC prompts or registry-monitoring alerts.
- **TryCloudflare Tunneling:** Utilizes Cloudflare’s infrastructure to host and serve malicious components, making C2 traffic look like legitimate web service traffic.
## Indicators of Compromise
- **File Names:**
  - `runn.py` (Python loader)
  - `new.bin` (XWorm payload)
  - `xn.bin` (Xeno RAT payload)
  - `pul.bin` (AsyncRAT payload)
  - `a.json`, `n.json`, `p.json` (decryption keys)
- **Network Indicators:**
  - `trycloudflare[.]com` (subdomains used for staging)
  - `python[.]org` (used to fetch the legitimate runtime)
- **Behavioral Indicators:**
  - Google Chrome launched in full-screen as a decoy.
  - `PowerShell` executed with `-WindowStyle Hidden`.
  - Batch scripts appearing in the `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` directory.
  - Unexpected instances of `explorer.exe` spawned as hosts for shellcode injection.
## Associated Threat Actors
- **VOID#GEIST:** The specific cluster of activity identified by Securonix; there is currently no public attribution to a known state-sponsored group.
## Detection Methods
- **Behavioral Detection:** Monitoring for hidden PowerShell windows and the execution of Python scripts from non-standard or temporary directories.
- **Process Monitoring:** Tracking "Early Bird" APC injection attempts into `explorer.exe`.
- **Integrity Checks:** Monitoring the Windows Startup folder for unauthorized batch files.
- **Network Defense:** Analyzing traffic to `trycloudflare[.]com` subdomains for high-volume zip file downloads or unusual connectivity patterns.
## Mitigation Strategies
- **Scripting Restrictions:** Disable Command Prompt (`cmd.exe`) and PowerShell for standard users where not required by business needs.
- **Application Whitelisting:** Prevent the execution of unauthorized Python runtimes or scripts from user-writable directories (e.g., `%TEMP%`, `%APPDATA%`).
- **Phishing Defense:** Implement robust email filtering to block macro-enabled or malicious batch script attachments.
- **EDR Tuning:** Configure Endpoint Detection and Response tools to alert on APC injection techniques and parent-child process anomalies (e.g., Batch initiating a Python runtime).
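The behavioral detections listed under Detection Methods and the parent-child anomaly called out under EDR Tuning can be expressed as simple process-creation rules. The block below is an added example written for this summary, not code from the Securonix report or from any EDR product: it runs a handful of rules over constructed process-creation events in a simplified Sysmon Event ID 1 shape. The field names (`image`, `command_line`, `parent_image`), the rule names, the `SCRIPT_HOSTS` set and the sample paths and user name are all assumptions of the example.

```python
"""Process-creation detection rules for the VOID#GEIST behaviours listed above.

Added example, not code from the Securonix report. The events are constructed
here in a simplified Sysmon Event ID 1 (process creation) shape; the field
names, rule names and sample paths are assumptions of this example.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # full command line of the created process
    parent_image: str   # full path of the parent process


# Startup folder suffix from the report's persistence indicator (lower-cased for matching).
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
# User-writable locations named in the report as launch points for the runtime/scripts.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
# Script hosts that should not be the parent of a fresh explorer.exe (assumed list).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    image = ntpath.basename(ev.image).lower()
    image_dir = ntpath.dirname(ev.image).lower() + "\\"
    cmd = ev.command_line.lower()
    parent = ntpath.basename(ev.parent_image).lower()
    hits = []
    # T1564.003: PowerShell started with -WindowStyle Hidden (or the -w / -win shorthand).
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"-w\w*\s+hidden\b", cmd):
        hits.append("powershell_hidden_window")
    # Python runtime launched from a temp or profile directory rather than an install path.
    if image in ("python.exe", "pythonw.exe") and any(p in image_dir for p in USER_WRITABLE):
        hits.append("python_from_user_writable_dir")
    # EDR-tuning anomaly from the report: a batch/cmd.exe shell spawning a Python runtime.
    if image in ("python.exe", "pythonw.exe") and parent == "cmd.exe":
        hits.append("cmd_spawned_python")
    # T1547.001: cmd.exe running a .bat that lives in the Startup folder.
    if image == "cmd.exe" and STARTUP_DIR in cmd and ".bat" in cmd:
        hits.append("batch_in_startup_folder")
    # Unexpected explorer.exe: a script host as parent fits the injection-host pattern.
    if image == "explorer.exe" and parent in SCRIPT_HOSTS:
        hits.append("explorer_spawned_by_script_host")
    return hits


# Constructed sample events (paths and the user name "alice" are invented for the example).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep 1"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe",
              "python.exe runn.py",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.bat"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe"),
    # Benign controls: an installed Python launched by an IDE, and an ordinary PowerShell run.
    ProcEvent(r"C:\Program Files\Python312\python.exe", "python.exe -m pip list",
              r"C:\Program Files\VSCode\Code.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Process",
              r"C:\Windows\explorer.exe"),
]


def run_sample() -> list[list[str]]:
    """Apply every rule to the constructed events; returns one hit list per event."""
    return [detect(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ntpath.basename(ev.image):16} {hits or 'no hits'}")
```

The two benign control events show the intended precision: a Python runtime under `Program Files` with a non-shell parent and an interactive PowerShell without a hidden window produce no hits, while the four events modelled on the report's indicators each trigger the matching rule. In a real deployment the `explorer_spawned_by_script_host` rule is the one to tune first, since the parent set is an assumption and legitimate automation can occasionally launch `explorer.exe`.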
## Related Tools/Techniques
- **Malware Families:** XWorm, AsyncRAT, Xeno RAT.
- **Techniques:** Living off the Land (LotL), Fileless Malware execution.
- **Services:** Cloudflare Tunnels (TryCloudflare).