
JScript to PowerShell: Breaking Down a Loader Delivering XWorm and Rhadamanthys

Medium
Published: Wed Apr 16 2025 (04/16/2025, 05:57:23 UTC)
Source: AlienVault OTX

Description

This analysis examines a sophisticated malware loader that utilizes JScript to launch obfuscated PowerShell code, ultimately delivering payloads such as XWorm and Rhadamanthys. The loader employs geofencing tactics, targeting victims in the United States with XWorm RAT, while deploying Rhadamanthys stealer to users outside the U.S. The attack chain involves multiple stages of obfuscation and deobfuscation, including decimal encoding and string manipulation. The final payload is injected into RegSvcs.exe using reflective loading techniques. The loader also performs various cleanup actions to evade detection and remove traces of its activity. Both XWorm and Rhadamanthys are advanced malware variants with capabilities ranging from DDoS attacks to cryptocurrency theft.

AI-Powered Analysis

Last updated: 06/19/2025, 18:05:45 UTC

Technical Analysis

This threat involves a sophisticated multi-stage malware loader that uses JScript to execute obfuscated PowerShell code, ultimately delivering two distinct payloads: XWorm and Rhadamanthys. The loader employs layered obfuscation, including decimal encoding and string manipulation, to evade detection and analysis. It uses geofencing logic to select the payload by geographic location: victims within the United States are infected with the XWorm Remote Access Trojan (RAT), while those outside the U.S. receive the Rhadamanthys stealer. The final payload is injected into the legitimate Windows process RegSvcs.exe via reflective loading, which executes the payload in memory without writing it to disk and so reduces the forensic footprint. After infection, the loader runs cleanup routines to remove traces of its activity, further complicating detection and incident response. XWorm provides remote control, DDoS and credential-theft capabilities, whereas Rhadamanthys specializes in stealing sensitive information such as cryptocurrency wallets and credentials. The chain's reliance on JScript and PowerShell shows the abuse of native Windows scripting environments, which are often trusted and less scrutinized by security controls. Indicators of compromise include specific file hashes and malicious domains hosted on blogspot.com, used as command-and-control or payload distribution points. Although no known exploits in the wild had been reported at the time of analysis, the medium severity rating reflects the malware's potential impact and sophistication.

Potential Impact

For European organizations, the primary risk stems from the Rhadamanthys stealer payload, since the loader's geofencing delivers XWorm only to U.S. targets and Rhadamanthys to everyone else. Rhadamanthys' ability to exfiltrate sensitive data, particularly cryptocurrency wallets and credentials, poses a significant threat to financial institutions, cryptocurrency exchanges, and enterprises handling sensitive personal or financial information. The use of reflective loading and multi-layer obfuscation complicates detection by traditional antivirus and endpoint detection and response (EDR) solutions, increasing the likelihood of a prolonged undetected presence. This can lead to data breaches, financial loss, and reputational damage. Additionally, the malware's use of a legitimate Windows process for payload execution can bypass application whitelisting and behavioral detection mechanisms. European organizations with remote workforces, or those that rely heavily on PowerShell scripting for automation, may be particularly exposed if security controls are not properly configured. The threat also underscores the risk of supply chain or phishing attacks that deliver JScript loaders, emphasizing the need for robust email and web security. While the DDoS capabilities of XWorm are less relevant for Europe because of the geofencing, the data theft and espionage potential of Rhadamanthys remain critical concerns.

Mitigation Recommendations

To mitigate this threat, European organizations should implement the following specific measures:

1) Enforce strict PowerShell logging and enable script block logging to detect obfuscated or suspicious PowerShell activity.
2) Deploy application control policies to restrict execution of JScript and PowerShell scripts from non-standard locations, especially user profile directories and temporary folders.
3) Monitor and block the known malicious domains (allhoteldirectlunk.blogspot.com, 7000linknewembes.blogspot.com) via DNS filtering and firewall rules.
4) Use endpoint detection tools capable of detecting reflective DLL injection and anomalous process behavior, focusing on legitimate Windows processes such as RegSvcs.exe.
5) Harden email gateways with advanced phishing detection and sandboxing to prevent delivery of malicious JScript loaders.
6) Conduct regular threat hunting exercises using the indicators of compromise listed below, including the provided hashes.
7) Educate users about the risks of enabling macros or running scripts from untrusted sources.
8) Implement network segmentation to limit lateral movement if an infection occurs.
9) Keep all systems and security solutions updated to leverage the latest detection signatures and heuristics.

These targeted actions go beyond generic advice by focusing on the specific attack vectors and techniques used by this loader and its payloads.
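A small triage routine for measures 1 and 4, added here as an illustration and not taken from the page or the referenced write-up: it scans constructed PowerShell script block records for the decimal-encoded character arrays, RegSvcs.exe references, IoC domains and script-host parent processes described above. The exact decimal-encoding syntax used by the loader is not shown on the page, so the regex shape is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like PowerShell script block log events
# (Event ID 4104); they are not log lines from the page or from the samples.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "script": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 2, "parent": "explorer.exe",
     "script": "$a=72,101,108,108,111,32,87,111,114,108,100,33;-join($a|%{[char]$_})"},
    {"id": 3, "parent": "wscript.exe",
     "script": "Start-Process RegSvcs.exe; Remove-Item $env:TEMP\\stage.js"},
    {"id": 4, "parent": "explorer.exe",
     "script": "Invoke-WebRequest http://allhoteldirectlunk.blogspot.com/p"},
]

IOC_DOMAINS = {"allhoteldirectlunk.blogspot.com", "7000linknewembes.blogspot.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # JScript/VBScript hosts
# Assumed shape of the decimal encoding: nine or more comma-separated byte
# values that are later cast with [char]; the page does not show the syntax.
DECIMAL_RUN = re.compile(r"(?:\b\d{1,3}\b\s*,\s*){8,}\b\d{1,3}\b")
CHAR_CAST = re.compile(r"\[char\]", re.IGNORECASE)

def decode_decimal_run(script: str) -> str:
    """Decode the first decimal byte run so an analyst can read it."""
    m = DECIMAL_RUN.search(script)
    if not m:
        return ""
    values = [int(v) for v in m.group(0).split(",")]
    return "".join(chr(v) if 32 <= v < 127 else "." for v in values)

def score_event(event: Dict) -> List[str]:
    """Return the detection rules that fire for one script block event."""
    text, low = event["script"], event["script"].lower()
    reasons = []
    if DECIMAL_RUN.search(text) and CHAR_CAST.search(text):
        reasons.append("decimal-encoded char array")
    if "regsvcs.exe" in low:
        reasons.append("RegSvcs.exe referenced from script")
    if any(d in low for d in IOC_DOMAINS):
        reasons.append("known IoC domain")
    if event.get("parent", "").lower() in SCRIPT_HOSTS:
        reasons.append("spawned by a script host")
    return reasons

def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id to the rules that fired, for events matching at least one."""
    return {e["id"]: r for e in events if (r := score_event(e))}
```

Feed it real 4104 records (message text plus the parent process from Sysmon or EDR telemetry) and forward flagged ids to the hunt queue; the decoded run lets an analyst see what the obfuscated stage actually assembles.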


Technical Details

Author: AlienVault
TLP: white
References: https://medium.com/@andrew.petrus/jscript-to-powershell-breaking-down-a-loader-delivering-xworm-and-rhadamanthys-bf59dffb609b
Indicators of Compromise

Hash
  70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb
  b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda
  ba259ee618d3514db28b407a9aad22347f3473f2539153cdadb407f5c59745a1

Domain
  allhoteldirectlunk.blogspot.com
  7000linknewembes.blogspot.com

Threat ID: 682c992c7960f6956616a5f7

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 6:05:45 PM

Last updated: 7/26/2025, 1:21:08 PM
