Malicious Script Delivering More Maliciousness, (Wed, Feb 4th)
A malicious email attachment containing a .bat script is delivering a multi-stage malware payload designed to steal data via a Chrome injector. The initial script is a fork of publicly available GitHub code but includes obfuscated Base64-encoded payloads executed through PowerShell. The payload fetches additional components from a compromised website, including a .NET program that establishes persistence via scheduled tasks and communicates with a Telegram-based command and control (C2) server. This malware, identified as XWorm V7.x, uses sophisticated obfuscation and evasion techniques to avoid detection. It targets Windows systems and aims to steal sensitive information silently. The attack does not require user interaction beyond opening the malicious attachment and does not currently have known widespread exploitation, but it poses a medium risk. European organizations using Windows and Chrome browsers are potential targets, especially those with less mature email security controls.
AI Analysis
Technical Summary
This threat involves a malicious script delivered via email attachment, specifically a .bat file that acts as a loader for a multi-stage malware infection chain. The initial script is a modified fork of publicly available GitHub scripts designed to inject malicious code into the Chrome browser to steal data. The script uses common obfuscation techniques such as junk characters interspersed within Base64-encoded payloads, which are decoded and executed via PowerShell commands. The payload is fetched from a compromised legitimate-looking website hosting a disguised image file containing embedded malicious code. The embedded payload is extracted using custom delimiters and decoded through a process involving reversing and cleaning non-hex characters, resulting in a .NET executable. This executable implements persistence by creating a scheduled task named "Chromiumx2" that runs every minute, ensuring the malware remains active. The malware communicates with its C2 infrastructure via Telegram bot API calls, sending system information such as username, OS version, CPU, GPU, and RAM details. This malware is identified as a variant of XWorm (version 7.x), a known info-stealer that exfiltrates sensitive data. The infection chain leverages obfuscation and evasion techniques to bypass automated detection and relies on social engineering through email attachments. The attack targets Windows 10 Pro systems and requires minimal user interaction beyond opening the attachment. While no known widespread exploitation is reported, the threat is credible and medium severity due to its stealth, persistence, and data theft capabilities.
Potential Impact
For European organizations, this malware poses a significant risk to confidentiality as it is designed to steal sensitive data through Chrome injection. The persistence mechanism ensures long-term presence on infected systems, increasing the likelihood of data exfiltration. The use of Telegram as a C2 channel complicates detection and blocking efforts due to the legitimate nature of the Telegram API. Organizations with Windows 10 Pro endpoints and Chrome browsers are particularly vulnerable. The malware could lead to credential theft, intellectual property loss, and potential lateral movement within networks. The stealthy nature and obfuscation techniques reduce the chance of early detection, increasing potential damage. Sectors with high-value data such as finance, healthcare, and government could face targeted attacks. Additionally, the infection vector via email attachments highlights the risk of phishing campaigns exploiting human factors. The medium severity rating reflects the balance between the complexity of exploitation and the potential impact on data confidentiality and operational integrity.
Mitigation Recommendations
European organizations should implement advanced email filtering solutions capable of detecting obfuscated scripts and malicious attachments, including sandboxing and behavioral analysis. Endpoint detection and response (EDR) tools should be configured to monitor for suspicious scheduled tasks, especially those named similarly to legitimate applications (e.g., "Chromiumx2"). PowerShell logging and script block logging should be enabled to detect unusual decoding and execution patterns. Network monitoring should include filtering and anomaly detection for Telegram API traffic, particularly outbound requests to known malicious bot tokens or suspicious chat IDs. User awareness training must emphasize the risks of opening unexpected email attachments, even if they appear legitimate. Regular patching of Windows and Chrome browsers is essential to reduce exploitation of known vulnerabilities. Restricting execution of .bat files and PowerShell scripts from email attachments through application whitelisting or controlled folder access can reduce infection risk. Incident response plans should include procedures for identifying and removing XWorm infections and analyzing persistence mechanisms. Finally, organizations should maintain threat intelligence sharing with European cybersecurity communities to stay updated on evolving XWorm variants.
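As an added, defender-side illustration of the monitoring the recommendations above call for (example code, not from the ISC diary or this report): the three checks below run over constructed JSON events in an assumed simplified schema and flag a browser-lookalike scheduled task that repeats at minute intervals from an untrusted path, a script block that Base64-decodes and immediately invokes its result, and outbound Telegram bot API requests. Field names, thresholds and all sample values are assumptions.

```python
import json
import re

# Constructed sample events (not from the report), one JSON object per line:
# a scheduled-task creation, a PowerShell script block and a proxy request,
# each paired with a benign counterpart. The bot token is a placeholder.
SAMPLE_EVENTS = [
    r'{"source":"task","task":"\\Chromiumx2","interval":"PT1M","action":"C:\\Users\\u\\AppData\\Roaming\\upd.exe"}',
    r'{"source":"task","task":"\\GoogleUpdateTaskMachineUA","interval":"PT1H","action":"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"}',
    r'{"source":"powershell","scriptblock":"$d=[Convert]::FromBase64String($s.Replace(\"~\",\"\")); IEX([Text.Encoding]::UTF8.GetString($d))"}',
    r'{"source":"powershell","scriptblock":"Get-ChildItem C:\\temp | Sort-Object Length"}',
    r'{"source":"proxy","method":"POST","host":"api.telegram.org","path":"/bot<TOKEN_PLACEHOLDER>/sendMessage"}',
    r'{"source":"proxy","method":"GET","host":"www.example.com","path":"/index.html"}',
]

LOOKALIKE = re.compile(r"chrom(e|ium)", re.I)         # task names borrowing the browser's name
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")  # where genuine browser tasks point
MINUTES = re.compile(r"^PT(\d+)M$")                   # ISO-8601 minute interval such as PT1M
DECODE = re.compile(r"FromBase64String", re.I)
INVOKE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
TELEGRAM_BOT = re.compile(r"^/bot[^/]+/(sendMessage|sendDocument|getUpdates)\b")

def check_task(ev):
    # Lookalike name + repeats every few minutes + binary outside trusted dirs
    m = MINUTES.match(ev.get("interval", ""))
    frequent = m is not None and int(m.group(1)) <= 5
    untrusted = not ev.get("action", "").lower().startswith(TRUSTED_DIRS)
    if LOOKALIKE.search(ev.get("task", "")) and frequent and untrusted:
        return "lookalike_task_minute_persistence"

def check_powershell(ev):
    # Base64 decode feeding straight into Invoke-Expression: the loader pattern
    sb = ev.get("scriptblock", "")
    return "base64_decode_then_iex" if DECODE.search(sb) and INVOKE.search(sb) else None

def check_proxy(ev):
    # Endpoint calling the Telegram bot API; review unless it is a known business use
    if ev.get("host", "").lower() == "api.telegram.org" and TELEGRAM_BOT.match(ev.get("path", "")):
        return "telegram_bot_api_c2_candidate"

CHECKS = {"task": check_task, "powershell": check_powershell, "proxy": check_proxy}

def scan(lines):
    """Return (rule, event) pairs for every JSON event that trips a check."""
    hits = []
    for ev in map(json.loads, lines):
        rule = CHECKS.get(ev.get("source"), lambda _: None)(ev)
        if rule:
            hits.append((rule, ev))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags exactly the three malicious samples and leaves the benign ones untouched; in production the same checks would sit over Task Scheduler creation events, PowerShell script block logs (Event ID 4104) and proxy logs.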
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Poland, Sweden
Technical Details
Article source: https://isc.sans.edu/diary/rss/32682 (fetched 2026-02-04, 492 words)
Threat ID: 69831349f9fa50a62f7d42ba
Added to database: 2/4/2026, 9:37:13 AM
Last enriched: 2/11/2026, 12:18:50 PM
Last updated: 3/22/2026, 2:01:45 AM