Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts
A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute PowerShell-based loaders that inject RAT payloads directly into memory, enabling fileless execution. The campaign also employs SVG files with embedded JavaScript to trigger the malware download, exploiting non-traditional file formats to evade detection. The infection process involves multiple stages, including persistence mechanisms, PowerShell script execution, and the use of loaders to decrypt and deploy the final payload. This evolving threat landscape highlights the need for advanced security measures to counter such sophisticated attacks.
AI Analysis
Technical Summary
This malware campaign is a multi-stage attack that combines obfuscated BAT scripts, PowerShell loaders, and unconventional file formats such as SVGs to deliver two Remote Access Trojans (RATs), XWorm and Remcos. The initial infection vector is a ZIP archive, often hosted on trusted content delivery networks (CDNs) like ImgKit, containing obfuscated BAT scripts. These BAT scripts launch PowerShell-based loaders that inject the RAT payloads in memory, enabling fileless execution that significantly complicates detection by traditional antivirus solutions. The use of SVG files with embedded JavaScript as a trigger mechanism is particularly notable: it abuses a file type not usually associated with code execution in order to evade signature-based detection and sandbox analysis. The attack chain has several stages: execution of the obfuscated BAT scripts, invocation of the PowerShell loader, decryption and deployment of the RAT payload directly into memory, and establishment of persistence to maintain long-term access. Both XWorm and Remcos provide extensive remote control, including keylogging, credential theft, screen capture, and lateral movement within networks. The campaign's evasion techniques include script obfuscation, fileless execution, and the use of trusted hosting platforms to bypass security controls. The observed behaviour maps to the following MITRE ATT&CK techniques: T1056.001 (Input Capture: Keylogging), T1053 (Scheduled Task/Job), T1106 (Execution through API), T1140 (Deobfuscate/Decode Files or Information), T1219 (Remote Access Tools), T1036 (Masquerading), T1204 (User Execution), T1041 (Exfiltration Over C2 Channel), T1059.001 (PowerShell), T1055.012 (Process Injection), T1027 (Obfuscated Files or Information), and T1132 (Data Encoding).
This evolving threat landscape underscores the need for advanced detection capabilities focusing on behavioral analysis, script inspection, and memory forensics to counter such sophisticated, fileless malware campaigns.
Potential Impact
For European organizations, this campaign poses a significant risk due to the stealthy nature of the infection and the powerful capabilities of the RAT payloads. The fileless execution and use of trusted CDNs for hosting malicious archives increase the likelihood of successful infiltration, especially via phishing emails containing SVG attachments or ZIP archives. Once infected, organizations may face data breaches, intellectual property theft, espionage, and operational disruption. The persistence mechanisms enable attackers to maintain long-term access, facilitating lateral movement and further compromise of critical infrastructure. Sensitive sectors such as finance, government, healthcare, and critical manufacturing in Europe could be targeted for espionage or sabotage. The use of obfuscated scripts and non-traditional file formats complicates detection and response efforts, potentially leading to prolonged dwell time and increased damage. Additionally, the campaign’s evasion techniques may bypass conventional endpoint protection platforms widely deployed in European enterprises, necessitating enhanced security monitoring and incident response capabilities.
Mitigation Recommendations
1. Implement advanced email filtering capable of detecting and blocking phishing emails with suspicious attachments, including SVG and ZIP files that contain scripts.
2. Deploy endpoint detection and response (EDR) with behavioural analytics to identify fileless execution patterns, PowerShell abuse, and process injection.
3. Enforce strict execution policies for PowerShell, including constrained language mode and logging of all script executions to a central monitoring system.
4. Block or restrict execution of BAT scripts and of scripts downloaded from untrusted or external sources, especially those delivered as email attachments.
5. Use network security controls to monitor and restrict outbound connections to known malicious domains and to CDNs used for hosting malicious payloads.
6. Conduct regular user awareness training on phishing and social engineering, emphasising the risk of opening unexpected attachments or links.
7. Employ application whitelisting to prevent unauthorised script execution and the use of non-standard file formats for code execution.
8. Maintain up-to-date threat intelligence feeds and integrate the indicators of compromise (IOCs), such as the hashes listed for this campaign, into detection tooling.
9. Perform regular memory forensics and threat hunting to identify signs of in-memory RAT execution and persistence mechanisms.
10. Implement multi-factor authentication and network segmentation to limit lateral movement in case of compromise.
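The technical summary describes SVG attachments with embedded JavaScript as the trigger for the download, and recommendation 1 above asks for mail filtering that catches such files. The scanner below is an added example written for this page; it is not code from the pulse, from the Seqrite write-up, or from the campaign itself. It assumes an attachment is available as a filename plus raw bytes (for instance from a mail-gateway hook), and the two SVG samples are constructed for illustration rather than taken from the campaign. It flags script elements, event-handler attributes, active URL schemes, embedded foreign content and gzip-compressed `.svgz`, and it sniffs content so an SVG renamed to another extension is still inspected.

```python
"""Flag SVG attachments that carry active content.

Added example for this analysis page; not code from the OffSeq/AlienVault
pulse or from the Seqrite write-up. Sample SVGs below are constructed.
"""
import gzip
import re
import xml.etree.ElementTree as ET

# Element names (namespace stripped, lower-cased) that can run code or load
# active content when an SVG is opened directly in a browser or viewer.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes in href/src attributes that execute rather than load an image.
ACTIVE_URL_PREFIXES = ("javascript:", "vbscript:", "data:text/html")

# Constructed samples (not campaign files): a plain drawing, and an SVG that
# carries a script block, an onload handler and a javascript: link.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/javascript">//<![CDATA[
    function init() { window.location = "https://example.invalid/next"; }
  //]]></script>
  <a xlink:href="javascript:void(0)"><text x="5" y="15">Open document</text></a>
</svg>"""


def _local(name: str) -> str:
    """Strip an XML namespace ('{ns}tag' -> 'tag') and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return findings describing active content in an SVG; [] means clean."""
    if data[:2] == b"\x1f\x8b":            # .svgz is just gzip-compressed SVG
        try:
            data = gzip.decompress(data)
        except OSError:
            return ["gzip header but not decompressible"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Browsers are more forgiving than an XML parser, so a file that does
        # not parse is not automatically safe: fall back to a raw-text check.
        text = data.decode("utf-8", errors="replace").lower()
        if re.search(r"<script\b|\bon[a-z]+\s*=|javascript:", text):
            return ["active content in unparseable SVG"]
        return [f"unparseable XML: {exc}"]

    findings: list[str] = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                      # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and \
                    value.strip().lower().startswith(ACTIVE_URL_PREFIXES):
                findings.append(f"{name} with active scheme on <{tag}>")
    return findings


def looks_like_svg(filename: str, data: bytes) -> bool:
    """Decide by extension or by content, so a renamed SVG is still caught."""
    if filename.lower().endswith((".svg", ".svgz")):
        return True
    return b"<svg" in data[:2048].lower()


def attachment_verdict(filename: str, data: bytes) -> str:
    """'block' for SVGs with active content, 'quarantine' if the SVG could not
    be parsed, 'allow' otherwise. Non-SVG attachments are passed through."""
    if not looks_like_svg(filename, data):
        return "allow"
    findings = scan_svg(data)
    if not findings:
        return "allow"
    if all(f.startswith("unparseable XML") for f in findings):
        return "quarantine"
    return "block"


if __name__ == "__main__":
    for name, blob in (("logo.svg", BENIGN_SVG), ("invoice.svg", ACTIVE_SVG)):
        print(name, attachment_verdict(name, blob), scan_svg(blob))
```

A point worth keeping in mind when tuning this: script inside an SVG does not run when the file is displayed through an `<img>` tag or as a CSS background, but it does run when the SVG is opened directly in a browser, which is exactly what happens when a user double-clicks an emailed attachment. That is why the verdict treats any script or event handler as grounds to block rather than merely to warn.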
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Spain, Poland, Sweden, Finland
Indicators of Compromise
- hash: 1ce36351d7175e9244209ae0d42759d9
- hash: 23e30938e00f89bf345c9c1e58a6cc1d
- hash: d439cb98cf44d359c6abcdddb6e85454
- hash: ec04bc20ca447556c3bdcfcbf6662c60
- hash: eda018a9d51f3b09c20e88a15f630df5
- hash: 1f297e64f940c980eac84be0b69dc20d510fc7cf
- hash: b2a93f8f29a973fd042a7eb17a0818320990e58b
- hash: d5fd45cdf170b6dd603e6f4e94768d575119b6520c3a0b5ce22ca679abeb1c7f
- hash: e950e432d247a5946c86e519f0a115649792991711220af2793193132a6e2d95
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/xworm-remcos-bat-svg-malware-analysis
- Adversary: not specified
- Pulse Id: 68c2fb90807873db05fc63c6
- Threat Score: not specified
Threat ID: 68c303cf29fde658ffdd6fe9
Added to database: 9/11/2025, 5:15:59 PM
Last enriched: 9/11/2025, 5:19:11 PM
Last updated: 9/11/2025, 7:04:33 PM