Wednesday, May 7, 2025
HomeCyber Security NewsJailbreaking Malicious JScript Loader Reveals Xworm Payload Execution Chain

Jailbreaking Malicious JScript Loader Reveals Xworm Payload Execution Chain

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers have uncovered a sophisticated JScript-to-PowerShell loader delivering XWorm RAT and Rhadamanthys Stealer through a geofenced, multi-stage execution chain.

The attack leverages obfuscation, geolocation checks, and fileless techniques to evade detection.

JScript to PowerShell loader flow
JScript to PowerShell loader flow

Attack Chain Breakdown

Stage 1: JScript Loader Activation

- Advertisement - Google News

The campaign begins with a malicious JScript file, often distributed via fake CAPTCHA “ClickFix” attacks or scheduled tasks.

It executes a PowerShell command crafted by dynamically reassembling a scrambled array of code snippets. The loader uses mshta.exe to trigger execution:

mshta.exe javascript:...<obfuscated JScript>... 

Stage 2: Geolocation-Based Payload Selection

The script queries geojs.io to determine the victim’s country:

  • U.S. Victims: Receive XWorm RAT, a .NET-based Remote Access Trojan with clipboard hijacking and DDoS capabilities.
  • Non-U.S. Victims: Get Rhadamanthys Stealer, a C++ info-stealer using AI to extract crypto wallet data from images.

This geofencing tactic reduces exposure in high-risk regions and complicates analysis.

String Manipulation

  • PowerShell commands are split into randomized arrays and rebuilt at runtime.
  • Critical payloads (e.g., $decimalString) are stored as decimal values and decoded using Convert-DecimalToText.
Decoding $decimalString reveals the next and final stage
Decoding $decimalString reveals the next and final stage

Process & File Cleanup

  • Terminates processes like mshta, wscript, and *.bat.exe.
  • Deletes residual scripts (.ps1, .lnk, .vbs) from system directories (AppData, ProgramData).
  • Creates and later removes a temporary directory: C:\ProgramData\loralylomyra.

Final Payload Injection

Fileless Execution via RegSvcs.exe

The deobfuscated loader:

  1. Reverses encoded payloads stored in variables $lora (XWorm) and $PE (loader).
  2. Converts decimal strings to executable bytes using Convert-DecimalTxtToExe.
  3. Reflectively loads the malicious code into RegSvcs.exe, a legitimate .NET utility, to avoid disk writes.
[System.Reflection.Assembly]::Load($data1) 
$Method.Invoke($null, @($path, $data2)) 
Diagram demonstrating how fileless malware is injected into RegSvcs.exe
Diagram demonstrating how fileless malware is injected into RegSvcs.exe

Why This Matters

  • Geofencing: Limits exposure to specific regions, complicating threat hunting.
  • Living-off-the-Land: Abuse of trusted tools like PowerShell and RegSvcs.exe bypasses endpoint defenses.
  • Payload Sophistication: XWorm’s clipboard hijacking and Rhadamanthys’s AI-driven image analysis highlight evolving attacker capabilities.

Indicators of Compromise (IOCs)

TypeValue
Loader SHA25670c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb
XWorm SHA256b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda
C2 Domainshxxps://get.geojs[.]io/v1/ip/geo.json (Geocheck)
Temp DirectoryC:\ProgramData\loralylomyra
  1. Block unauthorized PowerShell execution via Group Policy.
  2. Monitor process hollowing (e.g., RegSvcs.exe spawning unusual child processes).
  3. Inspect scheduled tasks for anomalous JScript or mshta.exe activity.

This loader exemplifies attackers’ increasing reliance on layered obfuscation and geographic targeting to maximize impact. Regular updates to detection rules and behavioral analytics are critical to counter such threats.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by...

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution,...

CISA Warns of Cyber Threats to Oil and Gas SCADA and ICS Networks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning critical...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by...

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution,...