Cybersecurity researchers have uncovered a sophisticated JScript-to-PowerShell loader delivering XWorm RAT and Rhadamanthys Stealer through a geofenced, multi-stage execution chain.
The attack leverages obfuscation, geolocation checks, and fileless techniques to evade detection.

Attack Chain Breakdown
Stage 1: JScript Loader Activation
The campaign begins with a malicious JScript file, often distributed via fake CAPTCHA “ClickFix” attacks or scheduled tasks.
It executes a PowerShell command crafted by dynamically reassembling a scrambled array of code snippets. The loader uses mshta.exe to trigger execution:
mshta.exe javascript:...<obfuscated JScript>...
Stage 2: Geolocation-Based Payload Selection
The script queries geojs.io to determine the victim’s country:
- U.S. Victims: Receive XWorm RAT, a .NET-based Remote Access Trojan with clipboard hijacking and DDoS capabilities.
- Non-U.S. Victims: Get Rhadamanthys Stealer, a C++ info-stealer using AI to extract crypto wallet data from images.
This geofencing tactic reduces exposure in high-risk regions and complicates analysis.
String Manipulation
- PowerShell commands are split into randomized arrays and rebuilt at runtime.
- Critical payloads (e.g., $decimalString) are stored as decimal values and decoded using Convert-DecimalToText.

Process & File Cleanup
- Terminates processes like mshta, wscript, and *.bat.exe.
- Deletes residual scripts (.ps1, .lnk, .vbs) from system directories (AppData, ProgramData).
- Creates and later removes a temporary directory: C:\ProgramData\loralylomyra.
Final Payload Injection
Fileless Execution via RegSvcs.exe
The deobfuscated loader:
- Reverses encoded payloads stored in variables $lora (XWorm) and $PE (loader).
- Converts decimal strings to executable bytes using Convert-DecimalTxtToExe.
- Reflectively loads the malicious code into RegSvcs.exe, a legitimate .NET utility, to avoid disk writes.
[System.Reflection.Assembly]::Load($data1)
$Method.Invoke($null, @($path, $data2))
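The decimal-string staging described above (a payload stored as a run of decimal byte values, reversed, then converted back to bytes) is simple to unwind during triage. The following Python helper is an added example for analysts, not the loader's own code or a reimplementation of its Convert-DecimalTxtToExe function: it scans a script for quoted decimal lists, decodes them, detects whether the result is a PE image in forward or reversed byte order, and reports a SHA256 so the recovered payload can be matched against the IOCs. The sample script fragment, the 16-value minimum, and the accepted separators (whitespace or commas) are assumptions made for the example.

```python
"""Triage helper for PowerShell loaders that stash a payload as a string of
decimal byte values. Added example; not the loader's code."""
import hashlib
import re

# Constructed sample script fragment (not real malware). Two variables hold a
# PE header as reversed decimal bytes, one list is too short to matter, and
# one contains a value that cannot be a byte.
SAMPLE_SCRIPT = r'''
$sizes = "10 20 30"
$lora = "0 0 255 255 0 0 0 4 0 0 0 3 0 144 90 77"
$PE = "0,0,255,255,0,0,0,4,0,0,0,3,0,144,90,77"
$bad = "77 90 999 0 3 0 0 0 4 0 0 0 255 255 0 0"
$data1 = Convert-DecimalTxtToExe $lora
[System.Reflection.Assembly]::Load($data1)
'''

# Assignment of a quoted string made only of digits, whitespace and commas.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([\d\s,]+)["\']')
SEP_RE = re.compile(r"[\s,]+")
MIN_VALUES = 16  # assumption: shorter lists are unlikely to be a payload


def decode_decimal_string(text: str) -> bytes:
    """Turn '77 90 144 ...' (or comma-separated) into raw bytes."""
    tokens = [t for t in SEP_RE.split(text.strip()) if t]
    values = [int(t) for t in tokens]
    out_of_range = [v for v in values if not 0 <= v <= 255]
    if out_of_range:
        raise ValueError(f"value out of byte range: {out_of_range[0]}")
    return bytes(values)


def classify_payload(data: bytes) -> str:
    """Recognise a PE image stored forwards or byte-reversed."""
    if data[:2] == b"MZ":
        return "pe"
    if data[::-1][:2] == b"MZ":
        return "pe-reversed"
    return "unknown"


def triage(script: str) -> list[dict]:
    """Find candidate decimal-encoded payloads and describe each one."""
    findings = []
    for match in ASSIGN_RE.finditer(script):
        name, raw = match.group(1), match.group(2)
        if len([t for t in SEP_RE.split(raw.strip()) if t]) < MIN_VALUES:
            continue
        try:
            data = decode_decimal_string(raw)
        except ValueError as exc:
            findings.append({"var": name, "kind": "invalid", "error": str(exc)})
            continue
        kind = classify_payload(data)
        if kind == "pe-reversed":
            data = data[::-1]  # restore original byte order before hashing
        findings.append({
            "var": name,
            "kind": kind,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCRIPT):
        print(finding)
```

Both `$lora` and `$PE` in the sample decode to the same 16 bytes once reversed, so their hashes match; in a real sample the reported SHA256 is the value to compare against the loader and XWorm hashes in the IOC table.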

Why This Matters
- Geofencing: Limits exposure to specific regions, complicating threat hunting.
- Living-off-the-Land: Abuse of trusted tools like PowerShell and RegSvcs.exe bypasses endpoint defenses.
- Payload Sophistication: XWorm’s clipboard hijacking and Rhadamanthys’s AI-driven image analysis highlight evolving attacker capabilities.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| Loader SHA256 | 70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb |
| XWorm SHA256 | b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda |
| C2 Domains | hxxps://get.geojs[.]io/v1/ip/geo.json (Geocheck) |
| Temp Directory | C:\ProgramData\loralylomyra |
Recommended Mitigations
- Block unauthorized PowerShell execution via Group Policy.
- Monitor for process hollowing and injection (e.g., RegSvcs.exe spawning unusual child processes).
- Inspect scheduled tasks for anomalous JScript or mshta.exe activity.
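The monitoring advice above, together with the chain described earlier (mshta.exe launching PowerShell, a geolocation lookup to geojs.io, RegSvcs.exe used as an injection host, and scheduled tasks that run scripts), can be expressed as a handful of behavioural rules. The following Python is an added example that runs those rules over a few constructed Sysmon-style events; it is not a detection product and not the researchers' own tooling. The event shapes (`id` 1 for process creation, 22 for DNS query, with `image`, `parent`, `cmdline` and `query` fields), the file paths, and the rule names are assumptions for the example.

```python
"""Behavioural rules for the JScript-to-PowerShell loader chain, run over
constructed Sysmon-style events. Added example; not the report's tooling."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry (not real logs). Events 1-5 follow the loader chain;
# events 6 and 7 are benign look-alikes that should not alert.
EVENTS = [
    {"id": 1, "image": MSHTA, "parent": EXPLORER, "cmdline": "mshta.exe javascript:..."},
    {"id": 1, "image": PS, "parent": MSHTA, "cmdline": "powershell -w hidden ..."},
    {"id": 22, "image": PS, "query": "get.geojs.io"},
    {"id": 1, "image": REGSVCS, "parent": PS, "cmdline": "RegSvcs.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": REGSVCS, "cmdline": "cmd /c ..."},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": r'schtasks /create /tn Updater /tr "mshta.exe C:\ProgramData\x.js"'},
    {"id": 1, "image": PS, "parent": EXPLORER, "cmdline": "powershell Get-Date"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "get.geojs.io"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELLS | {"cmd.exe"}
GEO_DOMAINS = ("geojs.io",)  # domain from the report; extend with other IP-geo services
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    alerts = []
    for i, ev in enumerate(events):
        img = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "").lower()
        if ev["id"] == 1:
            # Stage 1: script host (mshta/wscript) launching PowerShell.
            if img in POWERSHELLS and parent in SCRIPT_HOSTS:
                alerts.append((i, "powershell-spawned-by-script-host"))
            # Final stage: PowerShell starting RegSvcs.exe as an injection host.
            if img == "regsvcs.exe" and parent in POWERSHELLS:
                alerts.append((i, "regsvcs-launched-by-powershell"))
            # RegSvcs.exe should not normally spawn shells.
            if parent == "regsvcs.exe" and img in SHELLS:
                alerts.append((i, "regsvcs-unusual-child"))
            # Persistence: scheduled task whose action is a script host or script file.
            if img == "schtasks.exe" and "/create" in cmd and (
                any(h in cmd for h in SCRIPT_HOSTS) or SCRIPT_EXT_RE.search(cmd)
            ):
                alerts.append((i, "scheduled-task-runs-script"))
        elif ev["id"] == 22:
            # Stage 2: geolocation lookup issued by a script host rather than a browser.
            q = ev.get("query", "").lower()
            geo = any(q == d or q.endswith("." + d) for d in GEO_DOMAINS)
            if geo and img in SCRIPT_HOSTS | POWERSHELLS:
                alerts.append((i, "geolocation-lookup-from-script-host"))
    return alerts


if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately keyed on parent/child relationships and on which process issues the DNS query, so a browser visiting geojs.io or a user running PowerShell from Explorer does not alert; tune the process sets to your environment before deploying anything like this.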
This loader exemplifies attackers’ increasing reliance on layered obfuscation and geographic targeting to maximize impact. Regular updates to detection rules and behavioral analytics are critical to counter such threats.