Cybersecurity researchers have uncovered a sophisticated JScript-to-PowerShell loader delivering XWorm RAT and Rhadamanthys Stealer through a geofenced, multi-stage execution chain.
The attack leverages obfuscation, geolocation checks, and fileless techniques to evade detection.
Stage 1: JScript Loader Activation
The campaign begins with a malicious JScript file, often distributed via fake CAPTCHA “ClickFix” attacks or scheduled tasks.
At runtime it reassembles a scrambled array of string fragments into a PowerShell command and launches it through mshta.exe, which will evaluate inline JScript passed to it on the command line:
mshta.exe javascript:...<obfuscated JScript>...
Stage 2: Geolocation-Based Payload Selection
The script queries the public geojs.io geolocation service (the URL is listed in the IOC table below) to determine the victim's country and selects the payload based on the result.
Geofencing of this kind keeps the payload away from regions the operators want to avoid and frustrates analysis: a sandbox whose egress IP falls outside the targeted countries never receives the real payload, so automated detonation sees only the harmless branch.
String Manipulation
Process & File Cleanup
Fileless Execution via RegSvcs.exe
The deobfuscated loader reflectively loads a .NET assembly from an in-memory byte array and then calls one of its static methods with two arguments, a file path and a second byte array. Given the section heading, the path is presumably that of RegSvcs.exe, the .NET utility used as the host for the final payload, though the excerpt does not show the value explicitly:
[System.Reflection.Assembly]::Load($data1)   # load the injector assembly from memory; nothing is written to disk
$Method.Invoke($null, @($path, $data2))      # $null target = static method; $path = host process, $data2 = payload bytes
Why This Matters
Indicators of Compromise (IOCs)
Type | Value
Loader SHA256 | 70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb
XWorm SHA256 | b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda
Geolocation check URL (third-party service, not attacker-controlled C2) | hxxps://get.geojs[.]io/v1/ip/geo.json
Staging directory | C:\ProgramData\loralylomyra
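The following is an added detection example, not code from the article or from the researchers who reported the campaign. It encodes the behaviors described in Stages 1 through 3 as checks over simplified Sysmon-style process-creation and file-creation events and PowerShell script-block (EventID 4104) text, then counts how many distinct stages were seen on a host. All sample events are constructed for illustration; only the geojs URL, RegSvcs.exe and the staging directory come from the page. The inclusion of RegAsm, InstallUtil and MSBuild alongside RegSvcs, and the three-rule chain threshold, are my assumptions.

```python
"""Behavioral detections for the mshta -> PowerShell -> geofence -> reflective
load -> RegSvcs.exe chain described on this page.

Added example, not code from the article or the researchers. Event shapes are
simplified Sysmon (EventID 1 process create, 11 file create) and PowerShell
script block (EventID 4104) records; every sample event below is constructed."""
import re

PS_NAMES = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# RegSvcs.exe is the host named on the page; the other three are my assumption,
# added because they are the usual sibling .NET utilities abused the same way.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

GEO_RE = re.compile(r"\bgeojs\.io\b", re.I)
REFLECT_RE = re.compile(r"\[System\.Reflection\.Assembly\]::Load\s*\(", re.I)
INVOKE_RE = re.compile(r"\.Invoke\s*\(\s*\$null\s*,", re.I)
STAGING_RE = re.compile(r"C:\\ProgramData\\loralylomyra", re.I)  # path from the IOC table


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def mshta_inline_script(ev):
    """Stage 1: mshta.exe handed a javascript:/vbscript: URI on its command line."""
    return (ev["id"] == 1 and _base(ev["image"]) == "mshta.exe"
            and re.search(r"\b(javascript|vbscript):", ev["cmdline"], re.I) is not None)


def powershell_from_script_host(ev):
    """Stage 1: PowerShell spawned by mshta/wscript/cscript."""
    return ev["id"] == 1 and _base(ev["image"]) in PS_NAMES and _base(ev["parent"]) in SCRIPT_HOSTS


def geofence_lookup(ev):
    """Stage 2: script block calling the geojs.io geolocation API."""
    return ev["id"] == 4104 and GEO_RE.search(ev["script"]) is not None


def reflective_assembly_load(ev):
    """Stage 3: Assembly::Load of a byte array followed by a static Invoke."""
    return (ev["id"] == 4104 and REFLECT_RE.search(ev["script"]) is not None
            and INVOKE_RE.search(ev["script"]) is not None)


def dotnet_host_from_powershell(ev):
    """Stage 3: RegSvcs.exe (or a sibling .NET utility) started by PowerShell."""
    return ev["id"] == 1 and _base(ev["image"]) in DOTNET_HOSTS and _base(ev["parent"]) in PS_NAMES


def ioc_staging_dir(ev):
    """Any event that references the staging directory from the IOC table."""
    text = " ".join(str(ev.get(k, "")) for k in ("cmdline", "script", "target"))
    return STAGING_RE.search(text) is not None


RULES = [mshta_inline_script, powershell_from_script_host, geofence_lookup,
         reflective_assembly_load, dotnet_host_from_powershell, ioc_staging_dir]


def detect(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


def chain_verdict(hits, threshold=3):
    """(distinct stages seen, full-chain flag). Three or more distinct rules on one
    host is treated as the chain; the threshold is an assumption to tune locally."""
    stages = {name for name, _ in hits}
    return len(stages), len(stages) >= threshold


SAMPLE_EVENTS = [  # constructed; only the URL, RegSvcs.exe and the path are from the page
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'mshta.exe javascript:eval("...")'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe -w hidden -ep bypass -enc ..."},
    {"id": 4104, "script": "$g = Invoke-RestMethod 'https://get.geojs.io/v1/ip/geo.json'; if ($g.country_code -ne 'XX') { exit }"},
    {"id": 4104, "script": "[System.Reflection.Assembly]::Load($data1); $Method.Invoke($null, @($path, $data2))"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "RegSvcs.exe"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\ProgramData\loralylomyra\stage.bin"},
    # benign activity that must stay quiet
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
    {"id": 4104, "script": "Get-ChildItem C:\\ProgramData | Measure-Object"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for name, i in hits:
        print(f"{name:<28} event #{i}")
    print("distinct stages, full chain:", chain_verdict(hits))
```

Two caveats for anyone adapting this: the two 4104 rules only work if PowerShell script block logging is enabled on the endpoint, and the geojs.io rule alone is not an alert, because the service is legitimate and widely used; it earns its keep as context that raises the chain score when the mshta, reflective-load or RegSvcs rules also fire on the same host.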
This loader exemplifies attackers’ increasing reliance on layered obfuscation and geographic targeting to maximize impact. Regular updates to detection rules and behavioral analytics are critical to counter such threats.