Cybersecurity researchers have uncovered a sophisticated JScript-to-PowerShell loader delivering XWorm RAT and Rhadamanthys Stealer through a geofenced, multi-stage execution chain.
The attack leverages obfuscation, geolocation checks, and fileless techniques to evade detection.
Stage 1: JScript Loader Activation
The campaign begins with a malicious JScript file, often distributed via fake CAPTCHA “ClickFix” attacks or scheduled tasks.
It executes a PowerShell command crafted by dynamically reassembling a scrambled array of code snippets. The loader uses mshta.exe to trigger execution:
mshta.exe javascript:...<obfuscated JScript>...
Stage 2: Geolocation-Based Payload Selection
The script queries geojs.io to determine the victim’s country.
This geofencing tactic reduces exposure in high-risk regions and complicates analysis.
String Manipulation
Process & File Cleanup
Fileless Execution via RegSvcs.exe
The deobfuscated loader loads a decrypted assembly straight from memory and then invokes a method on it, passing a target path and a second payload buffer, so no intermediate executable has to be written to disk:
# Load the decoded .NET assembly ($data1) directly from memory
[System.Reflection.Assembly]::Load($data1)
# Invoke the resolved method, handing it a path and the second payload buffer ($data2)
$Method.Invoke($null, @($path, $data2))
Why This Matters
Indicators of Compromise (IOCs)
| Type | Value |
| --- | --- |
| Loader SHA256 | 70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb |
| XWorm SHA256 | b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda |
| C2 Domains | hxxps://get.geojs[.]io/v1/ip/geo.json (Geocheck) |
| Temp Directory | C:\ProgramData\loralylomyra |
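The following Python hunting script is an added example, not code from the researchers or the article, that turns the Stage 1 (mshta.exe with an inline javascript: URL), fileless-execution (in-memory Assembly.Load followed by a reflective Invoke, RegSvcs.exe spawned by PowerShell) and IOC sections above into checks that run over telemetry events. The event schema (dicts with kind, image, cmdline, parent, script, sha256, path and host fields), the rule names and the sample events are assumptions standing in for Sysmon or EDR output; the hashes, host and directory are the article's own IOCs, with the defanged URL refanged for matching.

```python
"""Behavioural and IOC hunt for the JScript -> PowerShell -> RegSvcs.exe loader chain.

Added example for this article, not the researchers' tooling. The event schema
below is a constructed, hypothetical stand-in for Sysmon/EDR telemetry; the IOC
values come from the article's table and the sample events are constructed.
"""
import re

# IOCs from the article's table (defanged URL refanged for matching).
IOC_SHA256 = {
    "70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb": "loader",
    "b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda": "XWorm",
}
IOC_HOSTS = {"get.geojs.io"}
IOC_PATH_PREFIX = "c:\\programdata\\loralylomyra\\"


def _mshta_js_protocol(ev):
    # Stage 1: mshta.exe launched with an inline javascript: URL instead of an .hta file
    return (ev.get("kind") == "process"
            and ev.get("image", "").lower().endswith("mshta.exe")
            and re.search(r"javascript\s*:", ev.get("cmdline", ""), re.I) is not None)


def _reflective_assembly_load(ev):
    # Script block logging: in-memory Assembly.Load followed by a reflective Invoke
    script = ev.get("script", "")
    return (ev.get("kind") == "scriptblock"
            and re.search(r"\[System\.Reflection\.Assembly\]::Load\(", script, re.I) is not None
            and re.search(r"\.Invoke\(\s*\$null", script, re.I) is not None)


def _regsvcs_from_powershell(ev):
    # RegSvcs.exe as a child of PowerShell is rare outside .NET development hosts
    return (ev.get("kind") == "process"
            and ev.get("image", "").lower().endswith("regsvcs.exe")
            and ev.get("parent", "").lower().endswith("powershell.exe"))


# Behavioural rules: (detection name, predicate over one event). Assumed names.
RULES = [
    ("mshta_javascript_protocol", _mshta_js_protocol),
    ("powershell_reflective_assembly_load", _reflective_assembly_load),
    ("regsvcs_spawned_by_powershell", _regsvcs_from_powershell),
]


def ioc_hits(ev):
    """Match a single event against the hash, host and path IOCs."""
    hits = []
    sha = ev.get("sha256", "").lower()
    if sha in IOC_SHA256:
        hits.append(f"ioc_sha256:{IOC_SHA256[sha]}")
    if ev.get("host", "").lower() in IOC_HOSTS:
        hits.append("ioc_host:get.geojs.io")
    if ev.get("path", "").lower().startswith(IOC_PATH_PREFIX):
        hits.append("ioc_path:loralylomyra")
    return hits


def hunt(events):
    """Return {event_index: [detections]} for every event that trips a rule or an IOC."""
    findings = {}
    for i, ev in enumerate(events):
        det = [name for name, pred in RULES if pred(ev)] + ioc_hits(ev)
        if det:
            findings[i] = det
    return findings


# Constructed sample telemetry (not real logs): the first event is benign mshta
# usage, the rest mimic the chain described in the article.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\manual.hta", "parent": "explorer.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe javascript:var a=["..."];eval(a.join(""));', "parent": "explorer.exe"},
    {"kind": "network", "image": "powershell.exe", "host": "get.geojs.io"},
    {"kind": "scriptblock", "script": "[System.Reflection.Assembly]::Load($data1)\n"
                                      "$Method.Invoke($null, @($path, $data2))"},
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": "RegSvcs.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"kind": "file", "path": r"C:\ProgramData\loralylomyra\stage2.bin",
     "sha256": "B5B4359EE5A79B06B388CEBABB9FA2FAABD4D920A10563947A0E5C5F94056BDA"},
]

if __name__ == "__main__":
    for idx, det in hunt(SAMPLE_EVENTS).items():
        print(idx, det)
```

The behavioural rules carry the weight here: geojs.io is a legitimate geolocation API, so the host IOC on its own is a weak signal and is best used to corroborate a process or script-block hit on the same machine within a short window. Hash matching catches only these two samples, while the mshta javascript: and Assembly.Load/Invoke patterns survive the next repack of the loader.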
This loader exemplifies attackers’ increasing reliance on layered obfuscation and geographic targeting to maximize impact. Regular updates to detection rules and behavioral analytics are critical to counter such threats.