Tax Themed Threat Delivers XWorm RAT

Researchers uncovered a tax-themed phishing campaign that delivers XWorm as its final payload. The chain begins with a malicious JavaScript file downloaded from a compromised website; that file fetches a PowerShell script, which terminates selected processes, opens a decoy PDF to keep the victim's attention, injects the final payload into the signed Microsoft .NET binaries MSBuild.exe and RegSvcs.exe so that the malicious code runs under trusted process names, and adds exclusions to Windows Defender so the dropped files are not scanned. It establishes persistence through scheduled tasks and registry keys and disables the Windows firewall to reduce the chance of the RAT's network traffic being blocked. The final payload, XWorm v5.2, is a Remote Access Trojan (RAT) that gives the threat actor remote control of the host and can be used for a range of follow-on malicious activity.
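The behaviours listed above (Defender exclusions, scheduled-task and Run-key persistence, firewall disablement, a decoy PDF, and MSBuild.exe/RegSvcs.exe as injection targets) are individually common in benign administration, but a host showing several of them in one PowerShell session is worth an alert. The script below is an added example written for this page, not tooling from the researchers; it triages PowerShell script block log text (Event ID 4104 style) for those behaviours and alerts on hosts that show several at once. The regexes are assumptions about how such actions typically appear in logs, not indicators taken from the report, and the sample events are constructed.

```python
import re
from collections import Counter

# Behaviours named in the write-up, mapped to regexes over logged command text.
# The patterns are this example's assumptions, not IOCs from the report.
INDICATORS = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "firewall_disabled": re.compile(
        r"(Set-NetFirewallProfile\b[^\n]*-Enabled\s+False"
        r"|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off)", re.I),
    "scheduled_task": re.compile(
        r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask\b)", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run\b", re.I),
    "lolbin_injection_target": re.compile(r"\b(MSBuild|RegSvcs)\.exe\b", re.I),
    "decoy_document": re.compile(r"Start-Process\b[^\n]*\.pdf\b", re.I),
}

# Distinct behaviours a single host must exhibit before we raise an alert.
ALERT_THRESHOLD = 3


def classify_block(text):
    """Return the set of indicator names that match one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def triage(events):
    """events: iterable of (host, script_text).

    Returns {host: {indicator_name: hit_count}} for hosts with at least one hit.
    """
    per_host = {}
    for host, text in events:
        hits = classify_block(text)
        if hits:
            per_host.setdefault(host, Counter()).update(hits)
    return {host: dict(counts) for host, counts in per_host.items()}


def hosts_to_alert(per_host, threshold=ALERT_THRESHOLD):
    """Hosts showing at least `threshold` distinct behaviours from the chain."""
    return sorted(h for h, c in per_host.items() if len(c) >= threshold)


# Constructed sample events (host, script block text); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-17", 'Add-MpPreference -ExclusionPath "C:\\Users\\Public"'),
    ("WS-17", 'Start-Process "C:\\Users\\Public\\Refund_Form.pdf"'),
    ("WS-17", 'schtasks /create /sc minute /mo 5 /tn Updater '
              '/tr "powershell -w hidden -f C:\\Users\\Public\\u.ps1"'),
    ("WS-17", 'Set-ItemProperty "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
              '-Name Updater -Value "C:\\Users\\Public\\u.ps1"'),
    ("WS-17", 'Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'),
    ("WS-17", 'Start-Process "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"'),
    # One-off admin action on another host: a single behaviour, no alert.
    ("WS-03", 'Set-NetFirewallProfile -Profile Public -Enabled False'),
    ("WS-09", 'Get-ChildItem C:\\Temp | Remove-Item'),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host, counts in results.items():
        print(host, counts)
    print("alert:", hosts_to_alert(results))
```

Two caveats: this only works where PowerShell script block logging is enabled and the script is not obfuscated beyond what these patterns catch, so treat it as a cheap first pass and corroborate with Defender's own configuration-change events and scheduled-task creation events rather than relying on it alone. The distinct-behaviour threshold, rather than a raw hit count, is what keeps a single legitimate firewall change from paging anyone.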