Security researchers at Securonix have uncovered a sophisticated multi-stage malware campaign dubbed VOID#GEIST that delivers three separate remote access trojans (RATs) through an elaborate infection chain designed to evade detection.
A Modular Attack Framework
Unlike traditional malware that relies on standalone executables, VOID#GEIST employs a modular pipeline comprising batch scripts for orchestration, PowerShell for stealthy staging, legitimate embedded Python runtimes for portability, and raw shellcode executed directly in memory. This fileless execution mechanism minimizes disk-based detection opportunities.
“Modern malware campaigns increasingly shift from standalone executables toward complex, script-based delivery frameworks that closely mimic legitimate user activity,” Securonix researchers explained.
Infection Chain Breakdown
Stage 1: Initial Access
The attack begins with a batch script distributed via phishing emails, fetched from a TryCloudflare domain. Upon execution, it displays a decoy PDF document (typically a financial invoice) using Google Chrome in full-screen mode while simultaneously launching hidden PowerShell commands.
Stage 2: Persistence
An auxiliary batch script is placed in the Windows user’s Startup directory, ensuring execution on every login. This approach operates entirely within user-level permissions, avoiding registry modifications or scheduled tasks that would trigger security alerts.
Stage 3: Payload Deployment
The malware fetches ZIP archives from TryCloudflare containing:
- runn.py – Python-based loader for decrypting and injecting shellcode
- new.bin – Encrypted XWorm payload
- xn.bin – Encrypted Xeno RAT payload
- pul.bin – Encrypted AsyncRAT payload
- JSON key files for runtime decryption
Early Bird APC Injection Technique
A critical component of VOID#GEIST is its use of Early Bird Asynchronous Procedure Call (APC) injection (MITRE ATT&CK: T1055.004) to inject decrypted shellcode into separate instances of explorer.exe. This technique enables code execution before the target process’s entry point runs, making detection extremely difficult.
Abuse of Legitimate Runtimes
The attackers deploy a legitimate Python runtime downloaded directly from python.org, eliminating system dependencies and ensuring consistent execution across environments. Additionally, they abuse AppInstallerPythonRedirector.exe, a legitimate Microsoft binary, to invoke Python and launch Xeno RAT—a classic Living Off the Land (LOTL) technique.
Defense Recommendations
Organizations should consider the following defensive measures:
- Monitor process injection patterns – Repeated injection into explorer.exe within short time windows is a strong behavioral indicator
- Track embedded Python runtimes – Unusual Python installations outside standard directories should trigger alerts
- Block TryCloudflare abuse – Consider monitoring or restricting access to dynamic TryCloudflare domains
- Enable script logging – PowerShell ScriptBlock logging and command-line auditing can help detect obfuscated batch scripts
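To make the first three recommendations concrete, the following is an added example (not code from the article or from the Securonix report) of the hunting logic a defender could run over process telemetry. It uses a constructed, simplified Sysmon-like event set (event id 1 for process creation, event id 10 for process access) and a constructed file listing; the field names, the user and Temp paths, the WindowsApps package directory and the list of "standard" Python install locations are all assumptions to be tuned for a real estate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# Constructed sample telemetry in a simplified Sysmon-like shape (not real
# log records): id 1 = process creation, id 10 = process access.
# The Temp directory and the WindowsApps package folder are placeholders.
PY_TMP = r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe"
EXPLORER = r"C:\Windows\explorer.exe"
REDIRECTOR = r"C:\Program Files\WindowsApps\PLACEHOLDER_PACKAGE\AppInstallerPythonRedirector.exe"

SAMPLE_EVENTS = [
    {"id": 1, "ts": "2024-01-01T10:00:05", "image": PY_TMP, "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 10, "ts": "2024-01-01T10:00:06", "source": PY_TMP, "target": EXPLORER},
    # benign, single access to explorer.exe from a system process
    {"id": 10, "ts": "2024-01-01T10:00:07", "source": r"C:\Windows\System32\csrss.exe", "target": EXPLORER},
    {"id": 10, "ts": "2024-01-01T10:00:09", "source": PY_TMP, "target": EXPLORER},
    {"id": 10, "ts": "2024-01-01T10:00:14", "source": PY_TMP, "target": EXPLORER},
    {"id": 1, "ts": "2024-01-01T10:00:20", "image": PY_TMP, "parent": REDIRECTOR},
    # benign developer use of a normally installed interpreter
    {"id": 1, "ts": "2024-01-01T10:05:00", "image": r"C:\Program Files\Python311\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Constructed file listing standing in for an enumeration of user profiles.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.bat",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\Documents\notes.bat",
]

# Assumed "expected" Python install locations; tune to your environment.
STANDARD_PYTHON = re.compile(
    r"^c:\\(program files( \(x86\))?\\python|users\\[^\\]+\\appdata\\local\\programs\\python\\)",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE
)


def _name(path):
    return basename(path).lower()


def repeated_explorer_injections(events, window_seconds=60, threshold=3):
    """Map each source image to the largest number of explorer.exe accesses it
    made inside any sliding window of `window_seconds`; only sources reaching
    `threshold` are returned. Repeated access in a short window is the
    behavioural signal, not any single access."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 10 and _name(e["target"]) == "explorer.exe":
            by_source[e["source"].lower()].append(datetime.fromisoformat(e["ts"]))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, times in by_source.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hits[src] = max(hits.get(src, 0), j - i)
    return hits


def python_outside_standard_dirs(events):
    """Images named python.exe started from a directory that is not one of the
    assumed standard install locations (e.g. an interpreter dropped in Temp)."""
    return [e["image"] for e in events
            if e["id"] == 1 and _name(e["image"]) == "python.exe"
            and not STANDARD_PYTHON.match(e["image"])]


def redirector_launched_python(events):
    """python.exe whose parent is AppInstallerPythonRedirector.exe, the
    living-off-the-land launch path described in the article."""
    return [e["image"] for e in events
            if e["id"] == 1 and _name(e["image"]) == "python.exe"
            and _name(e["parent"]) == "appinstallerpythonredirector.exe"]


def startup_batch_files(file_listing):
    """Batch or command scripts sitting in a per-user Startup folder, the
    user-level persistence location used by the campaign."""
    return [p for p in file_listing
            if STARTUP_DIR.search(p) and p.lower().endswith((".bat", ".cmd"))]


def run_all(events, files):
    """Bundle every check into one findings dictionary for a report."""
    return {
        "repeated_explorer_injections": repeated_explorer_injections(events),
        "python_outside_standard_dirs": python_outside_standard_dirs(events),
        "redirector_launched_python": redirector_launched_python(events),
        "startup_batch_files": startup_batch_files(files),
    }


if __name__ == "__main__":
    for rule, finding in run_all(SAMPLE_EVENTS, SAMPLE_FILES).items():
        print(f"{rule}: {finding}")
```

On a real host the event list would come from a Sysmon or EDR export and the file listing from enumerating each profile's Startup folder; the threshold and window for the injection rule are the parameters most worth tuning against a baseline of legitimate explorer.exe access on the estate.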
Indicators of Compromise
The campaign leverages TryCloudflare infrastructure for both initial delivery and command-and-control communications. Specific indicators are available in Securonix’s full technical report.
Source: The Hacker News | Securonix Threat Research
