Users deceived into downloading Xworm Remote Access Trojan (RAT) via weaponized ScreenConnect remote monitoring and management (RMM) tool.
In a recent cybersecurity incident, adversaries have been found to co-opt trusted tools and AI branding in an attempt to bypass automated defenses. This latest campaign, uncovered by the SpiderLabs team, involved the use of the legitimate remote management tool, ScreenConnect, to deploy the Xworm Remote Access Trojan (RAT).
The operation began with social engineering lures masquerading as AI video files. Victims were enticed to visit a fake AI website, "gptgrok[.]ai," which redirected to "anhemvn6[.]com." Once on these sites, users were tricked into downloading files named after AI companies, such as "Creation_Made_By_GrokAI.mp4 Grok.com" or "Creation_Made_By_GoogleAI.mp4 Google.com." In reality, these files were the ScreenConnect.ClientSetup.msi installer.
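The lure above pairs an AI-branded, video-looking display name with what is really an MSI installer. As an added example (not code from the SpiderLabs report), the following Python triage check flags a download whose name claims a media extension but whose first bytes are an OLE compound file, the container format of an .msi. The two lure names are the ones quoted in the report; the file headers, the benign control files and the extension lists are constructed for illustration.

```python
"""Added example, not from the SpiderLabs report: triage downloaded files whose
name claims to be a video while their content is a Windows Installer package."""
import re

# Windows Installer (.msi) files are OLE Compound File Binary containers.
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".mkv"}
EXEC_EXTS = {".msi", ".exe", ".com", ".scr", ".bat", ".cmd"}
# Extensions under which an OLE container is expected (installers, legacy Office).
OLE_EXPECTED_EXTS = {".msi", ".msp", ".doc", ".xls", ".ppt"}
# A '.ext' token counts only when followed by whitespace or end of name, so
# 'ScreenConnect.ClientSetup.msi' yields just ['.msi'].
EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}(?=\s|$)")


def claimed_extensions(name):
    """All '.ext' tokens in the display name, lowercase, in order of appearance.
    'Creation_Made_By_GrokAI.mp4 Grok.com' -> ['.mp4', '.com']"""
    return [m.lower() for m in EXT_RE.findall(name)]


def sniff_container(head):
    """Identify the container from the first bytes, ignoring the name entirely."""
    if head.startswith(OLE_CFB_MAGIC):
        return "ole-cfb"            # what an .msi actually is
    if len(head) >= 8 and head[4:8] == b"ftyp":
        return "mp4"                # ISO base media file (MP4/MOV)
    return "unknown"


def classify_download(name, head):
    """Compare what the name claims with what the bytes are; return a verdict."""
    exts = claimed_extensions(name)
    container = sniff_container(head)
    claims_media = any(e in MEDIA_EXTS for e in exts)
    reasons = []
    if claims_media and exts and exts[-1] in EXEC_EXTS:
        reasons.append(f"media extension followed by executable extension {exts[-1]}")
    if claims_media and container == "ole-cfb":
        reasons.append("name claims a video but content is an OLE/MSI container")
    if container == "ole-cfb" and not any(e in OLE_EXPECTED_EXTS for e in exts):
        reasons.append("OLE/MSI container under a non-installer extension")
    return {"name": name, "extensions": exts, "container": container,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample inputs: the two lure names quoted in the report, given a
# 32-byte OLE header, plus two invented benign controls (a real video and an
# honestly named ScreenConnect installer, which must not be flagged).
SAMPLES = [
    ("Creation_Made_By_GrokAI.mp4 Grok.com", OLE_CFB_MAGIC + b"\x00" * 24),
    ("Creation_Made_By_GoogleAI.mp4 Google.com", OLE_CFB_MAGIC + b"\x00" * 24),
    ("holiday_2024.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 20),
    ("ScreenConnect.ClientSetup.msi", OLE_CFB_MAGIC + b"\x00" * 24),
]


def triage(samples=SAMPLES):
    """Return only the suspicious verdicts."""
    return [v for v in (classify_download(n, h) for n, h in samples) if v["suspicious"]]


if __name__ == "__main__":
    for v in triage():
        print(v["name"], "->", "; ".join(v["reasons"]))
```

The check deliberately keeps the honestly named installer clean: the signal is the mismatch between the claimed type and the real container, not the presence of an MSI as such. Only the first few dozen bytes of each file are needed, so the same logic fits a download-folder sweep or a proxy-side scan.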
As adversaries refine their tradecraft, they are leveraging code-signing manipulation, fileless execution, and legitimate management platforms. In this case, the attackers abused Microsoft Authenticode code-signing to embed their malicious configuration inside the digital signature of the legitimate ScreenConnect binary.
During the remote access session, the attackers deployed a batch script, "X-META Firebase_crypted.bat," which triggered mshta.exe to launch another hidden batch file. The threat actors then used process hollowing of msedge.exe and chrome.exe, injecting Base64-encoded Python commands fetched directly from a public GitHub repository.
The investigation highlighted the growing trend of attackers using WMI queries to gather operating system and antivirus details. Persistence was established by creating a Run key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named "Windows Security," pointing to a "backup.bat" script in "C:\xmetavip."
One final payload script, "Exppiyt.txt," embedded a command-and-control server IP (5[.]181[.]165[.]102:7705) that was not flagged as malicious on VirusTotal at the time of analysis. The organization behind the GitHub repository containing the obfuscated Python scripts used by attackers to activate the Xworm RAT is linked to the DPRK (North Korea), as identified by the Trellix Advanced Research Center in their investigation of a GitHub C2 espionage campaign.
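The chain in the three paragraphs above (a script host launched from the RMM session, browsers spawned by mshta.exe, WMI reconnaissance of the OS and antivirus, the "Windows Security" Run key pointing into C:\xmetavip, and the C2 endpoint) can be written as hunting rules. The following Python is an added example, not the SpiderLabs team's code: it runs five rules over a small constructed set of Sysmon-style events modelled on the report. The Run key name and path, the batch file name and the C2 IP and port come from the text; the process IDs, the stage2.hta name, the explicit SecurityCenter2/AntiVirusProduct WMI query (the report does not quote the query) and the benign control events are assumptions for illustration.

```python
"""Added example, not from the SpiderLabs report: hunt rules over constructed
Sysmon-style endpoint events modelled on the ScreenConnect-to-Xworm chain."""

# Indicators taken from the report text.
C2_IOCS = {("5.181.165.102", 7705)}
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
PERSIST_DIR = "c:\\xmetavip"

RMM_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")

# Constructed sample telemetry (simplified Sysmon events 1, 3 and 13).
# pids, the stage2.hta name, the WMI query text and the benign rows are invented.
EVENTS = [
    {"type": "process", "pid": 800, "ppid": 4, "image": "services.exe", "cmdline": "services.exe"},
    {"type": "process", "pid": 1200, "ppid": 800, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4000, "ppid": 800, "image": "ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"type": "process", "pid": 4100, "ppid": 4000, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\alice\\Downloads\\X-META Firebase_crypted.bat"'},
    {"type": "process", "pid": 4112, "ppid": 4100, "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\xmetavip\\stage2.hta"},
    {"type": "process", "pid": 4130, "ppid": 4112, "image": "msedge.exe", "cmdline": "msedge.exe"},
    {"type": "process", "pid": 4140, "ppid": 4100, "image": "wmic.exe",
     "cmdline": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"type": "registry", "pid": 4100,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Security",
     "value": "C:\\xmetavip\\backup.bat"},
    {"type": "network", "pid": 4130, "dst_ip": "5.181.165.102", "dst_port": 7705},
    # Benign activity that must not fire: a user-launched browser, a normal Run value.
    {"type": "process", "pid": 5000, "ppid": 1200, "image": "msedge.exe", "cmdline": "msedge.exe"},
    {"type": "registry", "pid": 5010,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "value": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},
    {"type": "network", "pid": 5000, "dst_ip": "203.0.113.10", "dst_port": 443},
]


def build_tree(events):
    """Map pid -> process-creation event so rules can walk parent chains."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(pid, procs):
    """[self, parent, grandparent, ...] as lowercase image names; stops at unknown pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def rule_script_host_under_rmm(ev, procs):
    # cmd.exe under an RMM agent is routine for admins; the full chain is what
    # an analyst needs to decide, so it is included in the finding.
    if ev["type"] != "process" or ev["image"].lower() not in SCRIPT_HOSTS:
        return None
    chain = lineage(ev["pid"], procs)
    if any(img in RMM_IMAGES for img in chain[1:]):
        return f"{ev['image']} descends from an RMM session: {' <- '.join(chain)}"


def rule_browser_spawned_by_script_host(ev, procs):
    # A browser whose parent is mshta/cmd/powershell is a classic hollowing host.
    if ev["type"] != "process" or ev["image"].lower() not in BROWSERS:
        return None
    chain = lineage(ev["pid"], procs)
    if len(chain) > 1 and chain[1] in SCRIPT_HOSTS:
        return f"browser {ev['image']} launched by {chain[1]} (possible hollowing host)"


def rule_av_recon_via_wmi(ev, procs):
    if ev["type"] != "process":
        return None
    c = ev["cmdline"].lower()
    if "securitycenter2" in c or "antivirusproduct" in c:
        return f"security-product enumeration via WMI: {ev['cmdline']}"


def rule_run_key_script(ev, procs):
    # Run values pointing at scripts or into the report's staging directory.
    if ev["type"] != "registry" or not ev["key"].lower().startswith(RUN_KEY):
        return None
    v = ev["value"].lower()
    if v.endswith(SCRIPT_EXTS) or v.startswith(PERSIST_DIR):
        return f"Run value '{ev['key'].rsplit(chr(92), 1)[-1]}' -> {ev['value']}"


def rule_c2_ioc(ev, procs):
    if ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in C2_IOCS:
        return f"connection to known C2 {ev['dst_ip']}:{ev['dst_port']} by pid {ev['pid']}"


RULES = [rule_script_host_under_rmm, rule_browser_spawned_by_script_host,
         rule_av_recon_via_wmi, rule_run_key_script, rule_c2_ioc]


def hunt(events):
    """Run every rule over every event; return one finding per (rule, event) hit."""
    procs = build_tree(events)
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev, procs)
            if detail:
                findings.append({"rule": rule.__name__, "pid": ev["pid"], "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

Run as a script it prints six findings and nothing for the explorer-launched browser or the OneDrive Run value. In production the same rules would read Sysmon (Event IDs 1, 3 and 13) or an EDR export rather than an inline list. The lineage walk is the part worth keeping: a cmd.exe under an RMM agent is ordinary administration, and it is the descent of mshta.exe and then a browser from that session, together with the Run key and the outbound connection, that makes the chain match what the report describes.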
The SpiderLabs team's investigation demonstrated that only through meticulous manual timeline analysis and behavioral hunting can these stealthy attacks be revealed. As such, organizations must invest in skilled threat hunters who can think like attackers. The incident underscores how modern Endpoint Detection and Response (EDR) and signature-based solutions struggle to detect such threats, and how human-led threat hunting proves essential in catching activity that slips past those defenses.
The campaign also involved attempts to harvest browser-stored login data from Firefox profiles. The findings of the SpiderLabs team reinforce the advantage of combining automated detection with expert analysis to uncover hidden threats before they can inflict damage, and underscore the need for vigilance and adaptive cybersecurity strategies in the face of increasingly sophisticated adversaries.