
Unveiling VOID#GEIST: The Multi-Stage Malware Campaign Delivering XWorm, AsyncRAT, and Xeno

Security Arsenal Team
March 14, 2026


In the constantly shifting landscape of cyber threats, Remote Access Trojans (RATs) remain a favorite tool for adversaries due to their versatility and stealth. Recently, Securonix Threat Research unveiled a new, highly elusive operation codenamed VOID#GEIST. This campaign distinguishes itself not just through the malware it delivers—namely XWorm, AsyncRAT, and Xeno RAT—but through its intricate, multi-stage execution chain that relies heavily on obfuscated batch scripts.

For organizations in Dallas and beyond, understanding the nuances of this attack vector is critical. VOID#GEIST represents a shift towards "living-off-the-land" binaries (LOLBins) and script-based loaders that are notoriously difficult to detect using traditional antivirus signatures alone.

The Mechanics of VOID#GEIST

The VOID#GEIST attack chain begins with a deceptive entry point, often a phishing email or a malicious download masquerading as a legitimate utility. Once the initial lure is executed, it triggers an obfuscated batch script (.bat or .cmd).

Unlike a straightforward executable, these batch scripts act as a loader designed to fly under the radar of standard security controls. The script's primary goal is to stage a second-stage payload, which typically involves further obfuscation or the use of legitimate system utilities to decode and load the final RAT in memory. The batch file itself does touch disk, so this is better described as "low-footprint" than truly "fileless": the final payload may never be written to disk in its decoded form, which complicates forensics, while the loader script remains the artifact most likely to be recovered.
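To make the loader stage concrete, here is an added example (not code from the Securonix report or from this page) that resolves two batch obfuscation tricks seen across many campaigns of this type, caret insertion (`c^m^d`) and variable substring extraction (`%v:~17,1%`), in the order cmd.exe applies them: percent expansion first, then caret removal, with carets inside double quotes left literal. The sample script, the variable names and the indicator keywords are constructed for illustration, not taken from VOID#GEIST samples.

```python
"""Resolve caret insertion and %var:~start,len% substring obfuscation in a batch
file, then look for interpreter invocations that only become visible afterwards.
Added example; the sample script below is constructed, not a real loader."""
import re

# Constructed sample: "powershell" is assembled from alphabet slices, carets split keywords.
SAMPLE_BAT = r'''@echo off
set "a=abcdefghijklmnopqrstuvwxyz"
set "b=p^o^w"
%b%%a:~4,1%%a:~17,1%%a:~18,1%%a:~7,1%%a:~4,1%%a:~11,1%%a:~11,1% -nop -w hid^den -ep byp^ass -c "iex (gc %TEMP%\s.txt)"
c^m^d /c del %~f0
'''

EXPAND_RE = re.compile(r'[%!]([A-Za-z_]\w*)(?::~(-?\d+)(?:,(-?\d+))?)?[%!]')
SET_RE = re.compile(r'^\s*set\s+(")?([A-Za-z_]\w*)=(.*)$', re.IGNORECASE)
INTERPRETERS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b", re.I)
STEALTH = re.compile(r"(-nop\b|-w\s+hidden|-ep\s+bypass|-enc\b|\biex\b|downloadstring)", re.I)


def batch_substring(value, start, length):
    """Mimic cmd.exe %var:~start,len%: negative start/len count from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = start + length if length >= 0 else n + length
    return value[start:end] if end > start else ""


def expand_vars(line, env):
    """Percent/bang expansion of known variables; unknown ones (e.g. %TEMP%) are left for the analyst."""
    def repl(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        if start is None:
            return env[name]
        return batch_substring(env[name], int(start), int(length) if length is not None else None)
    return EXPAND_RE.sub(repl, line)


def strip_carets(line):
    """Remove escape carets outside double quotes (^^ yields a literal caret)."""
    out, in_quotes, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quotes = not in_quotes
        elif c == '^' and not in_quotes:
            i += 1
            if i < len(line):
                out.append(line[i])
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def deobfuscate(script):
    """Return the script's lines with variables resolved and carets removed."""
    env, resolved = {}, []
    for raw in script.splitlines():
        line = expand_vars(raw, env)          # cmd expands %...% before it parses carets
        m = SET_RE.match(line)
        if m:
            quoted, name, value = m.group(1), m.group(2), m.group(3)
            if quoted and value.endswith('"'):
                value = value[:-1]
            env[name.lower()] = value         # variable names are case-insensitive
        resolved.append(strip_carets(line))
    return resolved


def flag_commands(lines):
    """(line_no, interpreter, stealth switches) for lines that call a script interpreter."""
    hits = []
    for n, line in enumerate(lines):
        m = INTERPRETERS.search(line)
        if m:
            hits.append((n, m.group(1).lower(), sorted({f.lower() for f in STEALTH.findall(line)})))
    return hits


if __name__ == "__main__":
    print("raw      :", flag_commands(SAMPLE_BAT.splitlines()))
    print("resolved :", flag_commands(deobfuscate(SAMPLE_BAT)))
```

Run as-is, the raw script yields no interpreter hits while the resolved script exposes the `powershell -nop -w hidden -ep bypass` line, which is the point: keyword-based signatures on the file as delivered see nothing, so detection has to happen on the resolved command line or at process creation.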

The Payload Trio

The campaign is a delivery mechanism for a dangerous trio of RATs:

  • XWorm: A versatile RAT known for its DDoS capabilities, clipboard manipulation, and ransomware deployment features.
  • AsyncRAT: A popular open-source RAT that allows attackers to remotely monitor and control infected systems, often used to steal sensitive data and credentials.
  • Xeno RAT: A newer, more advanced RAT written in .NET, offering high-performance screen capturing, keylogging, and bypassing UAC (User Account Control).

The use of multiple payloads suggests a "fail-safe" strategy; if one malware is detected and neutralized, the others may still succeed, or the attackers may simply be testing which RAT yields the best results in a specific environment.

Detection and Threat Hunting

Defending against VOID#GEIST requires a shift from reactive signature matching to proactive behavioral analysis. Security teams should monitor for suspicious child process spawning patterns, particularly where cmd.exe or powershell.exe is launched by unusual parent processes.
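The following is an added example, not code from the page or from Securonix, of what that behavioral rule set looks like when run over process-creation events: it scores each event on parent/child pairing, batch execution from user-writable paths, PowerShell stealth switches, and interpreter chaining, and lets a child inherit suspicion from an already flagged parent via pid/ppid. The events, device name, weights and threshold are constructed assumptions to tune per environment; the field names map onto Defender's DeviceProcessEvents columns (InitiatingProcessFileName, ProcessCommandLine, ProcessId, InitiatingProcessId) but are not that schema.

```python
"""Score process-creation events for the loader chain described above.
Added example over constructed events; weights and threshold are assumptions."""
import re

# Parents that typically launch the first stage when a user opens a lure (assumed weights).
LURE_PARENTS = {"winword.exe": 3, "excel.exe": 3, "powerpnt.exe": 3, "outlook.exe": 3,
                "chrome.exe": 3, "msedge.exe": 3, "firefox.exe": 3,
                "7zfm.exe": 3, "winrar.exe": 3, "explorer.exe": 2}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BATCH_RUN = re.compile(r"\s/[ck]\s.*\.(bat|cmd)\b", re.I)
USER_WRITABLE = re.compile(r"\\(downloads|desktop|appdata|temp|programdata|public)\\", re.I)
STEALTH_PS = re.compile(r"(-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass"
                        r"|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|downloadstring|frombase64string)", re.I)

# Constructed sample: a service-run maintenance script, then a lure chain, then benign noise.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T09:00:01", "device": "WS-07", "pid": 500, "ppid": 400, "parent": "svchost.exe",
     "name": "cmd.exe", "cmdline": r"cmd.exe /c C:\Windows\System32\backup.bat"},
    {"ts": "2026-03-10T09:14:02", "device": "WS-07", "pid": 1200, "ppid": 800, "parent": "explorer.exe",
     "name": "cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\jdoe\Downloads\Invoice_2026.bat"'},
    {"ts": "2026-03-10T09:14:03", "device": "WS-07", "pid": 1300, "ppid": 1200, "parent": "cmd.exe",
     "name": "powershell.exe", "cmdline": r'powershell.exe -nop -w hidden -ep bypass -c "iex (gc $env:TEMP\s.txt)"'},
    {"ts": "2026-03-10T09:15:00", "device": "WS-07", "pid": 1400, "ppid": 800, "parent": "explorer.exe",
     "name": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def score_event(ev, flagged_pids):
    """Return (score, reasons) for one event; flagged_pids are suspicious parents on the same device."""
    name, parent, cmd = ev["name"].lower(), ev["parent"].lower(), ev["cmdline"]
    reasons = []
    if name in SCRIPT_HOSTS and parent in LURE_PARENTS:
        reasons.append(("script host spawned by user-facing application", LURE_PARENTS[parent]))
    if name == "cmd.exe" and BATCH_RUN.search(cmd):
        reasons.append(("cmd.exe /c|/k running a batch file", 1))
        if USER_WRITABLE.search(cmd):
            reasons.append(("batch file in a user-writable location", 2))
    if name in ("powershell.exe", "pwsh.exe") and STEALTH_PS.search(cmd):
        reasons.append(("powershell with hidden/bypass/encoded switches", 3))
    if name in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        reasons.append(("interpreter chaining", 1))
    if ev["ppid"] in flagged_pids:
        reasons.append(("child of an already suspicious process", 2))
    return sum(w for _, w in reasons), reasons


def hunt(events, threshold=4):
    """Walk events in time order and return those scoring at or above the threshold."""
    alerts, flagged = [], set()            # flagged holds (device, pid) pairs
    for ev in sorted(events, key=lambda e: e["ts"]):
        flagged_pids = {pid for dev, pid in flagged if dev == ev["device"]}
        score, reasons = score_event(ev, flagged_pids)
        if score >= threshold:
            flagged.add((ev["device"], ev["pid"]))
            alerts.append({"device": ev["device"], "pid": ev["pid"], "name": ev["name"],
                           "score": score, "reasons": [r for r, _ in reasons]})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The service-launched maintenance script scores only one point and stays below the threshold, while the Downloads-folder batch file and the hidden PowerShell it spawns both alert; the inheritance step is what ties the second stage back to the lure even when the PowerShell command line on its own would be ambiguous.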

KQL Queries (Microsoft Sentinel / Defender)

Use the following KQL query to hunt for suspicious batch script activity that may indicate an obfuscated loader:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("cmd.exe", "powershell.exe")
| where ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd"
// cmd.exe runs a script via /c or /k; powershell.exe uses -c/-Command or -f/-File, so do not require "/c" for both
| where (FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"(?i)\s/[ck]\s")
     or (FileName =~ "powershell.exe" and ProcessCommandLine matches regex @"(?i)\s-(c|command|f|file)\s")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc


To hunt for the network side of XWorm or AsyncRAT activity (outbound connections from script hosts to C2 infrastructure), you can use the following query. It surfaces rarely contacted public destinations first; note that a low connection count on its own does not prove beaconing, so review the timing between FirstSeen and LastSeen for the candidates it returns:

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (443, 80, 8080)
| where RemoteIPType == "Public"   // script hosts rarely need to talk to the Internet directly
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Connections asc   // rare destinations first; a handful of evenly spaced connections is the pattern to look for
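Because a low connection count is not what distinguishes a beacon (a RAT checking in every minute produces hundreds of connections a day), the property worth testing is regularity of the intervals. The block below is an added example, not code from the page, that groups connection events by device, process and destination and flags groups whose inter-connection jitter (standard deviation divided by mean interval) is small. The events are constructed, the addresses are documentation ranges (203.0.113.0/24, 198.51.100.0/24), and the thresholds are assumptions.

```python
"""Flag periodic outbound connections from script hosts as beacon candidates.
Added example over constructed events; min_count and max_jitter are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
_BASE = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)


def _ev(device, proc, remote, seconds):
    """Build one constructed connection event with an ISO 8601 timestamp."""
    return {"ts": (_BASE + timedelta(seconds=seconds)).isoformat(),
            "device": device, "process": proc, "remote": remote}


# Constructed sample: a ~60 s beacon with small jitter, bursty irregular traffic, and a two-shot script.
SAMPLE_EVENTS = (
    [_ev("WS-07", "powershell.exe", "203.0.113.10:443", 60 * i + j)
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
    + [_ev("WS-07", "wscript.exe", "198.51.100.20:443", s) for s in [0, 1, 1.5, 2, 40, 41, 300, 305, 900]]
    + [_ev("WS-07", "powershell.exe", "10.0.0.5:8080", s) for s in [10, 600]]
)


def find_beacons(events, min_count=5, max_jitter=0.2, processes=SCRIPT_HOSTS):
    """Group by (device, process, remote); report groups with enough connections whose
    intervals are regular, i.e. pstdev(intervals) / mean(intervals) <= max_jitter."""
    groups = defaultdict(list)
    for ev in events:
        if ev["process"].lower() in processes:
            groups[(ev["device"], ev["process"], ev["remote"])].append(datetime.fromisoformat(ev["ts"]))
    hits = []
    for (device, process, remote), stamps in groups.items():
        if len(stamps) < min_count:
            continue                      # too few observations to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"device": device, "process": process, "remote": remote,
                         "count": len(stamps), "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

Only the powershell.exe group to 203.0.113.10 is reported: the wscript.exe traffic has nine connections but wildly varying gaps, and the internal two-shot never reaches min_count. Real implants add deliberate jitter, so treat max_jitter as a knob to widen once you know the baseline regularity of legitimate script-driven traffic in your environment.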

PowerShell Script for Local Hunting

You can run this PowerShell script on critical endpoints to list recently modified batch files in user profile directories (which include Downloads and AppData\Local\Temp), a common sign of a dropper. Bear in mind that a loader may remove itself after running, so an empty result does not clear a host; pair this check with the process telemetry above.

$Path = "C:\Users"
$Days = 7
$Date = (Get-Date).AddDays(-$Days)

# -Include is honoured together with -Recurse and covers both batch extensions, which -Filter *.bat did not
Get-ChildItem -Path $Path -Include *.bat, *.cmd -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Date -and $_.Length -gt 0 } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

Mitigation Strategies

Protecting your organization from multi-stage malware like VOID#GEIST requires a defense-in-depth approach:

  1. Strict Script Execution Policies: Enforce PowerShell execution policies (e.g., Restricted or AllSigned), but treat them as a safety setting rather than a security boundary: a loader simply passes -ExecutionPolicy Bypass, which is why that switch is a hunting indicator in its own right. Back the policy with AppLocker or Software Restriction Policies, and consider blocking cmd.exe for standard users where business processes permit.

  2. Application Whitelisting: Implement application controls (such as Windows Defender Application Control) to prevent unverified batch scripts and executables from running in user directories.

  3. Macro and Attachment Filtering: Ensure email security solutions are aggressively filtering .bat, .cmd, and .zip files containing scripts.

  4. User Awareness: Train employees to recognize social engineering attempts. VOID#GEIST relies on a user initiating the initial script.
