Full Report
FortiGuard Labs details a new XWorm RAT campaign using multi-language phishing emails, Excel exploits (CVE-2018-0802), HTA execution, and fileless .NET techniques to gain full remote control of Windows systems
Analysis Summary
# Tool/Technique: XWorm RAT Campaign (February 2026)
## Overview
This summary details a multi-stage phishing campaign observed by FortiGuard Labs that deploys the XWorm Remote Access Trojan (RAT) onto Windows systems. The infection relied on social engineering via multi-language phishing emails and exploited an Office vulnerability to download an HTA file, which in turn executed a fileless .NET loader in memory; that loader injected and executed the final XWorm payload via process hollowing.
## Technical Details
- Type: Malware Family (XWorm RAT) & Exploitation Campaign
- Platform: Microsoft Windows
- Capabilities: Full remote control of compromised systems, fileless execution, encrypted C2 communication, plugin architecture.
- First Seen: Analysis date February 10, 2026 (based on article publication).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
- TA0002 - Execution
  - T1204 - User Execution
  - T1127 - Trusted Developer Utilities Proxy Execution (XWorm payload hollowed into `Msbuild.exe`)
- TA0003 - Persistence (Implied by RAT functionality)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Shellcode decryption, Fileless .NET execution)
  - T1055 - Process Injection (Process Hollowing)
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol (Encrypted C2 traffic)
## Functionality
### Core Capabilities
- **Malware Delivery:** Utilized malicious Excel add-in files (.XLAM) embedded with an OLE object exploiting CVE-2018-0802.
- **Staging:** Exploitation leads to the download and execution of an HTA file.
- **Fileless Execution:** HTA execution triggers PowerShell, which downloads a .NET module and loads it directly into memory, so the second stage is not initially written to disk.
- **Payload Injection:** The .NET module performs process hollowing to inject the final XWorm payload into a legitimate `Msbuild.exe` process.
### Advanced Features
- **XWorm RAT Functionality:** Provides attackers with full remote control over the victim's Windows system.
- **Encryption:** XWorm uses encrypted network traffic for command-and-control communication.
- **Extensibility:** Features a plugin architecture, suggesting modular and extendable capabilities post-compromise.
- **Social Engineering:** Employed multi-language, business-themed lures (payment requests, purchase orders, bank documents) to maximize initial compliance.
## Indicators of Compromise
- File Hashes (SHA-256 of the relevant samples):
  - `EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D` (SNEV_VEND_026011406440.xlam)
  - `3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5` (optimized_MSI_lpsd9p.jpg)
  - `FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B` (HGG.hta / VA5.hta)
  - `EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6` (XWorm RAT payload)
- File Names:
  - `.XLAM` attachments (Excel add-in file)
  - Shellcode identifier: `WEakS.Jh` (relative path in the OLE object)
- Registry Keys: Not explicitly mentioned.
- Network Indicators:
  - C2 Server: `berlin101[.]com:6000`
  - Download URL 1: `hxxps://retrodayaengineering[.]icu/HGG.hta`
  - Download URL 2: `hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg`
  - Download URL 3: `hxxp://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt`
- Behavioral Indicators:
  - Execution of shellcode via Microsoft Equation Editor (EQNEDT32.EXE).
  - PowerShell execution initiating network connections.
  - Process hollowing into `Msbuild.exe`.
## Associated Threat Actors
- XWorm is a multi-functional RAT known to be distributed through various channels, including Telegram-based marketplaces, indicating use by various threat groups or cybercriminal operations. Specific group attribution for this *exact* campaign is not provided, but it leverages known financially motivated techniques.
## Detection Methods
- Signature-based detection: FortiGuard recognized variants such as `JS/XWorm.140B!tr.dldr`, `MSIL/XWorm.2CF6!tr`, and `Data/JpgMalware.B!tr`.
- Behavioral detection: Monitoring for OLE object execution triggering shellcode, PowerShell downloading HTA files, and subsequent process hollowing into legitimate binaries like `Msbuild.exe`.
- YARA rules: Not explicitly provided, but signatures targeting the embedded OLE object structure or runtime characteristics of the fileless .NET module would be effective.
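The behavioral detections listed above, turned into process-lineage and C2 checks run over constructed Sysmon-style log lines, as an added example rather than FortiGuard's own detection logic. The EQNEDT32.EXE, `Msbuild.exe` and `berlin101[.]com:6000` indicators come from this report; the log format, the file paths, and the assumption that the HTA stage appears as `mshta.exe` spawning `powershell.exe`, which then spawns `Msbuild.exe`, are the example's own.

```python
import ntpath

# Constructed Sysmon-style telemetry (not from the report): EventID 1 = process
# creation, EventID 3 = network connection; fields are pipe-separated key=value.
SAMPLE_LOG = r"""
EventID=1|ParentImage=C:\Common Files\EQNEDT32.EXE|Image=C:\Windows\System32\mshta.exe
EventID=1|ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EventID=1|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
EventID=3|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|DestinationHostname=berlin101.com|DestinationPort=6000
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe
"""

# (parent, child) -> finding. "*" matches any child, because Equation Editor has no
# legitimate reason to spawn processes. The mshta.exe and powershell.exe parent
# relationships are assumptions about how the HTA and PowerShell stages appear.
LINEAGE_RULES = {
    ("eqnedt32.exe", "*"): "Equation Editor spawned a child (CVE-2018-0802 exploitation)",
    ("mshta.exe", "powershell.exe"): "HTA stage launched PowerShell",
    ("powershell.exe", "msbuild.exe"): "PowerShell launched MSBuild (hollowing target)",
}
C2_ENDPOINTS = {("berlin101.com", 6000)}  # from the report's indicators, defanging removed

def parse_event(line):
    """Split 'k=v|k=v' into a dict (values may contain '=' themselves)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def image_name(path):
    """Lower-cased file name of a Windows path, so rules ignore install location."""
    return ntpath.basename(path).lower()

def detect(log_text):
    """Return (finding, detail) pairs for every event that matches a rule."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
            for (rule_parent, rule_child), finding in LINEAGE_RULES.items():
                if parent == rule_parent and rule_child in ("*", child):
                    alerts.append((finding, f"{parent} -> {child}"))
        elif ev.get("EventID") == "3":
            host, port = ev["DestinationHostname"].lower(), int(ev["DestinationPort"])
            if (host, port) in C2_ENDPOINTS:
                alerts.append(("Connection to known XWorm C2", f"{image_name(ev['Image'])} -> {host}:{port}"))
    return alerts

def full_chain_seen(alerts):
    """True when every lineage stage of the reported chain was observed."""
    seen = {finding for finding, _ in alerts}
    return all(finding in seen for finding in LINEAGE_RULES.values())
```

Matching on image names rather than full paths keeps the rules valid across Office and .NET install locations; a single `eqnedt32.exe` child is worth an alert on its own, while `full_chain_seen` gives higher confidence that this specific campaign is in progress.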
## Mitigation Strategies
- Prevention measures: Update all Microsoft Office/Windows components to patch **CVE-2018-0802** (Microsoft Equation Editor RCE).
- Hardening recommendations:
  - Employ email gateway solutions (FortiMail) capable of Content Disarm and Reconstruction (CDR) to strip potentially malicious embedded objects, such as the OLE structure in Excel files.
  - Implement endpoint protection (FortiEDR, FortiClient) capable of blocking fileless activity and process injection techniques.
  - User training (NSE 1 awareness training) to recognize urgency and social engineering tactics in business-themed phishing.
## Related Tools/Techniques
- **CVE-2018-0802:** Microsoft Equation Editor Remote Code Execution vulnerability, used here to kickstart the execution chain.
- **HTA Execution:** Used as a common mechanism to bypass initial file-type restrictions and leverage scripting engines.
- **Fileless .NET Loader:** A common technique to execute payloads entirely in memory.
- **Process Hollowing:** Used to inject the malicious XWorm payload into a trusted process (`Msbuild.exe`) for execution, enhancing evasion.