{
	"id": "4f933702-1791-4814-a77c-df12ab52373f",
	"created_at": "2026-04-06T00:17:54.62803Z",
	"updated_at": "2026-04-10T03:21:17.718111Z",
	"deleted_at": null,
	"sha1_hash": "048546fa0749d902c12026aeb931b4c383a07880",
	"title": "XWorm Attack Chain: Leveraging Steganography from Phishing Email to Keylogging via C2 Communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2638476,
	"plain_text": "XWorm Attack Chain: Leveraging Steganography from Phishing Email to Keylogging via C2 Communication\r\nBy Sarviya\r\nPublished: 2025-09-12 · Archived: 2026-04-05 17:44:22 UTC\r\nA StegoCampaign is a cyberattack that uses steganography to hide malware inside images, making detection difficult. It delivers malware families such as AgentTesla, FormBook, Remcos, and LokiBot through payloads hidden in images. Victims face data theft, remote control of their systems, and credential harvesting.\r\nSteganography is the practice of concealing information within other media, such as images, audio files, and GIFs.\r\nRecently, we identified an active StegoCampaign and decided to investigate it further. In this blog, we will dive deep into the detailed kill chain of this campaign. Let’s get started!\r\nStegoCampaign - XWorm Attack Chain\r\nhttps://sarviyamalwareanalyst.medium.com/xworm-attack-chain-leveraging-steganography-from-phishing-email-to-keylogging-via-c2-communication-f3a4c91dfd06\r\nPage 1 of 9\r\nAttached PDF from the phishing mail\r\nThe initial vector of this campaign is a phishing mail that arrives with an attached PDF. On opening it, the PDF shows a “Download Graphics extension” prompt, claiming the extension is needed to view the document.\r\nURL redirected from the PDF\r\nThe above URL is the one the PDF redirects to in order to download the supposed graphics extension; instead, it downloads a registry file.\r\nRegistry file getting downloaded\r\nAnalysis of the Reg File\r\nOn examining the Reg file, we can see that a ‘Run’ entry is being added to the values. The value corresponds to calling PowerShell via cmd with the window hidden and the execution policy bypassed, in order to download a VBS file from the URL, save it as “maze.vbs” in the Temp location and execute it right away (as per the script). Since it is a Run entry, it only runs when the system reboots; in the meantime it stays in place until the user reboots.\r\nPersistence presented in the reg file\r\nThe image below is the VBS script obtained from the mentioned URL.\r\nmaze.vbs\r\nOpen the script in Visual Studio Code. In the script we can see some obfuscated content, and we also find a Replace call.\r\nObfuscated String\r\nOpen CyberChef and paste the obfuscated “bradykinin” data into the Input field. In the Recipe section, add the Find/Replace operation, set the second parameter as Find, and set Replace to null. This will generate a Base64-encoded string.\r\nDecode Obfuscated String\r\nTake the Base64-encoded output from the previous step and enter it into the Input field. Then apply the following recipe: From Base64 and Remove null bytes. This will decrypt the string, revealing a reversed URL construction which points to the URL “https[.]//support.zyfex[.]free[.]hr/down/ConvertedFile[.]txt”.\r\nReverse Loader\r\nThe downloaded payload is stored in gameshow, while AddInProcess32 runs the add-in in an isolated 32-bit process, separate from the main application. The payload is saved in C:\\ProgramData\\acrohilus, with vbs indicating a VBScript execution. The values ‘1’, ‘1’ are unclear but may serve as execution flags or commands.\r\nThe website mentioned in the PS script redirects to the page below, where ConvertedFile.txt is present.\r\nPayload from Reverse Link\r\nOn looking at it, we can see that it is obfuscated, so we try several options in CyberChef. Since the URL was reversed, this is probably reversed as well (that is what struck me), and I tried From Base64 too. AND BANG!\r\nDecrypted MZ File\r\nWe got an MZ header, so this is some executable. I’ll dump it and save it for further analysis.\r\nXworm Execution:\r\nOpen the extracted PE file in dnSpy, then right-click and select Go to Entry Point. Initially, the Main function reveals an AES decryption method, suggesting the presence of a hardcoded obfuscated string. Set a breakpoint at pasteurl, then execute step by step. As you progress, the decrypted string will become visible in the value section of dnSpy.\r\nInside the key, an encrypted string is visible, along with two strings: Host and Port. These may indicate a C2 (Command and Control) server, which will be decrypted from the encoded string.\r\nBefore decrypted string\r\nAfter executing the download string, we got the C2 host and port address.\r\nC2 Host and port\r\nEnter the decoded URL into a browser, which will reveal the IP address and port of the C2 (Command and Control) server.\r\nC2 Response\r\nNow execute the extracted PE file. In ProcMon, you can observe that it writes data to the Temp folder under the name log.temp. Additionally, network activity reveals that the file is connecting to the C2 server, establishing a send and receive communication channel.\r\nProcMon - Xworm connecting to C2\r\nIn the Temp folder, the file log.tmp stores the recorded data, revealing that it is capturing keystrokes. This confirms that the malware functions as a keylogger, recording user input and potentially exfiltrating sensitive information.\r\nKeystrokes Stored in Temp Folder\r\nIn Wireshark, the captured network traffic shows data being transferred to the C2 server, with corresponding ACK (acknowledgment) packets, confirming successful communication between the infected system and the attacker’s server.\r\nWireshark — C2\r\nIoC: sha1\r\nMaze.vbs: 64F19C6E30548BC3880DD6B1B4D21D174D5C8EFF\r\nXworm: 99C5F8B888CD29574173AE0F03F6AEEBAC3AB2E1\r\nAnyRun: Analysis xworm (MD5: B3A89B0BF85BDA317F428C807637F9D5) Malicious activity — Interactive analysis ANY.RUN\r\nSource: https://sarviyamalwareanalyst.medium.com/xworm-attack-chain-leveraging-steganography-from-phishing-email-to-keylogging-via-c2-communication-f3a4c91dfd06",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sarviyamalwareanalyst.medium.com/xworm-attack-chain-leveraging-steganography-from-phishing-email-to-keylogging-via-c2-communication-f3a4c91dfd06"
	],
	"report_names": [
		"xworm-attack-chain-leveraging-steganography-from-phishing-email-to-keylogging-via-c2-communication-f3a4c91dfd06"
	],
	"threat_actors": [],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/048546fa0749d902c12026aeb931b4c383a07880.pdf",
		"text": "https://archive.orkl.eu/048546fa0749d902c12026aeb931b4c383a07880.txt",
		"img": "https://archive.orkl.eu/048546fa0749d902c12026aeb931b4c383a07880.jpg"
	}
}