{
	"id": "2bf687a1-b9e1-4823-af1a-c1fa5b1aa00c",
	"created_at": "2026-04-06T00:12:18.765065Z",
	"updated_at": "2026-04-10T13:13:00.835669Z",
	"deleted_at": null,
	"sha1_hash": "70eabcb60b9b56e65b3c4931044806b378b13bca",
	"title": "Attack chain leads to XWORM and AGENTTESLA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2367833,
	"plain_text": "Attack chain leads to XWORM and AGENTTESLA\r\nBy Salim Bitam\r\nPublished: 2023-04-10 · Archived: 2026-04-05 23:00:16 UTC\r\nKey Takeaways\r\nThreat actors are deploying known malware using their own custom .NET loaders\r\nThe threat actors employ simple and well-known tactics such as bypassing AMSI through patching and a basic custom .NET loader\r\nThe threat actors are abusing legitimate free file hosting services\r\nPreamble\r\nOur team has recently observed a new malware campaign that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into clicking on documents which appear to be legitimate but are in fact fake. The adversary leverages weaponized Word documents to execute malicious PowerShell scripts, and also uses a custom obfuscated .NET loader to load various malware strains, including XWORM and AGENTTESLA.\r\nRTF loader code analysis\r\nOverview\r\nDuring a recent investigation, we discovered a malicious Word document named Card \u0026 Booking Details.docx. This document has been designed to deceive the victim and includes two falsified scanned documents, namely a credit card and a passport.\r\nUpon opening the document, an RTF object hosted at www.mediafire[.]com/file/79jzbqigitjp2v2/p2.rtf is fetched.\r\nThis RTF object contains a macro-enabled Excel object. When opened, this macro downloads an obfuscated PowerShell script which in turn deploys different malware families.\r\nAt the time of this writing, we have observed two distinct malware families, XWORM and AGENTTESLA, deployed through this execution chain. Both families are loaded into the compromised system's memory by the same custom .NET loader. Once loaded, the malicious payload can carry out a range of functions, such as stealing sensitive data and executing commands on the compromised system.\r\nhttps://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla\r\nPage 1 of 10\n\nExecution flow diagram\r\nIn this research post, we will walk through the initial execution of the malware and detail the capabilities we discovered.\r\nExtracting the malicious VBA\r\nThe RTF document contains multiple embedded objects, including an interesting one that caught our attention: Excel.SheetMacroEnabled.\r\nListing objects embedded in the RTF document\r\nWe can use rtfdump.py, a script developed by Didier Stevens to analyze RTF files, to dump the object, and olevba.py, a script developed by Philippe Lagadec, to extract any embedded VBA scripts from an OLE object.\r\nThe extracted VBA script shown below downloads and executes a malicious PowerShell script from https://www.mediafire[.]com/file/xnqxmqlcj51501d/7000m.txt/file.\r\nExtracting the VBA script from the Excel sheet object\r\nPowerShell script analysis\r\nThe malicious PowerShell script is obfuscated using string substitution to evade detection and make analysis more difficult.\r\nPowerShell script obfuscated using string substitution\r\nIt contains additional PowerShell script blocks, stored in hex format, that are deployed on the infected machine to prepare the environment: setting up persistence, bypassing AMSI, disabling Windows Defender and creating a mechanism to update the malware. The ultimate objective is to install two .NET binaries, namely a loader and a payload (XWORM / AGENTTESLA).\r\nDeleting the malicious document\r\nThe malware starts by deleting the original Word document: it first kills the Winword.exe process and then deletes all .DOCX files located in the default Downloads and Desktop folders of every user. This initial step shows the malware's destructive nature and how it can potentially harm the user's data.\r\nPowerShell command to delete the malicious Word document\r\nPersistence\r\nThe malware creates a directory at C:\\ProgramData\\MinMinons, which is used to store other PowerShell scripts and binaries. The currently running PowerShell script is then copied to C:\\ProgramData\\MinMinons\\Candlegraphy.___.\r\nNext, the malware deobfuscates the first embedded PowerShell script, which is used to create persistence. It first writes a JScript file that invokes the original PowerShell script saved at C:\\ProgramData\\MinMinons\\Candlegraphy.___ through an ActiveXObject shell; then a scheduled task named “MOperaChrome” is created to run the JScript file using the Microsoft-signed Windows Script Host (WSH) utility, wscript.exe.\r\nPersistence through task scheduling\r\nAMSI bypass\r\nThe second embedded PowerShell script is responsible for bypassing AMSI by patching the amsiInitFailed flag. As a result, AMSI initialization fails and no scan is initiated for the current process. Furthermore, the PowerShell script proceeds to disable the Microsoft Windows Defender service.\r\nDisabling WinDefend service\r\nUser creation\r\nThe script creates a local administrator account named “System32” and adds it to the Remote Desktop Users group. This enables the attacker to log in via Remote Desktop Protocol (RDP). Next, the script disables the machine's firewall to allow inbound RDP connection attempts that aren’t filtered by edge controls.\r\nCreating a backdoor user\r\nMalware update persistence\r\nThe third embedded script stores a secondary JScript file whose purpose is downloading a revised or updated version of the malware. This file is saved to a predetermined location at C:\\ProgramData\\MinMinons\\miguan.js. Furthermore, a scheduled task named “miguaned” is created to execute the JScript file through wscript.exe, similar to the previously described task.\r\nThe JScript creates a WScript.Shell instance by calling ActiveXObject with the CLSID {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}, which corresponds to the Shell object, then downloads the updated PowerShell malware from https://billielishhui.blogspot[.]com/atom.xml.\r\nJScript script used for updating the malware\r\n.NET loader\r\nThe custom .NET loader employs P/Invoke to call the native Windows API and inject a payload into a signed Microsoft binary via process hollowing.\r\nThe loader’s code employs various obfuscation techniques to hinder analysis, including dead instructions, renamed symbols that make the code less readable and more confusing, and encoded strings. Fortunately, a tool like de4dot can be used to output a human-readable version of it.\r\n.NET loader code obfuscation\r\nThe malware leverages the LoadLibrary and GetProcAddress APIs to access the required Windows APIs. To obscure the names of these APIs, the loader stores them in an encoded format within the binary, using a sequence of substitution and string reversal steps.\r\n.NET loader string obfuscation\r\nThe loader then starts a process in a suspended state using the CreateProcessA API. The following is the list of executables it uses as a host for its malicious code:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v3.5\\Msbuild.exe\r\nThese binaries are signed and trusted by the system and can evade detection by security software that relies on whitelisting system processes. The loader then uses ZwUnmapViewOfSection to unmap the memory of the target process, writes the payload into the suspended process and resumes the thread using the ResumeThread API.\r\nFinal payload\r\nDuring our research we discovered that the threat actor has been deploying different payloads. Namely, we observed two families: XWORM and AGENTTESLA.\r\nXWORM has gained notoriety in the underground criminal marketplace due to its ability to employ sophisticated capabilities like virtualization and sandbox detection, used to avoid detection and support persistence within an infected system.\r\nOf particular concern is the fact that XWORM is readily available on the internet as a cracked version, with version 2.1 being especially prevalent. This highlights the dangers of underground cybercrime markets and the ease with which malicious actors can access and utilize powerful tools.\r\nTwo different versions of the XWORM family were observed: 2.2 and 3.1. The following is the configuration of an XWORM sample in plain text.\r\nXWorm configuration\r\nAGENTTESLA is a trojan and credential stealer written in .NET. While it first emerged in 2014, it remains among the most active malicious software families. AGENTTESLA is affordably priced and includes support from the developers, making it easily accessible to cybercriminals with limited technical skills.\r\nThe sample we analyzed was heavily obfuscated, masqueraded as an AVG installer, and leverages Discord for C2. It uploads stolen information to the attacker’s Discord channel via the following webhook: https://discord[.]com/api/webhooks/1089956337733087274/uYNA_D8Ns1z9NZ3B1mGp0XXyGq-785KLGIfEAZsrz3TJd5fvOjXA927F7bUTTzbNT6Zk.\r\nAgent Tesla masquerading as an AVG installer\r\nThe Discord webhook extracted dynamically\r\nObserved adversary tactics and techniques\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that threats use.\r\nTactics\r\nTactics represent the “why” of a technique or sub-technique. They represent the adversary’s tactical goals: the reason for performing an action.\r\nInitial access\r\nExecution\r\nPersistence\r\nCommand and control\r\nDefense evasion\r\nTechniques/subtechniques\r\nTechniques and subtechniques represent how an adversary achieves a tactical goal by performing an action.\r\nProcess Injection\r\nIndicator Removal: File Deletion\r\nScheduled Task/Job: Scheduled Task\r\nUser Execution: Malicious File\r\nPhishing: Spearphishing Attachment\r\nCommand and Scripting Interpreter: PowerShell\r\nObfuscated Files or Information\r\nImpair Defenses: Disable or Modify Tools\r\nCreate Account\r\nDetection logic\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify the XWORM and AGENTTESLA malware families.\r\nrule Windows_Trojan_Xworm_732e6c12 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        id = \"732e6c12-9ee0-4d04-a6e4-9eef874e2716\"\r\n        fingerprint = \"afbef8e590105e16bbd87bd726f4a3391cd6a4489f7a4255ba78a3af761ad2f0\"\r\n        creation_date = \"2023-04-03\"\r\n        last_modified = \"2023-04-03\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"Xworm\"\r\n        threat_name = \"Windows.Trojan.Xworm\"\r\n        source = \"Manual\"\r\n        maturity = \"Diagnostic\"\r\n        reference_sample = \"bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2\"\r\n        scan_type = \"File, Memory\"\r\n        severity = 100\r\n    strings:\r\n        $str1 = \"startsp\" ascii wide fullword\r\n        $str2 = \"injRun\" ascii wide fullword\r\n        $str3 = \"getinfo\" ascii wide fullword\r\n        $str4 = \"Xinfo\" ascii wide fullword\r\n        $str5 = \"openhide\" ascii wide fullword\r\n        $str6 = \"WScript.Shell\" ascii wide fullword\r\n        $str7 = \"hidefolderfile\" ascii wide fullword\r\n    condition:\r\n        all of them\r\n}\r\nrule Windows_Trojan_AgentTesla_d3ac2b2f {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        id = \"d3ac2b2f-14fc-4851-8a57-41032e386aeb\"\r\n        fingerprint = \"cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc\"\r\n        creation_date = \"2021-03-22\"\r\n        last_modified = \"2022-06-20\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"AgentTesla\"\r\n        threat_name = \"Windows.Trojan.AgentTesla\"\r\n        source = \"Manual\"\r\n        maturity = \"Diagnostic, Production\"\r\n        reference_sample = \"65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4\"\r\n        scan_type = \"File, Memory\"\r\n        severity = 100\r\n    strings:\r\n        $a1 = \"GetMozillaFromLogins\" ascii fullword\r\n        $a2 = \"AccountConfiguration+username\" wide fullword\r\n        $a3 = \"MailAccountConfiguration\" ascii fullword\r\n        $a4 = \"KillTorProcess\" ascii fullword\r\n        $a5 = \"SmtpAccountConfiguration\" ascii fullword\r\n        $a6 = \"GetMozillaFromSQLite\" ascii fullword\r\nSource: https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla"
	],
	"report_names": [
		"attack-chain-leads-to-xworm-and-agenttesla"
	],
	"threat_actors": [],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70eabcb60b9b56e65b3c4931044806b378b13bca.pdf",
		"text": "https://archive.orkl.eu/70eabcb60b9b56e65b3c4931044806b378b13bca.txt",
		"img": "https://archive.orkl.eu/70eabcb60b9b56e65b3c4931044806b378b13bca.jpg"
	}
}