{
	"id": "dd385c33-a4f5-4c99-9a2d-de195d3baffc",
	"created_at": "2026-04-06T00:08:27.607503Z",
	"updated_at": "2026-04-10T03:37:41.010856Z",
	"deleted_at": null,
	"sha1_hash": "a6c5cb93f465bdd075c0f7323965a79b96d5122a",
	"title": "XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3890285,
	"plain_text": "XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method\r\nPublished: 2024-11-19 · Archived: 2026-04-05 19:50:49 UTC\r\nTABLE OF CONTENTS\r\nXenoRAT Overview\r\nSpecial Delivery: Excel XLL and ConfuserEx\r\nNetwork Infrastructure\r\nConclusion\r\nNetwork Observables\r\nHost Observables\r\nWhile combing through malware repositories for interesting files to analyze, Hunt researchers encountered a XenoRAT sample that stood out, not for its core functionality, but for the tools used to deliver it. Known for typically targeting gamers and posing as legitimate software, this open-source remote access tool was, in this case, delivered as an XLL file generated with the open-source Excel-DNA framework, protected by ConfuserEx, and titled \"Payment Details.\"\r\nThis post will explore the tactical shifts observed in this version of XenoRAT's deployment, focusing on the infrastructure, protective layers, and key changes defenders should watch closely.\r\nKey Points:\r\nUnusual Delivery Tactic: XenoRAT was deployed through Excel XLL files, marking a departure from previously seen delivery vectors.\r\nEnhanced Protection: ConfuserEx adds a layer of protection, making the malware more challenging to detect and analyze.\r\nExpanded Target Potential: This method suggests an increased focus on gaining access to enterprise networks, moving beyond XenoRAT's typical focus on individual users.\r\nXenoRAT Overview\r\nXenoRAT is an open-source remote access tool (RAT) coded in C# and hosted on GitHub, where its accessibility has enabled widespread use in various campaigns. Known primarily for targeting individual users, especially gamers, through spearphishing and software masquerading as legitimate downloads, XenoRAT has also been delivered through GitHub repositories and observed communicating with .gg top-level domains, as described in one of our previous blog posts about XenoRAT.\r\nMore recently, Cisco Talos highlighted a shift in XenoRAT's usage, with a North Korean-linked actor, tracked as UAT-5394, deploying a customized variant.\r\nWe'll now shift our focus to the sample that caught our attention, Payment_Details.xll.\r\nSpecial Delivery: Excel XLL and ConfuserEx\r\nhttps://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method\r\nPage 1 of 6\r\nFound on Any Run, \"21102024_0022_18102024_Payment_Details.gz.zip\" (SHA-256: 7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e) was downloaded to an analysis environment and found to contain two files: \"Payment_Details.xll\" and \"PlainText.txt.\" The latter contains a brief, generic message accompanied by a disclaimer often seen in business email communications, likely crafted to gain the target's trust as part of a financial transaction.\r\nFigure 1: Contents of PlainText.txt.\r\nPayment_Details.xll\r\nSHA-256: 48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152\r\nThis file's main purpose is as a dropper, deploying XenoRAT along with an additional remote access tool, which we will cover below. The sample abuses the Excel-DNA framework, a legitimate tool for Excel development. Excel-DNA's ability to load compressed .NET assemblies directly into memory makes it attractive to malware authors seeking to deliver malicious payloads.\r\nExamining the file's embedded resources reveals a heavily obfuscated \"MAIN\" module. Under typical circumstances, this module would specify the exact .NET component loaded by Excel-DNA; however, in this instance, the obfuscation conceals its true functionality, likely to evade security detections.\r\nFigure 2: Resources of the malicious XLL file.\r\nExecuting the XLL file initiates a complex process chain, with several key events occurring in rapid succession. Shortly after launch, an obfuscated batch file, \"cfgdf.bat,\" is triggered. Though heavily obfuscated, it ultimately launches the executable \"zgouble.sfx.exe,\" an SFX RAR archive, which likely extracts its contents into the Temp directory.\r\nFigure 3: A heavily obfuscated cfgdf.bat.\r\nWhile these background processes are underway, a decoy PDF named \"Pago.pdf\" opens visibly on the user's screen. \"Pago,\" meaning \"pay\" or \"paid\" in Spanish, aligns with the document's intent to appear as part of a legitimate financial transaction. Although the PDF is blurry, faint column headings like 'Date' and 'Subtotal' are barely visible, likely another attempt to lend authenticity to the communications between the user and the threat actor.\r\nFigure 4: \"Pago.pdf\" contents used as a decoy to the victim.\r\nThe SFX archive is password-protected, limiting direct interaction with its contents. However, as the process chain progresses, another executable, \"cvghfy.exe,\" runs, likely extracted from within the archive. Tools like Detect It Easy reveal signs of obfuscation, packing, and the use of ConfuserEx, indicating the threat actor(s) went to a great deal of trouble to hinder analysis.\r\nFigure 5: Analysis results of cvghfy.exe\r\nUsing Unpac.me, we were able to uncover an additional executable, \"Original.exe\" (SHA-256: 18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb), identified as the XenoRAT payload. Opening Original.exe in dnSpy exposes XenoRAT's configuration, including the hardcoded command-and-control (C2) server address.\r\nFigure 6: XenoRAT hardcoded IP address and configuration data.\r\nFurther analysis of the file's metadata shows an anomalous compilation timestamp of 10/22/2052, a manipulation tactic likely employed to evade detection based on standard file timestamp heuristics. This alteration obscures the file's actual age, allowing it to bypass security filters that often rely on creation dates for detection.\r\nFigure 7: Compilation timestamp for the XenoRAT file.\r\nNetwork Infrastructure\r\nThe identified C2 IP address, 87.120.116[.]115, communicates over TCP port 1391 and is hosted within ASN 401115 (EKABI) in Bulgaria, providing few opportunities to pivot toward additional infrastructure linked to this activity.\r\nA self-signed certificate with the common name WIN-HM6FI4VOIEP was detected on RDP port 3389 around the same time this file surfaced. Although we could not uncover additional servers linked to this campaign, the IP address and indicators provided here offer a useful foundation for monitoring in case these tactics reemerge in future activity.\r\nConclusion\r\nThis analysis shed light on a unique deployment of XenoRAT, where traditional tactics gave way to Excel XLL delivery and layered obfuscation. By leveraging legitimate tools like Excel-DNA and ConfuserEx, the attackers demonstrated how adaptable open-source malware can be, embedding malicious activity within familiar file types and tools.\r\nThis shift in tactics reinforces the need for vigilance, including monitoring or blocking less commonly used file extensions, as threat actors continue finding ways to exploit trusted software.\r\nNetwork Observables\r\nIP Address | Hosting Country | ASN | Notes\r\n87.120.116[.]115:1391 | NL | EKABI | XenoRAT C2 Server\r\nHost Observables\r\nFile Name | File Type | SHA-256\r\nPayment_Details.gz.zip | Zip | 7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e\r\nPayment_Details.xll | XLL | 48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152\r\nPago.pdf | PDF | 7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d\r\ncfgdf.bat | Bat | 18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8\r\ncvghfy.sfx.exe | SFX RAR | 72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17b\r\ncvghfy.exe | EXE | 46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1\r\nOriginal.exe | EXE | 18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb\r\nSource: https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method"
	],
	"report_names": [
		"xenorat-excel-xll-confuserex-as-access-method"
	],
	"threat_actors": [
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0e9d99dc-01ad-49a5-8357-5f147d38559b",
			"created_at": "2024-09-20T02:00:04.587227Z",
			"updated_at": "2026-04-10T02:00:03.701875Z",
			"deleted_at": null,
			"main_name": "UAT-5394",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5394",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6c5cb93f465bdd075c0f7323965a79b96d5122a.pdf",
		"text": "https://archive.orkl.eu/a6c5cb93f465bdd075c0f7323965a79b96d5122a.txt",
		"img": "https://archive.orkl.eu/a6c5cb93f465bdd075c0f7323965a79b96d5122a.jpg"
	}
}