{
	"id": "d06cc7e2-dbc0-46bb-9b17-fec6facf7fe6",
	"created_at": "2026-04-06T01:30:38.569967Z",
	"updated_at": "2026-04-10T13:13:01.990015Z",
	"deleted_at": null,
	"sha1_hash": "b8988fdc5e8607850be9750b8a74e549fb3714d8",
	"title": "Paste.ee Abuse Uncovered: XWorm \u0026 AsyncRAT Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1419948,
	"plain_text": "Paste.ee Abuse Uncovered: XWorm \u0026 AsyncRAT Infrastructure\r\nPublished: 2025-06-05 · Archived: 2026-04-06 00:48:32 UTC\r\nWhile reviewing recent malware submissions from a public repository, we flagged a small JavaScript file packed with unusual Unicode characters and broken syntax. At first glance, it looked like malformed or incomplete code, but it was actually a disguised downloader contacting paste.ee, a legitimate service often abused to host staged payloads.\r\nWhat appeared to be a standalone script turned out to be part of a broader campaign involving obfuscation, paste sites, and globally distributed C2 infrastructure tied to known remote access tools.\r\nFurther analysis revealed links to XWorm, a stealthy RAT with capabilities like keystroke logging, data exfiltration, and persistent remote access. In this report, we detail how we traced the activity, extracted IOCs, and built regex and SSL fingerprinting techniques to help defenders detect similar threats.\r\nTechnical Analysis\r\nOur research team discovered this script while monitoring newly uploaded samples to MalwareBazaar.\r\nIt was immediately flagged with the RemcosRAT signature and caught our attention due to its deceptive filename: \"DOCUMENT FOR DELIVERY INFORMATION.js\". At just under 3KB, it may look harmless, but its behavior and indicators revealed a clear link to a known remote access trojan.\r\nThis sample became the starting point for our investigation, and what we found next shows how attackers continue to rely on small, weaponized scripts to deliver powerful malware.\r\nhttps://hunt.io/blog/pasteee-xworm-asyncrat-infrastructure\r\nPage 1 of 15\r\nFig 01: Obfuscated JavaScript on MalwareBazaar\r\nThis JavaScript code is an obfuscated malicious script designed to download and execute code from paste.ee. It hides its true functionality by inserting a long sequence of unusual Unicode characters (ᙓೇ ᰖ∛ᩕዀ╬ᤳK⨀Ḣ؅⦝〒ڑ) throughout strings. These characters are later removed to reveal the actual commands and object names.\r\nThe script dynamically reconstructs the name of the MSXML2.XMLHTTP ActiveX object, which is used to make an HTTP request. It then builds a hidden URL by removing the same junk characters from an obfuscated string, ultimately forming a complete address like http://paste.ee/d/s1uVin8i/0.\r\nThe script sends a GET request to this URL, retrieves the response (typically malicious code), and immediately executes it using the Function constructor.\r\nFig 02: Deobfuscated JavaScript Code\r\nWe started by scanning the domain paste.ee using the Hunt.io web interface to uncover any IOCs or malicious activity associated with it.\r\nFig 03: Resolved IP Related to paste.ee on the Hunt.io Platform\r\nAccording to the results, this is an apex domain with the hostname paste.ee that resolves to the IP address 23.186.113.60. Hunt.io currently links the domain to 230 phishing URLs, 12 IOCs, and over 9,500 URLs in total.\r\nFig 04: Phishing URLs Related to paste.ee on the Hunt.io Platform\r\nRegex Hunting Based on Phishing URL Structure\r\nAfter analyzing the phishing URLs associated with the domain paste.ee, we observed recurring patterns in their structure. Because of these similarities, we crafted the regex https:\\/\\/paste\\.ee\\/[a-z]\\/[A-Za-z0-9]+\\/0$ to hunt for and detect related malicious URLs.\r\nFig 05: Phishing URLs Regex Hunting Using Hunt.io SQL\r\nWhen we want to analyze potentially malicious infrastructure or check web assets found in malware data, the first step is to pull the relevant URLs out of an NDJSON file. Such a file contains one JSON object per line, each with a URL and some extra information. To extract just the URLs, we use the command-line tool jq.\r\nRunning this command:\r\njq -r \".url\" export.ndjson \u003e urls.txt\r\ntakes the NDJSON file (export.ndjson), grabs the URL from each entry, and saves them into a plain text file (urls.txt). This ensures the URLs are clean (no quotes or extra characters) so they're ready for the next steps.\r\nAfter we have this clean list, we use httpx from ProjectDiscovery to check the status of each URL. We want to see which sites are up and responding with a 200 OK status, because these could be admin pages, command-and-control servers, or other important parts of the malware infrastructure. The command we use is:\r\nhttpx -l urls.txt -mc 200 -o 200urls.txt\r\nThis reads the URLs from urls.txt, keeps only the ones that respond with HTTP 200, and saves those into 200urls.txt. That way, we can focus on the live targets.\r\nFig 06: Malicious Responses from paste.ee URLs\r\nDuring our investigation of the provided URLs, we discovered several malicious PE files that were both encoded and reversed. After decoding one file and loading it into dnSpy for analysis, we decrypted the embedded configuration and identified the malware as XWorm.\r\nFig 07: XWorm Configuration\r\nXWorm captures all keyboard input across the entire system, recording keystrokes in all programs. It tracks active windows, monitors Shift and Caps Lock states, handles special keys, and supports international keyboards.\r\nThe program silently saves all captured data to a file on disk, gradually building a collection of passwords, private messages, and other sensitive information. XWorm includes a command-and-control (C2) module that keeps a persistent backdoor open on infected systems. The ClientSocket class handles connections to remote C2 servers, giving attackers full remote access. It supports multiple backup servers and randomly selects one from a list of IP addresses or domain names in its settings.\r\nOnce connected, it collects detailed system information, including a unique machine ID, username, OS version and architecture, hardware specs, installed antivirus software, and whether a webcam is present. To stay connected, it sends regular \"PING\" messages every few seconds, each including the title of the active window, all over an AES-encrypted channel.\r\nAfter decrypting the domain abuwire123[.]ddns[.]net used by XWorm, we scanned it using VirusTotal and found that it resolves to the IP address 45.145.43.244.\r\nFig 08: Resolved IP Related to the Domain Hosting XWorm\r\nThe IP address 45.145.43.244, based in Frankfurt am Main, Germany, and registered to dataforest GmbH (ASN: AS58212), shows signs of being part of a malicious infrastructure.\r\nIt falls within the 45.145.43.0/24 subnet and has several open ports, including port 22 (SSH) and port 80, which is running Nginx 1.24.0. More concerning are ports 6606 and 7707, both flagged for hosting AsyncRAT, a well-known remote access trojan. These ports were first detected in February 2025.\r\nAsyncRAT is an open-source remote access trojan written in C# that has been available on GitHub since around 2018. Because its source code is publicly available, many threat actors have forked, modified, and rebranded it to create custom variants while retaining the core functionality.\r\nSSL Certificate Activity for 45.145.43.244\r\nThe IP address 45.145.43.244, operated by dataforest GmbH in Hesse, Germany (ASN: AS58212), has shown suspicious behavior across multiple ports over the last two years.\r\nEarly 2025: SSL certificates observed on ports 6606 and 7707 were linked to AsyncRAT, a known remote access trojan. These certificates first appeared in February 2025, indicating the setup of a fresh command-and-control (C2) infrastructure.\r\nThroughout 2024: The same IP hosted RDP services on port 3389, using certificates with hostnames like WIN-RI8CECQIG28 and WIN-HRF8D3OM84N, suggesting that compromised Windows systems may have been used as relay nodes.\r\nMarch-May 2024: SSL certificates on port 30120 were issued by do-not-trust.citizenfx.tls.invalid, typically associated with FiveM game servers. These are occasionally abused to host unauthorized or malicious services.\r\nJune-August 2023: The IP was used to host multiple HTTPS websites on port 443, including suspicious domains like carosnews.com and\r\nFurther investigation of SSL certificate patterns linked to AsyncRAT revealed a broader C2 network. Notably:\r\nU.S.-based nodes hosted by QuadraNet Enterprises LLC include:\r\n66.63.187.154 (port 6606)\r\n66.63.187.232 (ports 8808, 6606)\r\n196.251.118.41 (port 8808)\r\nEuropean infrastructure operated by SC ITNS.NET SRL includes:\r\n45.145.43.244 in Germany, with active ports:\r\n6606 (as of March 3, 2025)\r\n7707 (as of February 24, 2025)\r\nUsing SSL certificates labeled \"AsyncRAT\" can help detect various AsyncRAT variants, as the next figure shows.\r\nFig 09: Open Ports Related to 66.63.187.154 on Hunt.io\r\nNext, we need to check the extracted IOCs. After scanning the IP address 45.145.43.244 on VirusTotal, we can see that it is related to the XWorm malware.\r\nFig 10: VirusTotal XWorm C2 Community Comment\r\nWe also scanned 66.63.187.232 with VirusTotal. Community comments confirm that this IP address is related to XWorm C2.\r\nFig 11: VirusTotal XWorm C2 Community Comments\r\nAfter checking the community for the IP 196.251.118.41, we can see that it is related to AsyncRAT.\r\nFig 12: VirusTotal AsyncRAT C2 Community Information\r\nWhen checking 66.63.187.154, we could not find any attributed information, but when we went back to our own project data, we found that this IP is also related to AsyncRAT or a variant of it.\r\nFig 13: Open Ports Related to 66.63.187.154\r\nSummary\r\nThis campaign shows how attackers are evolving their methods to better hide their tracks. They're using paste.ee, a legitimate website where people share text snippets, as their starting point to spread dangerous malware. What caught our attention was the sneaky way they hide their code using unusual Unicode characters that most people wouldn't recognize as suspicious.\r\nRecommended Mitigation Strategies\r\nTo protect yourself from these attacks, block all identified domains and suspicious paste.ee URLs mentioned in the report, specifically paste.ee links that follow a pattern like https://paste.ee/d/something/0.\r\nKeep an eye out for connections to unusual ports like 6606 or 7707, which are where the attackers control their malware from.\r\nEnsure your security software is up to date and can detect unusual behavior, not just known viruses. Be extra careful with emails containing links to paste services, and watch out for messy or highly obfuscated JavaScript, which can indicate an attempt to hide downloader logic or embedded payloads.\r\nIf you're responsible for security at your organization, regularly check your systems for these warning signs and suspicious activities that might indicate you've been targeted.\r\nXWorm and AsyncRAT Indicators of Compromise (IOCs)\r\nIP Addresses and Domain Names\r\nIP Address | Domain | Hosting Company | Location\r\n45.145.43.244 | abuwire123[.]ddns[.]net | dataforest GmbH (ASN: AS58212) | Frankfurt, Germany\r\n66.63.187.154 | Not Available | QuadraNet Enterprises LLC | United States\r\n66.63.187.232 | abuwire123h[.]ddns[.]net, abuwire123[.]duckdns[.]org | QuadraNet Enterprises LLC | United States\r\n196.251.118.41 | Not Available | Not Available | Not Available\r\n23.186.113.60 | paste.ee | Not Available | Not Available\r\nIP Addresses and C2 Ports\r\nIP Address | Port | Service | Certificate | First Observed\r\n45.145.43.244 | 6606 | XWorm C2 | AsyncRAT | February 24, 2025\r\n66.63.187.154 | 6606 | AsyncRAT C2 | AsyncRAT | February 2025\r\n66.63.187.232 | 8808 | XWorm C2 | AsyncRAT | February 2025\r\n196.251.118.41 | 8808 | AsyncRAT C2 | AsyncRAT | February 2025\r\nMalicious URLs and Patterns\r\nURL/Pattern | Description | Type\r\nhttps://paste.ee/d/s1uVin8i/0 | Malicious code hosting | Payload hosting\r\nhttps://paste.ee/[a-z]/[A-Za-z0-9]+/0 | Generic paste.ee pattern | IOC Pattern\r\nFile Hashes\r\nFile Type | Hash\r\nJavaScript | bd4952489685f6a76fe36fc220821515\r\nXWorm | 6e976623d02e20d1b83e89fecd31215b\r\nSource: https://hunt.io/blog/pasteee-xworm-asyncrat-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/pasteee-xworm-asyncrat-infrastructure"
	],
	"report_names": [
		"pasteee-xworm-asyncrat-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775439038,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8988fdc5e8607850be9750b8a74e549fb3714d8.pdf",
		"text": "https://archive.orkl.eu/b8988fdc5e8607850be9750b8a74e549fb3714d8.txt",
		"img": "https://archive.orkl.eu/b8988fdc5e8607850be9750b8a74e549fb3714d8.jpg"
	}
}