logo

Phishing Campaign Uses Fake Invoice PDF to Drop AsyncRAT, VenomRAT, and XWorm

ID: 024fe563-ea23-5dee-b0fd-64a69fef6eca

STIX ID: report--024fe563-ea23-5dee-b0fd-64a69fef6eca

Feed Name: GBHackers

Threat Score
75/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Mayura Kathir

...
...

A sophisticated phishing campaign distributes AsyncRAT, VenomRAT and XWorm through a ZIP > .URL > .LNK > .JS > .BAT > ma.zip chain that leverages TryCloudflare quick tunnels, obfuscated Python components that perform in-memory shellcode execution (VirtualAlloc/RtlMoveMemory/CreateThread) and Early Bird APC queue process injection; a decoy invoice PDF masks the activity. The report provides IOCs (defanged URLs, C2 IPs, multiple file hashes), describes the attack chain and recommended detections/mitigations for blocking tunnelling domains, detecting memory injection and suspicious PowerShell/Invoke-WebRequest activity.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.