Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
ID: 52c3fd85-169d-5a54-ab33-b798694176ca
STIX ID: report--52c3fd85-169d-5a54-ab33-b798694176ca
Feed Name: Fortinet Blog
FortiGuard Labs describes a phishing campaign that delivers XWorm RAT to Windows users via malicious .XLAM Excel attachments exploiting CVE-2018-0802. The attack chain executes embedded shellcode in EQNEDT32.EXE to download an HTA, which runs obfuscated JScript/PowerShell to extract a fileless .NET module hidden in a JPEG; that module decodes an in-memory XWorm payload and deploys it into Msbuild.exe via process hollowing. XWorm v7.2 supports AES-encrypted C2 (berlin101.com:6000), an extensive command set and 50+ plugins for data theft, system control, DDoS and ransomware, and the report includes URLs, C2, and SHA-256 IOCs plus Fortinet protection recommendations.
