Paste.ee Abuse Uncovered: XWorm & AsyncRAT Infrastructure
ID: 099e77b3-c2d7-584b-95a3-50f07c8fa1d9
STIX ID: report--099e77b3-c2d7-584b-95a3-50f07c8fa1d9
Feed Name: Hunt.io Blog
A security research team identified an obfuscated JavaScript downloader posted to MalwareBazaar that strips unusual Unicode junk characters to reconstruct an MSXML2.XMLHTTP request to paste.ee, fetches a staged payload, and executes it; analysis linked the payloads to XWorm (keylogger/stealer RAT) and AsyncRAT infrastructure. The report documents specific IOCs (paste.ee URLs and patterns, domains, IPs such as 45.145.43.244 and 66.63.187.154, C2 ports such as 6606/7707/8808, and file hashes), describes detection approaches (regex hunting, httpx, SSL certificate fingerprinting), and recommends blocking the identified domains and URLs, monitoring unusual ports, and updating defenses to detect obfuscated JavaScript downloaders.
