XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
ID: 0ecb2fe3-edbe-5097-9729-5e0fcb250c1f
STIX ID: report--0ecb2fe3-edbe-5097-9729-5e0fcb250c1f
Feed Name: Hunt.io Blog
This report analyzes a XenoRAT remote-access tool delivered as an Excel XLL (Payment_Details.xll) built with Excel-DNA and protected with ConfuserEx. It details the dropper chain (obfuscated batch script, password-protected SFX RAR, extracted executables), the visible decoy PDF, and the extracted XenoRAT payload (Original.exe) with a hardcoded C2 (87.120.116.115:1391), and provides file and network observables for detection and hunting.
