LATAM Businesses Hit by XWorm via Fake Financial Receipts: Full Campaign Analysis
ID: 0c704791-9926-58f6-b77f-eeab475f2363
STIX ID: report--0c704791-9926-58f6-b77f-eeab475f2363
Feed Name: ANY.RUN's Cybersecurity Blog
This report dissects a LATAM-focused, multi-stage XWorm campaign. A fake bank receipt lure (obfuscated WSH/JavaScript) spawns a hidden WMI-based PowerShell loader, which downloads a steganographic .jpg from Cloudinary carrying an in-memory .NET persistence DLL. That DLL registers a scheduled task through .NET APIs, and the final XWorm payload is injected into CasPol.exe. The analysis includes static and dynamic confirmation, the decrypted configuration (C2: jholycf100.ddns.com.br / 152.249.17.145), file hashes, payload URLs, and YARA rules to aid detection and hunting.
