Weaponized ScreenConnect Delivers Xworm RAT

In a recent Advanced Continual Threat Hunt (ACTH) operation, Trustwave’s SpiderLabs uncovered a stealthy campaign where cybercriminals weaponized ScreenConnect, a legitimate remote management tool, to deliver the Xworm Remote Access Trojan (RAT) through a layered infection chain.

By using fake AI-related content and tampered digital certificates, the attackers managed to bypass many Endpoint Detection and Response (EDR) solutions, leaving manual threat hunting as the key method of detection.

Infection Chain Through Fake AI Sites

The campaign began with social engineering tactics. Victims were lured to a fake AI platform, gptgrok[.]ai, which redirected them to anhemvn6[.]com.

From there, users downloaded files named:

• Creation_Made_By_GrokAI.mp4 Grok.com
• Creation_Made_By_GoogleAI.mp4 Google.com
• Creation_Made_By_SoraAI.mp4 OpenAI.com

These were not videos but disguised ScreenConnect installer files (ScreenConnect.ClientSetup.msi). By leveraging AI-related keywords, attackers gave credibility to their malicious campaign.

Code-Signing Certificate Abuse

Researchers discovered that the attackers abused Microsoft Authenticode code-signing certificates. Instead of altering the binary directly, they embedded malicious parameters within the digital signature. This allowed the installer to retain a valid signature, helping it evade tampering checks and user suspicion.

Once executed, the installer placed ScreenConnect in the Temp directory, configured it to run in hidden mode, and connected back to the attacker’s server. Icons and notifications were disabled, keeping the session invisible.

Fileless Execution with Python Payloads

During the remote session, a batch file named X-META Firebase_crypted.bat launched mshta.exe, which fetched 5btc.zip from anhemvn4[.]com. Inside were:

• pw.exe (a renamed Python interpreter)
• basse64.txt (an encoded payload)

Instead of writing malicious files to disk, the attackers used process hollowing in msedge.exe and chrome.exe. The Base64-encoded Python commands were pulled from a public GitHub repository, enabling stealthy, fileless execution of Xworm RAT.

Persistence and Long-Term Access

Persistence was achieved through a Windows Run key entry labeled “Windows Security,” pointing to backup.bat inside C:\xmetavip. This script re-executed pw.exe on every login with updated Base64 commands, fetching additional payloads like buquabua.txt.

The RAT also attempted credential harvesting by extracting stored browser passwords (Chrome, Edge, Firefox) and gathering system details via WMI queries.

GitHub-Hosted Malware and Final Payload

SpiderLabs noted that the GitHub repository hosted 11 obfuscated scripts, split between RAT loaders and persistence modules, created shortly before the attacks.

One final payload, Exppiyt.txt, contained a command-and-control (C2) IP (5[.]181[.]165[.]102:7705), which at the time was not flagged on VirusTotal.

Why This Matters

This campaign highlights a dangerous trend: attackers abusing legitimate software, AI branding, and digital signatures to bypass security solutions. Traditional EDR struggled to detect this, reinforcing the importance of skilled human threat hunters who can spot subtle anomalies.

The SpiderLabs report shows that blending automation with expert analysis remains the most effective way to expose advanced threats before they cause damage.

Indicator of Compromise (IoC) Hashes