
The campaign highlights the growing shift toward script‑based, file‑less RAT delivery that evades traditional signature tools, forcing enterprises to rely on behavioral detection and tighter endpoint controls.
The cybersecurity landscape has shifted from monolithic executables toward highly modular, script‑driven infection chains that leave little forensic evidence on disk. Attackers now stitch together batch files, PowerShell commands, and legitimate runtimes to create portable, file‑less payloads that mimic routine administrative activity. This approach shrinks the on‑disk footprint that traditional antivirus solutions, which rely on static signatures, depend on, and forces defenders to rely on behavioral analytics and endpoint detection and response (EDR) platforms. The recent VOID#GEIST campaign exemplifies this trend, combining everyday Windows utilities with sophisticated in‑memory techniques.
VOID#GEIST begins with a seemingly innocuous batch script delivered via phishing and hosted on a TryCloudflare domain. The script spawns a second batch, embeds a clean Python interpreter, and extracts encrypted shellcode modules for XWorm, AsyncRAT and Xeno RAT. Decryption keys stored in JSON files enable the Python loader to decrypt the payloads, which are then injected into separate explorer.exe processes using Early Bird Asynchronous Procedure Call (APC) injection. The chain avoids privilege escalation, persists through a user‑level Startup shortcut, and sends a minimal HTTP beacon to the attacker’s C2.
For defenders, the hallmark of VOID#GEIST is rapid, repeated injection into explorer.exe combined with hidden batch activity and a full‑screen decoy PDF. Monitoring for unexplained PowerShell re‑execution, anomalous use of AppInstallerPythonRedirector.exe, and outbound traffic to obscure Cloudflare subdomains can surface the campaign early. Organizations should enforce strict application control, limit user write permissions to the Startup folder, and deploy EDR solutions capable of detecting early‑bird APC injection patterns. Adapting to these script‑centric, file‑less tactics is essential to protect enterprise environments from next‑generation RATs.
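As an added example (not code from the article or from the researchers who analyzed the campaign), the script below turns the hunting suggestions above into rules run over constructed Sysmon‑style events: a launch of AppInstallerPythonRedirector.exe, an outbound connection to a trycloudflare.com subdomain, a .lnk dropped in the user Startup folder, and one source process touching several explorer.exe processes in quick succession. The event IDs, field names, paths and hostname in the sample are assumptions made for the demonstration.

```python
import json
from collections import defaultdict

# Constructed Sysmon-style events (JSON, one per line); not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd /c invoice.bat"}
{"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\WindowsApps\\AppInstallerPythonRedirector.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "python loader.py"}
{"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "DestinationHostname": "example-words.trycloudflare.com", "DestinationPort": 443}
{"EventID": 10, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 4100}
{"EventID": 10, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 4188}
{"EventID": 10, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 4212}
{"EventID": 11, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\EDR\\sensor.exe", "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 4100}
"""

STARTUP_DIR = "\\start menu\\programs\\startup\\"


def detect(log_text, inject_threshold=2):
    """Return (rule_name, detail) pairs for events matching the VOID#GEIST hunting cues."""
    hits = []
    # Source image -> distinct explorer.exe PIDs it opened (Sysmon EventID 10, ProcessAccess).
    explorer_access = defaultdict(set)
    for raw in log_text.strip().splitlines():
        ev = json.loads(raw)
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == 1 and image.endswith("appinstallerpythonredirector.exe"):
            # The Store redirector launching Python from a script chain is unusual on most endpoints.
            hits.append(("python_redirector_launch", ev.get("CommandLine", "")))
        elif eid == 3 and ev.get("DestinationHostname", "").lower().endswith(".trycloudflare.com"):
            # Beacon to a throwaway TryCloudflare tunnel hostname.
            hits.append(("trycloudflare_beacon", ev["DestinationHostname"]))
        elif eid == 10 and ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
            explorer_access[ev["SourceImage"]].add(ev["TargetProcessId"])
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR in target.lower() and target.lower().endswith(".lnk"):
                # User-level persistence via a Startup folder shortcut.
                hits.append(("startup_lnk_persistence", target))
    # One process reaching into several explorer.exe instances mirrors the per-RAT injection pattern.
    for src, pids in explorer_access.items():
        if len(pids) >= inject_threshold:
            hits.append(("repeated_explorer_access", f"{src} -> {len(pids)} explorer.exe processes"))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The legitimate EDR sensor that opens a single explorer.exe stays below the threshold, which is what keeps the injection rule from firing on normal process inspection.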