A multi-stage malware campaign codenamed VOID#GEIST, disclosed by researchers as involving XWorm, AsyncRAT and Xeno RAT, uses batch scripts as the initial delivery path to drop encrypted payloads. The attack chain begins with a batch script fetched from a TryCloudflare domain and distributed via phishing emails, then moves through a second batch script, stages a legitimate Python runtime and decrypts shellcode blobs in memory.
According to Securonix Threat Research, the actors employ Early Bird APC injection to run the decrypted payloads in memory and inject them into explorer[.]exe, with the final stages invoking XWorm, Xeno RAT and AsyncRAT through a Python-based loader called runn[.]py and the legitimate AppInstallerPythonRedirector[.]exe binary, which is used to launch the Python runtime.
The malware payloads are delivered as ZIP archives from a TryCloudflare domain, containing runn[.]py, the encrypted blobs new[.]bin, xn[.]bin and pul[.]bin, and the key files a[.]json, n[.]json and p[.]json; the blobs are decrypted and executed without leaving obvious disk traces.
The infection culminates in a minimal HTTP beacon to attacker-controlled infrastructure. The design favours portability, stealth and a modular, stage-wise delivery architecture: it is built to blend with normal administrative activity and survives reboots by relying on user-level startup persistence.
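A triage heuristic for the staging chain described above, added here as an example and not part of the Securonix report: it flags process-creation events where the AppInstaller Python redirector or the Python runtime is launched from a batch script with a .py loader on the command line, and ZIP listings with the loader-plus-.bin-plus-.json bundle shape. The event field names (Image, ParentImage, CommandLine, ParentCommandLine), the sample events and all file paths are constructed assumptions, not data from the report.

```python
import re
from pathlib import PureWindowsPath

# Names taken from the write-up: the Python loader is started through the
# AppInstaller redirector after a batch-script stage.
REDIRECTOR = "appinstallerpythonredirector.exe"
PY_SCRIPT = re.compile(r"\S+\.py\b", re.IGNORECASE)


def flag_process_event(event: dict) -> list[str]:
    """Return the reasons a process-creation event matches the chain."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "").lower()
    batch_parent = parent == "cmd.exe" and ".bat" in parent_cmd
    reasons = []
    if image == REDIRECTOR and PY_SCRIPT.search(cmd):
        reasons.append("AppInstaller Python redirector launching a .py script")
    if image in (REDIRECTOR, "python.exe") and batch_parent:
        reasons.append("Python runtime started from a batch script")
    return reasons


def flag_archive_listing(names: list[str]) -> bool:
    """True when a ZIP holds only a .py loader, .bin blobs and .json key
    files, the staging-bundle shape the report describes."""
    suffixes = {PureWindowsPath(n).suffix.lower() for n in names}
    return suffixes == {".py", ".bin", ".json"}


# Constructed sample telemetry, not real events; paths are assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage2.bat"',
     "Image": r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\AppInstallerPythonRedirector.exe",
     "CommandLine": r"AppInstallerPythonRedirector.exe C:\Users\u\AppData\Local\Temp\runn.py"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Program Files\Python311\python.exe",
     "CommandLine": "python.exe -m pip list"},  # benign use of the runtime
]
SAMPLE_ZIP = ["runn.py", "new.bin", "xn.bin", "pul.bin", "a.json", "n.json", "p.json"]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["Image"]).name, flag_process_event(ev))
    print("staging bundle:", flag_archive_listing(SAMPLE_ZIP))
```

Both checks are coarse by design and should be tuned against local baselines, since the redirector and the Python runtime are legitimately used on many hosts.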