VOID#GEIST Malware

Cybersecurity researchers have uncovered a sophisticated multi-stage malware campaign that relies on batch scripts to deliver encrypted remote access trojan (RAT) payloads. The campaign, identified as VOID#GEIST, deploys several RAT families, including XWorm, AsyncRAT, and Xeno RAT.

The attack chain leverages an obfuscated batch script that initiates a sequence of actions designed to evade detection. These actions include launching an additional batch script, staging a legitimate embedded Python runtime environment, and decrypting encrypted shellcode payloads. The shellcode is executed directly in memory after being injected into separate instances of the Windows process explorer.exe using a technique known as Early Bird Asynchronous Procedure Call (APC) injection.

Script-Driven Malware Delivery: A Modern Threat Model

Modern threat actors are increasingly abandoning traditional standalone executable malware in favor of layered, script-based delivery frameworks that mimic legitimate user behavior. Rather than deploying conventional Portable Executable (PE) binaries, attackers orchestrate multi-component pipelines that combine several legitimate technologies and scripting environments.

Typical components used within these frameworks include:

• Batch scripts used to orchestrate the infection sequence.
• PowerShell commands that facilitate stealthy payload staging.
• Embedded legitimate runtimes that ensure portability across systems.
• Raw shellcode executed directly in memory to maintain persistence and control.

This fileless execution approach significantly reduces opportunities for disk-based detection. Each individual stage appears relatively harmless when examined independently and often resembles routine administrative activity, allowing threat actors to operate within compromised environments without raising immediate security alerts.

Initial Access Through Phishing and Cloudflare Infrastructure

The entry point of the attack begins with a malicious batch script delivered through phishing emails. The script is retrieved from infrastructure hosted on a TryCloudflare domain. Once executed, the script deliberately avoids privilege escalation attempts and instead operates strictly within the permission boundaries of the currently logged-in user.

This strategy allows the malware to establish its initial foothold while blending into routine user-level operations. By avoiding actions that require elevated privileges, the attack reduces the likelihood of triggering security warnings or administrative prompts.

Visual Distraction and Stealth Execution Techniques

Following execution, the first stage of the malware launches a decoy document to distract the victim. Google Chrome is opened in full-screen mode to display a financial document or invoice presented as a PDF. While the user focuses on the document, malicious activity continues in the background.

Simultaneously, a PowerShell command is executed to relaunch the original batch script with hidden execution parameters. The use of the -WindowStyle Hidden parameter prevents a visible console window from appearing, ensuring that the malicious activity remains concealed from the user.

Persistence Through User-Level Startup Execution

To maintain persistence after system reboots, the malware deploys an auxiliary batch script into the Windows user Startup directory. This location ensures that the script is automatically executed whenever the victim logs in to the system.

This persistence mechanism is intentionally subtle. Instead of using more intrusive techniques such as modifying system registry keys, creating scheduled tasks, or installing services, the malware relies exclusively on standard user-level startup behavior. Because the approach operates entirely within the context of the current user’s privileges, it avoids triggering privilege escalation prompts and reduces the likelihood of detection by registry monitoring tools.

Payload Retrieval and Decryption Framework

During the next stage of the infection chain, the malware contacts a TryCloudflare domain to retrieve additional payload components packaged in ZIP archives. These archives contain the modules required to decrypt and execute the final malware payloads.

The downloaded archive typically contains the following components:

• runn.py – a Python-based loader responsible for decrypting and injecting encrypted shellcode modules into memory
• new.bin – encrypted shellcode payload associated with XWorm
• xn.bin – encrypted shellcode payload corresponding to Xeno RAT
• pul.bin – encrypted shellcode payload corresponding to AsyncRAT
• a.json, n.json, and p.json – key files used by the Python loader to decrypt the shellcode payloads dynamically during runtime

This modular design enables the attackers to stage different payloads independently and activate them only when required.

Embedded Python Runtime for Portability and Stealth

Once the archive is extracted, the malware deploys a legitimate embedded Python runtime obtained directly from python.org. Embedding a legitimate interpreter eliminates reliance on any Python installation that may already exist on the compromised system.

From an attacker’s perspective, this step provides several strategic advantages. The malware becomes a self-contained execution environment capable of decrypting and injecting payloads without requiring external dependencies. This improves portability across different systems, enhances reliability, and contributes to operational stealth by using legitimate software components.

In-Memory Execution of Multiple RAT Payloads

The embedded Python runtime is then used to execute the runn.py loader script. The loader decrypts the shellcode associated with XWorm and injects it into a running instance of explorer.exe using Early Bird APC injection.

To deploy Xeno RAT, the malware leverages a legitimate Microsoft binary called AppInstallerPythonRedirector.exe, which is used to invoke Python and execute the required components. The same injection technique is subsequently reused to deploy AsyncRAT, ensuring that all payloads are executed entirely in memory without leaving traditional executable artifacts on disk.

Command-and-Control Beaconing and Modular Architecture

The final stage of the attack involves sending a minimal HTTP beacon to attacker-controlled Command-and-Control (C2) infrastructure hosted on TryCloudflare. This beacon confirms that the system has been successfully compromised and is ready to receive further instructions.

Although the specific targets of the campaign remain unknown, the infection chain demonstrates a highly modular architecture. Rather than deploying a single large malware payload, the attackers introduce components incrementally across multiple stages. This design improves operational flexibility and resilience.

From a detection perspective, one notable behavioral indicator emerges throughout the campaign: repeated process injection into explorer.exe within short time intervals. This pattern can serve as a strong signal for defenders attempting to correlate suspicious activity across different stages of the attack lifecycle.