![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Blue Archive tier list [April 2025]](https://media.pocketgamer.com/artwork/na-33404-1636469504/blue-archive-screenshot-2.jpg?#)
.png?#)
-Baldur’s-Gate-3-The-Final-Patch---An-Animated-Short-00-03-43.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Alleged Pixel 10 series wallpapers leak with vibrant colors and a strange new theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/pixel-10-wallpaper-leak-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![Apple to Split Enterprise and Western Europe Roles as VP Exits [Report]](https://www.iclarified.com/images/news/97032/97032/97032-640.jpg)
![Nanoleaf Announces New Pegboard Desk Dock With Dual-Sided Lighting [Video]](https://www.iclarified.com/images/news/97030/97030/97030-640.jpg)
![Apple's Foldable iPhone May Cost Between $2100 and $2300 [Rumor]](https://www.iclarified.com/images/news/97028/97028/97028-640.jpg)
Malicious JScript Loader Jailbreaked to Uncover Xworm Payload Execution Flow
Cybersecurity researchers have uncovered a sophisticated multi-stage attack chain utilizing JScript to deliver dangerous malware payloads. The attack, which employs a complex obfuscation technique, ultimately delivers either XWorm or Rhadamanthys malware depending on the victim’s geographic location. This loader operates through a meticulously crafted execution flow that begins with JScript, transitions to PowerShell, and culminates […] The post Malicious JScript Loader Jailbreaked to Uncover Xworm Payload Execution Flow appeared first on Cyber Security News.
Cybersecurity researchers have uncovered a sophisticated multi-stage attack chain utilizing JScript to deliver dangerous malware payloads.
The attack, which employs a complex obfuscation technique, ultimately delivers either XWorm or Rhadamanthys malware depending on the victim’s geographic location.
This loader operates through a meticulously crafted execution flow that begins with JScript, transitions to PowerShell, and culminates in the delivery of fileless malware.
The attack typically initiates through scheduled tasks or ClickFix attacks involving fake CAPTCHAs.
Victims are targeted with an mshta.exe command that executes obfuscated JScript code, which in turn generates PowerShell commands.
This technique allows attackers to bypass traditional security measures by leveraging legitimate Windows components to execute malicious code.
The initial infection vector demonstrates the attackers’ sophistication in exploiting system trust relationships.
Upon execution, the JScript loader creates a PowerShell command by ingeniously reassembling randomly ordered array elements into a coherent script.
This script then performs geolocation checks by querying an external API to determine if the victim is located in the United States, directing the attack flow accordingly.
Sophos researchers identified this geofencing delivery tactic as a deliberate attempt to target specific regions while reducing unwanted exposure.
The researchers noted that this location-based payload delivery represents an evolution in targeted malware distribution techniques, allowing threat actors to customize attacks based on geographic considerations.
The malware implements thorough anti-forensic measures, including terminating competing processes and removing potential evidence files from various system directories.
It creates persistent infection paths while maintaining a low profile to evade detection by security solutions.
Execution Flow Analysis
The most intriguing aspect of this malware is its sophisticated execution flow. After the initial JScript execution, the loader initiates a multi-stage deobfuscation process.
.webp)
A sample of the PowerShell code reveals its complexity:-
# Define the execution block
#{{E}={
# Define the type and method names
${T} = [char[]]@('A', '.', 'B')
${M} = [char[]]@('C')
# Get the type and method from the loaded assembly
${Y} = $I.GetType((${T} -join ''))
${N} = ${Y}.GetMethod((${M} -join ''))This code fragment demonstrates how the malware uses PowerShell reflection to dynamically load malicious components while evading detection.
The loader converts decimal-encoded data into executable code, which is then injected into legitimate Windows processes like RegSvcs.exe.
The final payloads differ based on geolocation. US-based victims receive XWorm, a Remote Access Trojan capable of performing DDoS attacks and cryptocurrency clipboard hijacking.
Non-US victims are infected with Rhadamanthys, a sophisticated C++ info-stealer that employs AI-powered image recognition to identify cryptocurrency wallet seed phrases.
This analysis highlights the evolution of modern malware distribution techniques, blending sophisticated obfuscation with targeted delivery mechanisms to maximize infection success while minimizing detection.
Security professionals are advised to implement robust detection mechanisms focused on identifying suspicious PowerShell execution chains and fileless injection techniques.
Equip your team with real-time threat analysis With ANY.RUN’s interactive cloud sandbox -> Try 14-day Free Trial
The post Malicious JScript Loader Jailbreaked to Uncover Xworm Payload Execution Flow appeared first on Cyber Security News.
.webp?#)
