A new wave of email attacks is on the rise, tricking people with fake invoice documents into installing the XWorm RAT (Remote Access Trojan), which can quietly steal sensitive information from an infected computer, according to the latest research from Forcepoint X-Labs.
The scam starts with an email, usually about “Facturas pendientes de pago” (Spanish for “Pending Invoices for Payment”) and purportedly sent by someone named Brezo Sánchez. Attached is an Office file with the .xlam extension, the format Excel uses for add-ins.
X-Labs researchers note that when the file is opened it may look blank or corrupted, but by then the infection has already begun.
Understanding the Attack Chain
Cyberattacks generally follow a chain of steps, and this one has several. Inside the attached Office file is an embedded component called oleObject1.bin, which contains encrypted shellcode: a small piece of machine code whose only job is to download the next stage of the attack as soon as it runs.

The shellcode reaches out to a specific web address, hxxp://alpinreisan1[.]com/UXO[.]exe (defanged), to download the main malicious program, an executable named UXO.exe. That program starts the second stage: loading a further malicious DLL, DriverFixPro.dll, into the computer’s memory.
The DLL is loaded by reflective DLL injection, a technique that maps and executes a DLL straight from memory without ever writing it to disk as a regular file, which sidesteps file-based antivirus scanning. DriverFixPro.dll then performs process injection, forcing the malicious code to run inside a legitimate process already present on the machine. The code injected in this final step is the XWorm RAT.
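The delivery stage above hinges on an OLE object embedded in an .xlam file, which is an OOXML container (a zip archive) with embedded objects stored under xl/embeddings/. The following triage script is an added example, not code from Forcepoint or Hackread: it opens a suspected add-in, lists every embedded object, checks for the OLE compound-file magic, and flags objects whose byte entropy is high enough to suggest encrypted or packed content, as described for the shellcode in oleObject1.bin. The sample add-ins it scans are constructed inline with a random payload standing in for the real shellcode; they are not real, openable Excel files, and the entropy threshold of 7.0 bits per byte is an assumption chosen for this demonstration.

```python
"""Triage an Excel add-in (.xlam) for embedded OLE objects.

Added example, not Forcepoint's or Hackread's code. The .xlam samples are
constructed in memory; the "shellcode" is pseudo-random filler.
"""
import io
import math
import random
import zipfile
from collections import Counter
from typing import Optional

# OLE2 / Compound File Binary header magic (D0 CF 11 E0 A1 B1 1A E1)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumed threshold: bits of entropy per byte (max 8.0) above which an
# embedded object is treated as likely encrypted or packed.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_xlam(blob: bytes) -> dict:
    """Scan an OOXML add-in given as bytes.

    Returns {'is_ooxml': bool, 'embeddings': [per-object dicts],
             'suspicious': True if any OLE object exceeds the entropy threshold}.
    """
    result = {"is_ooxml": False, "embeddings": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result  # not a zip at all, so not an OOXML document
    result["is_ooxml"] = True
    with zf:
        for name in zf.namelist():
            # Excel stores embedded objects under xl/embeddings/; Word and
            # PowerPoint use word/ and ppt/ prefixes, so match the middle part.
            if "/embeddings/" not in name.lower():
                continue
            data = zf.read(name)
            entry = {
                "name": name,
                "size": len(data),
                "is_ole": data.startswith(OLE_MAGIC),
                "entropy": round(shannon_entropy(data), 2),
            }
            entry["flag"] = entry["is_ole"] and entry["entropy"] >= ENTROPY_THRESHOLD
            result["embeddings"].append(entry)
            if entry["flag"]:
                result["suspicious"] = True
    return result


def build_sample_xlam(embedded: Optional[bytes]) -> bytes:
    """Construct a minimal OOXML zip (constructed sample, not a usable add-in)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embedded is not None:
            zf.writestr("xl/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


def make_ole_blob(payload: bytes) -> bytes:
    """Fake OLE container: real CFB magic, zero-filled 512-byte header, payload."""
    return OLE_MAGIC + b"\x00" * 504 + payload


def demo_results() -> dict:
    """Scan four constructed samples; return {filename: suspicious_flag}."""
    rng = random.Random(1)  # deterministic stand-in for encrypted shellcode
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(8192))
    samples = {
        "invoice_malicious.xlam": build_sample_xlam(make_ole_blob(encrypted_like)),
        "invoice_plain_ole.xlam": build_sample_xlam(make_ole_blob(b"\x00" * 8192)),
        "invoice_clean.xlam": build_sample_xlam(None),
        "not_office.bin": b"MZ\x90\x00",  # a PE stub, not a zip
    }
    return {name: scan_xlam(blob)["suspicious"] for name, blob in samples.items()}


if __name__ == "__main__":
    for fname, flagged in demo_results().items():
        print(f"{fname}: {'SUSPICIOUS' if flagged else 'ok'}")
```

The script only finds and characterizes the embedded object; in real triage you would hand the extracted oleObject1.bin to a dedicated OLE parser (for example oletools) or a sandbox to confirm what it does. Note the middle sample: an OLE object with the correct magic but low entropy is reported but not flagged, which keeps benign embedded spreadsheets and images from generating alerts.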
XWorm: A Persistent Threat
Forcepoint’s senior researcher, Prashant Kumar, explains in the blog post that XWorm’s capabilities allow it to take full remote control over an infected system, from stealing files to logging keystrokes.
Through process injection, the malware runs inside a trusted application, which helps it persist while avoiding detection. Finally, XWorm connects to a Command & Control (C2) server at 158.94.209[.]180 (defanged) and sends the victim’s stolen data to the attackers.
This important research on the multi-stage attack was shared exclusively with Hackread.com. However, it is worth noting that this is not the first time the XWorm threat has been seen this year.
In January 2025, Hackread.com reported an XWorm campaign that compromised over 18,459 devices globally, stealing browser passwords and Discord tokens. Then, in March 2025, Veriti’s research revealed that XWorm was using trusted platforms like Amazon Web Services (AWS) S3 storage to distribute its harmful files.
To protect yourself from such attacks, be cautious with attachments, especially those ending in .xlam or .bin; verify unexpected invoices by calling the sender on a number you already have rather than one taken from the email; and keep your operating system and security software up to date. Organizations can go further by blocking or quarantining .xlam attachments at the mail gateway, since legitimate Excel add-ins are rarely exchanged by email, and by alerting when Excel downloads or launches an executable.