Attackers are using fake invoice emails to spread XWorm, a remote-access trojan that quietly steals login credentials, passwords, and sensitive files from infected computers.
When a user opens the attached Visual Basic Script file, the malware begins working silently in the background without any visible warnings or alerts.
This makes it extremely dangerous because victims never know their system is compromised until it’s too late.
Once active, XWorm gives attackers complete control over the infected machine, allowing them to record keystrokes, spy on users, steal personal data, and even install additional threats like ransomware.
The attack begins with a simple email that appears to be a routine payment notification. These emails typically include a polite message from someone claiming to be an account officer, asking recipients to review processed invoices.
The message looks harmless enough, but the attachment contains a .vbs file that immediately executes malicious code when opened.
What makes this tactic clever is that the attackers rely on outdated technology that most people no longer expect to see in business communications.
Malwarebytes security analysts identified the malicious attachment as Backdoor.XWorm during their investigation.
XWorm operates as malware-as-a-service, meaning cybercriminals can rent or purchase access to the infrastructure that maintains backdoor connections and collects stolen data.
This business model has made it easier for less technically skilled attackers to launch sophisticated campaigns, expanding the overall threat landscape for both individuals and organizations.
The Visual Basic Script attachment stands out because modern businesses rarely use this file type anymore. Most email security systems block .vbs files automatically since they can run code directly on a computer without any additional steps.
However, when these attachments manage to slip through email filters, they can cause serious damage.
The script immediately drops a batch file named IrisBud.bat into the Windows temporary folder and uses Windows Management Instrumentation to execute it invisibly.
Infection Mechanism and Execution Flow
The infection chain starts simple but quickly becomes complex through multiple stages of obfuscation.
The initial .vbs file contains 429 lines of heavily disguised code that writes another file to the system. This batch file then copies itself to the user profile directory under the name aoc.bat, ensuring persistence even if the temporary files get cleaned up.
The batch file includes a clever technique to hide its execution by checking if a specific variable exists. If not, it restarts itself in a minimized window that runs completely invisible to the user while the original process exits immediately.
Inside the batch file, attackers use padding techniques with repeated variables that serve no purpose except to confuse analysis tools and security researchers.
These dummy variables make the code appear longer and more complicated than it actually is. After removing this padding, the real commands become visible, including instructions to copy files, read encoded data, and launch PowerShell scripts.
The batch file contains two hidden payload sections that look like ordinary comments starting with double colons, but these actually hold encrypted malware data.
The PowerShell script performs the final stage of the attack by reading the hidden payloads from aoc.bat, decrypting them with AES using a hardcoded key, and decompressing the result with GZip.
This produces two executable files that load directly into memory without ever being saved to disk, a technique called fileless execution that helps avoid detection by traditional antivirus software.
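As an added triage example, not code from the article or from Malwarebytes: a small Python script that applies the article's description of the batch stage to a constructed sample, stripping unreferenced padding variables, pulling out "::" comments that carry opaque encoded data rather than prose, and flagging the behaviours the article names (guard variable, minimized self-relaunch, copy into the user profile, PowerShell launch). The sample batch text, variable names and encoded strings are all constructed for illustration.

```python
import re

# Constructed sample modelled on the batch stage the article describes (not the
# real IrisBud.bat/aoc.bat): guard variable and minimized self-relaunch, dummy
# padding variables, two "::" comments holding opaque data, a PowerShell launch.
SAMPLE_BAT = r"""@echo off
if not defined HIDDEN set HIDDEN=1 & start /min "" "%~f0" & exit
set pad1=qwertyuiopasdfghjkl
set pad2=zxcvbnmqwertyuiop
copy "%~f0" "%USERPROFILE%\aoc.bat" >nul
::Zm9vYmFyIGJhei0tY29uc3RydWN0ZWQtLXNhbXBsZQ==
::U29tZSBvdGhlciBjb25zdHJ1Y3RlZCBibG9iIGhlcmU=
powershell -w hidden -ep bypass -f "%TEMP%\stage.ps1"
"""

SET_LINE = re.compile(r"^\s*set\s+\"?([A-Za-z_]\w*)=", re.I)
# A "::" comment whose body is a long run of base64-style characters, not words.
PAYLOAD_COMMENT = re.compile(r"^\s*::\s*([A-Za-z0-9+/=]{32,})\s*$")
INDICATORS = {
    "guard_variable": re.compile(r"if\s+not\s+defined", re.I),
    "minimized_relaunch": re.compile(r"start\s+/min.*%~f0", re.I),
    "copy_to_profile": re.compile(r"copy\b.*%USERPROFILE%", re.I),
    "powershell_launch": re.compile(r"\bpowershell\b", re.I),
    "temp_dir_use": re.compile(r"%TEMP%", re.I),
}

def strip_padding(text):
    """Drop 'set NAME=...' lines whose NAME appears nowhere else in the script."""
    kept = []
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m and len(re.findall(r"\b%s\b" % re.escape(m.group(1)), text, re.I)) == 1:
            continue  # dummy variable: defined once, never referenced
        kept.append(line)
    return kept

def payload_comments(lines):
    """Return the bodies of '::' comments that look like encoded data."""
    return [m.group(1) for l in lines if (m := PAYLOAD_COMMENT.match(l))]

def analyze(text):
    """Summarize a batch file: de-padded line count, hidden payloads, behaviours."""
    lines = strip_padding(text)
    return {
        "lines_after_strip": len(lines),
        "payloads": payload_comments(lines),
        "indicators": sorted(n for n, rx in INDICATORS.items()
                             if any(rx.search(l) for l in lines)),
    }
```

Run `analyze(SAMPLE_BAT)` to see the two hidden payload strings and all five behaviour flags; on a real sample the extracted payloads would then go to a sandbox or decryption step, not be executed.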
The sandbox analysis revealed a mutex identifier 5wyy00gGpG6LF3m6 that security researchers recognize as belonging to the XWorm malware family, confirming the threat and allowing for proper classification and response.