370/68 Monday, September 29, 2025
Researchers from Forcepoint X-Labs have issued a warning about a new email campaign that uses fake invoices as lures to distribute the XWorm RAT (Remote Access Trojan). This malware allows attackers to remotely control infected machines and steal sensitive user data. The phishing emails are sent with the subject line “Facturas pendientes de pago” (“Outstanding Invoices”) and contain an .xlam Office file. When opened, the file appears empty or corrupted, but the malware has already begun executing.
The attack follows a multi-stage infection chain. Inside the attachment is a hidden component named oleObject1.bin, which contains encoded shellcode designed to download a remote executable (UXO.exe). Once executed, it loads DriverFixPro.dll into memory using Reflective DLL Injection, followed by process injection to embed XWorm RAT code into a trusted application. This stealthy technique allows the malware to operate undetected. It then connects to a C2 server (158.94.209[.]180) to exfiltrate stolen data.
Researchers confirm that XWorm RAT is highly versatile, capable of stealing files, logging keystrokes, and providing full remote system control, while also maintaining persistence through execution within legitimate applications. This is not the first XWorm campaign observed-in 2025, it was linked to attacks on over 18,000 devices worldwide, with AWS S3 being used as a malware distribution channel.
Experts advise users to exercise caution with attachments ending in .xlam or .bin, verify invoice authenticity directly with the sender, and keep operating systems and security software up to date to reduce the risk of compromise.
Source https://hackread.com/hackers-fake-invoices-xworm-rat-office-files/
