The campaign exploits an Office vulnerability to deliver the modular XWorm RAT, chaining HTA, PowerShell, and in-memory .NET execution to sidestep detection and expand post-compromise control.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A phishing campaign exploits CVE-2018-0802, a patched 2018 Office vulnerability, to deliver XWorm RAT malware. The attack chain uses malicious Excel add-ins, HTA files, and PowerShell to execute fileless .NET code in memory via process hollowing into msbuild.exe. XWorm communicates with C2 servers using AES encryption and supports modular plugins for credential theft, keylogging, DDoS, and remote control. Security experts note the campaign's effectiveness stems from combining routine phishing tactics with modern evasion techniques, highlighting persistent patching gaps and the need for robust post-compromise controls.

Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection