{"id":15789,"date":"2026-02-12T12:41:15","date_gmt":"2026-02-12T12:41:15","guid":{"rendered":"https:\/\/newestek.com\/?p=15789"},"modified":"2026-02-12T12:41:15","modified_gmt":"2026-02-12T12:41:15","slug":"phishing-campaign-chains-old-office-flaw-with-fileless-xworm-rat-to-evade-detection","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15789","title":{"rendered":"Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Fortinet researchers have disclosed a new phishing campaign delivering the commercially available <a href=\"https:\/\/www.csoonline.com\/article\/4064720\/xworm-campaign-shows-a-shift-toward-fileless-malware-and-in-memory-evasion-tactics.html\" target=\"_blank\">XWorm<\/a> malware, chaining a years-old Microsoft Office vulnerability with fileless execution to escape detection.<\/p>\n<p>The campaign, which uses multi-themed phishing emails and a malicious Excel add-in, ultimately deploys the modular remote access trojan (RAT), which is capable of encrypted command-and-control (C2) and plugin-based expansion.<\/p>\n<p>\u201cThis campaign is striking in its ordinariness,\u201d said Shane Barney, chief information security officer at Keeper Security. \u201cThere\u2019s no breakthrough technique here. It\u2019s a clean execution chain built from components we\u2019ve all seen before. 
The sophistication isn\u2019t in the novelty, it\u2019s in the assembly.\u201d<\/p>\n<p>Attackers used a phishing email carrying a malicious Excel add-in that exploits <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2018-0802\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2018-0802<\/a>, a memory corruption flaw in Office that was patched in 2018. The chain then continues into HTA- and PowerShell-based execution to load additional components of the attack.<\/p>\n<h2 class=\"wp-block-heading\">Attackers used a familiar entry point<\/h2>\n<p>According to a Fortinet blog <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>, the campaign relies on business-themed phishing lures and the legacy remote code execution vulnerability in the Microsoft Equation Editor that defenders have known for years. Fortinet noted that the continued success of CVE-2018-0802 suggests patching gaps remain a viable attack surface.<\/p>\n<p>Jason Soroko, senior fellow at Sectigo, said the pairing of routine phishing with modern backend tradecraft is what makes the campaign notable.<\/p>\n<p>\u201cWhat stands out here is how \u2018old\u2019 and \u2018routine\u2019 the front end is, and how modern the back end remains,\u201d he said. \u201cThe lure is a familiar business pretexting and a malicious Excel add-in, but the real signal is the attacker\u2019s confidence that legacy Office exploit paths still convert at scale. The attachment abuses CVE-2018-0802, then pivots quickly into HTA plus PowerShell to keep the heavy lifting off disk.\u201d<\/p>\n<p>Fortinet researchers added that the code execution gained through CVE-2018-0802 further allows the HTA and PowerShell components to run, keeping much of the activity off disk. 
\u201cThat combination is a reminder that patch hygiene and macro or script execution policy are still doing more real work than most organizations want to admit,\u201d Soroko added.<\/p>\n<h2 class=\"wp-block-heading\">Fileless .NET stage and a modular XWorm core<\/h2>\n<p>Beyond initial access, Fortinet observed a fileless .NET stage loaded directly into memory, followed by process hollowing into msbuild.exe, a legitimate <a href=\"https:\/\/www.csoonline.com\/article\/657828\/malicious-package-campaign-on-nuget-abuses-msbuild-integrations.html\">Microsoft build<\/a> tool capable of executing .NET code. The choice of msbuild.exe aligns with the malware\u2019s runtime requirements while helping it blend into normal system activity.<\/p>\n<p>\u201cA fileless .NET stage loaded in memory, followed by process hollowing into msbuild.exe, is a clean \u2018blend in\u2019 move that leverages a legitimate .NET-capable binary and complicates attribution for simplistic detections,\u201d Soroko said. \u201cFortinet\u2019s rationale for msbuild.exe is especially useful for defenders because it ties the LOLBin choice to the malware\u2019s .NET runtime needs, not just generic masquerading.\u201d<\/p>\n<p>Once active, XWorm communicates with its C2 over AES-encrypted packets and supports a broad plugin ecosystem. That modularity, the researchers noted, expands its capabilities beyond remote access, enabling credential theft, data exfiltration, disruption, and modernization paths depending on what the operator wants.<\/p>\n<p>Fortinet said XWorm supports a wide range of operator commands, including system control (CLOSE, uninstall, update), file download and execution (DW, LN), plugin loading, screenshot capture ($Cap), keylogger retrieval, DDoS control, and shutdown or restart functions. 
The disclosure also listed indicators of compromise tied to the campaign, including phishing URLs and domains used to host HTA and loader files, the C2 server, and file hashes for both the malicious Excel attachment and the final XWorm payload.<\/p>\n<p>Barney emphasized that the broader risk hinges less on the malware label and more on post-compromise controls. \u201cCampaigns like this expose a simple reality: the entry vector is predictable. The tooling is commoditized. The only real variable is whether the environment limits what an intruder can do next,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Fortinet researchers have disclosed a new phishing campaign delivering the commercially available XWorm malware, chaining a years-old Microsoft Office vulnerability with fileless execution to escape detection. The campaign, which uses multi-themed phishing emails and a malicious Excel add-in, ultimately deploys the modular remote access trojan (RAT), which is capable of encrypted command-and-control (C2) and plugin-based expansion. 
\u201cThis campaign is striking in its ordinariness,\u201d said Shane Barney,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15789\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15789","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15789"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15789\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}