{"id":18515,"date":"2026-02-17T11:09:32","date_gmt":"2026-02-17T11:09:32","guid":{"rendered":"\/cybersecurity-blog\/?p=18515"},"modified":"2026-02-26T09:39:30","modified_gmt":"2026-02-26T09:39:30","slug":"xworm-latam-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/","title":{"rendered":"LATAM Businesses Hit by\u00a0XWorm\u00a0via Fake Financial Receipts: Full Campaign Analysis\u00a0"},"content":{"rendered":"\n<p><em><strong>Editor\u2019s note:<\/strong>&nbsp;The current article is authored by Moises Cerqueira, malware researcher and threat hunter. You can find <a href=\"https:\/\/www.linkedin.com\/in\/moises-cerqueira\/\" target=\"_blank\" rel=\"noreferrer noopener\">Moises on LinkedIn<\/a><\/em>.<\/p>\n\n\n\n<p>Malware campaigns targeting Latin America (LATAM) are evolving. While the final payloads, often commodity RATs like&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/xworm\/\" target=\"_blank\" rel=\"noreferrer noopener\">XWorm<\/a>,&nbsp;remain consistent, delivery mechanisms are becoming increasingly sophisticated to bypass region-specific&nbsp;defenses&nbsp;and increase the chance of reaching&nbsp;real business&nbsp;users.&nbsp;<\/p>\n\n\n\n<p>In this analysis, we dissect a recent campaign targeting Brazilian users. 
What starts as a <strong>deceptive \u201cbanking receipt\u201d<\/strong> quickly turns into a multi-stage infection chain that\u00a0leverages\u00a0steganography,\u00a0Cloudinary abuse, and a dedicated .NET persistence module designed to bypass traditional\u00a0schtasks\u00a0monitoring, reducing early visibility for security teams and prolonging dwell time.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-1024x538.png\" alt=\"\" class=\"wp-image-18812\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Multistage-malware-infection-analysis_XWorm-RAT-v5_6-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Complete infection chain from WScript execution to CasPol injection<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways<\/h2>\n\n\n\n<p><strong>Built to blend into finance workflows: <\/strong>A \u201creceipt\u201d lure is optimized for real corporate inboxes and shared drives across LATAM.<\/p>\n\n\n\n<p><strong>High click potential in real operations: <\/strong>Payment and receipt themes map to everyday processes, which raises the chance of execution on work machines.<\/p>\n\n\n\n<p><strong>The chain is designed to stay quiet: <\/strong>WMI execution, fileless loading, and .NET-based persistence reduce early detection signals and increase dwell time.<\/p>\n\n\n\n<p><strong>One endpoint can become an identity problem: <\/strong>XWorm access can lead to credential\/session theft and downstream compromise of email, SaaS, and finance systems.<\/p>\n\n\n\n<p><strong>Trusted services and binaries are part of the evasion: <\/strong>Cloud-hosted payload delivery and CasPol.exe abuse help the activity blend in.<\/p>\n\n\n\n<p><strong>Early detection is an operational advantage: <\/strong>Better monitoring + faster triage + <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-for-soc-and-mssp\/\" target=\"_blank\" rel=\"noreferrer noopener\">regional hunting<\/a> can keep this attack from escalating into fraud, data exposure, or ransomware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 1: The Deceptive Delivery<\/h2>\n\n\n\n<p>This campaign begins with a classic but effective technique aimed at Brazilian users: a malicious file masquerading as a bank receipt (\u201cComprovante-Bradesco\u2026\u201d). 
While it abuses the double-extension trick (.pdf.js) to look like a document, it is, in reality, a Windows Script Host (WSH) dropper designed for direct execution.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"391\" height=\"551\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig02_FileProperties.png\" alt=\"The file tries to masquerade as a PDF document\" class=\"wp-image-18520\" style=\"width:335px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig02_FileProperties.png 391w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig02_FileProperties-213x300.png 213w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig02_FileProperties-370x521.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig02_FileProperties-270x380.png 270w\" sizes=\"(max-width: 391px) 100vw, 391px\" \/><figcaption class=\"wp-element-caption\"><em>The file tries to masquerade as a PDF document with a fake extension to deceive the user.<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Although the file size is unusually large (~1.2 MB) for a simple script, this is intentional. The attackers padded it with junk data to inflate entropy and evade static analysis scanners that may skip larger files, helping the lure pass through initial controls and delaying detection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Analyzing the Obfuscated JavaScript<\/h3>\n\n\n\n<p>Upon opening the file, there\u2019s no readable code. 
Instead, the script uses heavy obfuscation via Unicode \u201cjunk injection.\u201d The malicious logic is buried inside massive string variables packed with emojis, homoglyphs, and other non-ASCII characters.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"134\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-1024x134.png\" alt=\"Heavily obfuscated code using Unicode characters and emojis\" class=\"wp-image-18521\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-1024x134.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-300x39.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-768x101.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-1536x201.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-2048x269.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-370x49.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-270x35.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig03_ObfuscatedCode-740x97.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Heavily obfuscated code using Unicode characters and emojis.<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>As seen above, the script uses a delimiter-based reconstruction method. 
Rather than relying on complex cryptography, it applies a simple .replace() function at runtime to strip away the injected Unicode noise (the delimiters) and reconstruct the payload.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Deobfuscation and Payload Extraction<\/h3>\n\n\n\n<p>To understand the dropper\u2019s intent, we replicated the deobfuscation logic using CyberChef. By stripping the specific Unicode delimiters and decoding the resulting Base64 and UTF-16LE text, we revealed the core payload.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"490\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-1024x490.png\" alt=\"Using CyberChef to strip Unicode delimiters\" class=\"wp-image-18543\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-1024x490.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-768x367.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-1536x735.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-370x177.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1-740x354.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/1.png 2005w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Using CyberChef to strip 
Unicode delimiters and reveal the PowerShell command<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The deobfuscated payload confirms that this is a pure dropper. It constructs a PowerShell command responsible for downloading the next stage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Evasion via WMI Execution<\/h3>\n\n\n\n<p>An interesting aspect of this sample is how it executes the payload. 
Instead of using the noisier WScript.Shell.Run, it leverages WMI (Windows Management Instrumentation) via GetObject(&#8220;winmgmts:root\\\\cimv2&#8221;) and Win32_Process.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"696\" height=\"611\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig05_AnyRun_ProcessGraph.png\" alt=\"ANY.RUN process graph\" class=\"wp-image-18524\" style=\"width:536px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig05_AnyRun_ProcessGraph.png 696w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig05_AnyRun_ProcessGraph-300x263.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig05_AnyRun_ProcessGraph-370x325.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig05_AnyRun_ProcessGraph-270x237.png 270w\" sizes=\"(max-width: 696px) 100vw, 696px\" \/><figcaption class=\"wp-element-caption\"><em>The&nbsp;execution&nbsp;flow&nbsp;in ANY.RUN&nbsp;confirms&nbsp;the&nbsp;use&nbsp;of&nbsp;WMI&nbsp;to&nbsp;spawn&nbsp;PowerShell<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This technique allows the attacker to set&nbsp;ShowWindow&nbsp;= 0, spawning the PowerShell process in a hidden window to avoid alerting the user. The script also implements a hardcoded&nbsp;Sleep(5000) delay, likely to ensure the system is ready and to bypass simplistic sandbox heuristics that expect immediate malicious behavior.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage&nbsp;2:&nbsp;PowerShell,&nbsp;Steganography,&nbsp;and&nbsp;Argument&nbsp;Decoding&nbsp;<\/h2>\n\n\n\n<p>Upon decoding the PowerShell command launched by the JavaScript dropper, we find a script designed to act as a stealthy bridge. 
It performs three critical tasks: downloading a disguised resource, extracting a fileless loader (Stage 3), and preparing the configuration for the final infection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Abusing Cloudinary for Evasion<\/h3>\n\n\n\n<p>The script initializes a <code>System.Net.WebClient<\/code> and sets a specific User-Agent to mimic a legitimate browser. It then reaches out to a hardcoded URL hosted on Cloudinary, a popular image hosting service.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"806\" height=\"82\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9.png\" alt=\"malware abuses Cloudinary\" class=\"wp-image-18552\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9.png 806w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9-300x31.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9-768x78.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9-370x38.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9-270x27.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/9-740x75.png 740w\" sizes=\"(max-width: 806px) 100vw, 806px\" \/><figcaption class=\"wp-element-caption\"><em>The malware abuses legitimate infrastructure (Cloudinary) to bypass domain reputation filters<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The URL is constructed at runtime using a simple replace function (.Replace('#', 'h')) to evade static string detection. To the network perimeter, this traffic looks like a user downloading a standard JPEG image.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Steganography and In-Memory Loading<\/h3>\n\n\n\n<p>The downloaded file (optimized_MSI_lpsd9p.jpg) carries a hidden payload. The PowerShell script does not save this file to disk as an image. Instead, it reads the data stream and searches for specific markers: BaseStart- and -BaseEnd.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"836\" height=\"506\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3.png\" alt=\"The Stage 3 loader is embedded within the image file boundaries\" class=\"wp-image-18544\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3.png 836w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3-768x465.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3-370x224.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/3-740x448.png 740w\" sizes=\"(max-width: 836px) 100vw, 836px\" \/><figcaption class=\"wp-element-caption\"><em>The Stage 3 loader is embedded within the image file boundaries<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The data between these markers is a Base64-encoded .NET assembly (Stage 3). 
The script extracts this blob and loads it directly into memory using [Reflection.Assembly]::Load(). This &#8220;fileless&#8221; technique ensures that the Stage 3 loader never touches the hard drive, evading traditional antivirus scans.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Deciphering the Configuration Arguments<\/h3>\n\n\n\n<p>Before invoking the loaded assembly, the PowerShell script prepares a massive argument string (<code>$argsBase64<\/code>). This is where the malware\u2019s true intent is revealed.<\/p>\n\n\n\n<p>Deobfuscating this string (Base64 \u2192 UTF-16LE) yields a comma-separated list of parameters that control the behavior of the next stages. Most notably, the first argument appears to be a random string: <strong>&#8216;0hHduAjMxQjNwYTMxAjNyAjMf9mdpVXcyF2LyJmLt92YuM3byZXasJXZsV3b29yL6MHc0RHa&#8217;<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"131\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-1024x131.png\" alt=\"Reversing and decoding the argument reveals the final payload URL\" class=\"wp-image-18545\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-1024x131.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-300x38.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-768x98.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-370x47.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-270x35.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding-740x95.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Reversing-and-decoding.png 1260w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Reversing and decoding the argument reveals the final payload URL<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Upon closer inspection, this string is actually reversed Base64. By reversing the string order and decoding it, we uncover the URL for the final XWorm payload (Stage 4): https:\/\/voulerlivros.com.br\/arquivo_20260116064120. txt<\/p>\n\n\n\n<p>The other arguments confirm the injection target and installation paths:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Injection Target:<\/strong> CasPol (defined twice in the arguments)<\/li>\n<li><strong>Install Directory:<\/strong> C:\\Users\\Public\\Downloads\\<\/li>\n<li><strong>Fallback URL:<\/strong> &#8230;\/bkp<\/li>\n<\/ul>\n\n\n\n<p>With these arguments prepared, the script invokes the Main method of the in-memory assembly, passing the configuration that drives the final phase of the attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 3: The Persistence Module (A Dedicated .NET DLL)<\/h2>\n\n\n\n<p>Contrary to what one might expect in a simple infection chain, the payload extracted from the image file is not the XWorm RAT itself. 
Instead, it is a specialized VB.NET DLL designed with a single purpose: Survival.<\/p>\n\n\n\n<p>This stage acts as a dedicated persistence module. It does not communicate with a C2, nor does it download files. Its job is to ensure that the infection survives a reboot by registering a Scheduled Task.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Evading Detection via .NET APIs<\/h3>\n\n\n\n<p>Most commodity malware takes the easy route: spawning cmd.exe \/c schtasks \/create&#8230;, which is &#8220;noisy&#8221; and easily flagged by EDRs monitoring child processes.<\/p>\n\n\n\n<p>This sample takes a stealthier approach. It abuses the Task Scheduler Managed Wrapper, interacting directly with the Windows Task Scheduler via COM interfaces (TaskService, TaskDefinition) within the .NET framework.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"469\" height=\"459\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/DLL-bypasses-schtasks.exe_.png\" alt=\"DLL bypasses schtasks.exe\" class=\"wp-image-18551\" style=\"width:431px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/DLL-bypasses-schtasks.exe_.png 469w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/DLL-bypasses-schtasks.exe_-300x294.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/DLL-bypasses-schtasks.exe_-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/DLL-bypasses-schtasks.exe_-370x362.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/DLL-bypasses-schtasks.exe_-270x264.png 270w\" sizes=\"(max-width: 469px) 100vw, 469px\" \/><figcaption class=\"wp-element-caption\"><em>The DLL bypasses schtasks.exe by using .NET APIs to register persistence directly<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By doing this, the malware leaves no command-line artifacts. 
To a defender looking at process logs, the task appears to &#8220;materialize&#8221; without a corresponding execution command.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Infection Loop<\/h3>\n\n\n\n<p>The persistence mechanism reveals the modular nature of this campaign. The scheduled task created by this DLL does not launch XWorm directly. Instead, it is configured to re-execute the Stage 2 PowerShell loader.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"716\" height=\"161\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/ANY.RUN-scheduler.png\" alt=\"ANY.RUN scheduler\" class=\"wp-image-18546\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/ANY.RUN-scheduler.png 716w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/ANY.RUN-scheduler-300x67.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/ANY.RUN-scheduler-370x83.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/ANY.RUN-scheduler-270x61.png 270w\" sizes=\"(max-width: 716px) 100vw, 716px\" \/><figcaption class=\"wp-element-caption\"><em>The created task ensures the PowerShell loader runs at logon, restarting the cycle<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Stage 4: The XWorm Payload &amp; CasPol Abuse<\/h2>\n\n\n\n<p>Following the configuration passed by the PowerShell loader, the final payload is retrieved from the URL https:\/\/voulerlivros&#8230;\/arquivo_20260116064120. txt.<\/p>\n\n\n\n<p>Despite the .txt extension, the content is not plain text. It is a reversed Base64 string. 
This lightweight obfuscation technique can still be effective against content scanners that expect standard Base64 patterns. Once reversed and decoded, the resulting binary is a .NET executable identified as XWorm v5.6.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1022\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-1022x1024.png\" alt=\"\" class=\"wp-image-18548\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-1022x1024.png 1022w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-768x770.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-370x371.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-270x271.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction-740x742.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Payload-extraction.png 1254w\" sizes=\"(max-width: 1022px) 100vw, 1022px\" \/><figcaption class=\"wp-element-caption\"><em>Reversing&nbsp;the&nbsp;text&nbsp;file&nbsp;reveals&nbsp;the&nbsp;valid&nbsp;PE header&nbsp;of&nbsp;the&nbsp;XWorm&nbsp;payload<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Living off&nbsp;the&nbsp;Land: CasPol.exe&nbsp;Injection&nbsp;<\/h3>\n\n\n\n<p>The malware does not execute as a standalone process. 
Instead, it injects itself into CasPol.exe (Code Access Security Policy Tool), a legitimate&nbsp;binary&nbsp;located&nbsp;at C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"677\" height=\"551\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig12_CasPol_Malicious.png\" alt=\"CasPol.exe\u00a0binary\u00a0is\u00a0hollowed\u00a0out\u00a0to\u00a0host\u00a0the\u00a0malicious\u00a0payload\" class=\"wp-image-18538\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig12_CasPol_Malicious.png 677w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig12_CasPol_Malicious-300x244.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig12_CasPol_Malicious-370x301.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig12_CasPol_Malicious-270x220.png 270w\" sizes=\"(max-width: 677px) 100vw, 677px\" \/><figcaption class=\"wp-element-caption\"><em>The&nbsp;legitimate&nbsp;CasPol.exe&nbsp;binary&nbsp;is&nbsp;hollowed&nbsp;out&nbsp;to&nbsp;host&nbsp;the&nbsp;malicious&nbsp;payload<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By abusing this <a href=\"https:\/\/any.run\/cybersecurity-blog\/lolbin-attacks-soc-detection-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">&#8220;Living off the Land&#8221; binary<\/a> (LOLBIN), the malware attempts to blend in with trusted system processes. 
However, in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a>, this anomaly is immediately flagged due to the suspicious network activity originating from a trusted utility.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cracking&nbsp;the&nbsp;Crypto&nbsp;(Static&nbsp;Analysis)&nbsp;<\/h3>\n\n\n\n<p>A deep dive into the payload using dnSpy reveals a critical flaw in the malware&#8217;s design. The configuration is encrypted using AES, but the implementation is weak.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key derivation:<\/strong> The AES key is generated by taking the MD5 hash of the Mutex string.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mode&nbsp;of&nbsp;operation:<\/strong>&nbsp;It uses AES-ECB (Electronic&nbsp;Codebook)&nbsp;mode.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"689\" height=\"354\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig13_dnSpy_Crypto.png\" alt=\"dnSpy Crypto\" class=\"wp-image-18539\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig13_dnSpy_Crypto.png 689w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig13_dnSpy_Crypto-300x154.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig13_dnSpy_Crypto-370x190.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig13_dnSpy_Crypto-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Fig13_dnSpy_Crypto-585x300.png 585w\" sizes=\"(max-width: 689px) 100vw, 689px\" \/><figcaption 
class=\"wp-element-caption\"><em>The&nbsp;encryption&nbsp;key&nbsp;is&nbsp;derived&nbsp;directly&nbsp;from&nbsp;the&nbsp;Mutex&nbsp;string&nbsp;using&nbsp;MD5<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Because the Mutex is hardcoded in the binary (or passed via arguments), the encryption is deterministic. This allows us to decrypt the configuration offline without needing to run the malware.<\/p>\n\n\n\n<p><strong>Decrypted&nbsp;configuration:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 Server:<\/strong>&nbsp;jholycf100.ddns.com.br (152.249.17.145)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Port:<\/strong>&nbsp;7000&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mutex:<\/strong>&nbsp;V2r1vDNFXE1YLWoA&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Splitter:<\/strong>&nbsp;&lt;Xwormmm&gt; (A&nbsp;unique&nbsp;fingerprint&nbsp;for&nbsp;XWorm)&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Behavioral&nbsp;Confirmation&nbsp;(Dynamic&nbsp;Analysis)&nbsp;<\/h3>\n\n\n\n<p>The static findings are fully corroborated by the runtime behavior observed in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mutex Creation<\/strong>: The sandbox logs show the creation of the mutex V2r1vDNFXE1YLWoA, confirming the exact seed used for our decryption.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 Traffic<\/strong>: The process CasPol.exe&nbsp;initiates&nbsp;a TCP connection to jholycf100.ddns.com.br on port 7000.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Protocol<\/strong>: The traffic stream&nbsp;contains&nbsp;the &lt;Xwormmm&gt; delimiter, matching the decrypted 
configuration.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"573\" height=\"671\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Network-stream.png\" alt=\"\" class=\"wp-image-18549\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Network-stream.png 573w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Network-stream-256x300.png 256w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Network-stream-370x433.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Network-stream-270x316.png 270w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><figcaption class=\"wp-element-caption\"><em>Network&nbsp;traffic&nbsp;confirms&nbsp;the&nbsp;C2&nbsp;destination&nbsp;and&nbsp;the&nbsp;custom&nbsp;XWorm&nbsp;protocol&nbsp;delimiter<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Business&nbsp;Impact:&nbsp;What&nbsp;This&nbsp;Means&nbsp;for&nbsp;Companies&nbsp;<\/h2>\n\n\n\n<p>This isn\u2019t \u201cjust another XWorm.\u201d The risk comes from how reliably the chain can reach corporate endpoints and how quietly it can stay there. 
A fake receipt is the kind of lure that fits normal finance and ops workflows, and the delivery stack (WMI-spawned PowerShell, cloud-hosted content, fileless loading, and task-based persistence via .NET APIs) is built to reduce the early signals many teams depend on.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential and session theft \u2192 downstream compromise:<\/strong> Once a workstation is controlled, attackers can harvest browser sessions and credentials and pivot into email, SaaS, and finance tooling, turning a single click into an identity-driven incident.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Higher blast radius, faster:<\/strong> With persistence in place, the operator can take time, map the environment, and expand access, raising the likelihood of lateral movement and follow-on payloads.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cost of delayed detection:<\/strong> \u201cLower-noise\u201d tradecraft tends to inflate MTTR because the initial event looks benign (image download, PowerShell in the background, no obvious dropped binary), while real impact surfaces later.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational risk, not just endpoint risk:<\/strong> The outcomes aren\u2019t limited to one infected machine. The realistic worst cases are business email compromise, fraudulent payments, data access, or ransomware staging, each with direct financial and reputational consequences.<\/li>\n<\/ul>\n\n\n\n<p>The takeaway is simple: this kind of campaign rewards <strong>fast, evidence-based validation<\/strong> at the first suspicious touchpoint (script\/PowerShell execution + abnormal cloud-hosted \u201cimage\u201d responses) and <strong>strict monitoring of LOLBIN abuse<\/strong> (e.g., CasPol.exe producing outbound traffic). 
Catching it early is what keeps a workstation event from becoming a business threat.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Set Up Early Detection of&nbsp;XWorm&nbsp;Attacks&nbsp;<\/h2>\n\n\n\n<p>Early detection of&nbsp;XWorm&nbsp;usually depends on how well the&nbsp;<strong>SOC operational cycle<\/strong>&nbsp;is working day to day. When monitoring, triage, and threat hunting are tightly connected, commodity RAT activity is far more likely to be&nbsp;contained&nbsp;before it turns into&nbsp;a real business&nbsp;incident.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Monitoring:&nbsp;Strengthen&nbsp;Visibility with TI Feeds&nbsp;<\/h3>\n\n\n\n<p>The first signal often appears in external infrastructure or newly observed indicators.&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s&nbsp;TI Feeds<\/a>&nbsp;help by continuously surfacing fresh&nbsp;XWorm-related domains, hashes, and&nbsp;behavioral&nbsp;patterns,&nbsp;based on telemetry and submissions coming from&nbsp;<strong>15,000+ organizations and 600,000+ security professionals<\/strong>.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"435\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-1024x435.png\" alt=\"100% actionable IOCs delivered by TI Feeds\" class=\"wp-image-18550\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-1024x435.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-300x127.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-768x326.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-1536x652.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-2048x870.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-370x157.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-740x314.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>100% actionable IOCs delivered by TI Feeds to your existing stack<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This makes it easier to spot suspicious activity earlier and push relevant IOCs directly into SIEM or EDR controls.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Triage:&nbsp;Enrich and&nbsp;Validate&nbsp;Alerts&nbsp;in&nbsp;Minutes&nbsp;<\/h3>\n\n\n\n<p>Once an alert or suspicious artifact appears, speed becomes critical.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>&nbsp;provides immediate enrichment, showing reputation, related samples, network relationships, and historical context around a file, hash, or domain.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive sandbox analysis<\/a>&nbsp;allows teams to safely execute suspicious files or URLs and&nbsp;observe&nbsp;real runtime&nbsp;behavior, confirming&nbsp;XWorm&nbsp;activity within minutes rather than hours.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-1024x568.png\" alt=\"\" class=\"wp-image-18558\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-1024x568.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-2048x1136.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sandbox-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN&#8217;s sandbox revealing full attack chains in just 1 minute<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Fast, evidence-based triage reduces uncertainty and prevents unnecessary escalation while still catching real threats early.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Threat&nbsp;Hunting:&nbsp;Track&nbsp;Active&nbsp;Regional&nbsp;Campaigns&nbsp;<\/h3>\n\n\n\n<p>The next step in the cycle is proactive visibility. 
Using structured TI Lookup queries such as&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=worm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22xworm%5C%22%20AND%20submissionCountry:%5C%22br%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;xworm&quot; AND submissionCountry:&quot;br&quot;<\/a>, SOC teams can surface the latest&nbsp;XWorm&nbsp;samples&nbsp;observed in Brazil, review delivery techniques, and pivot into related infrastructure.&nbsp;This makes detection logic more relevant to the&nbsp;<strong>current regional threat landscape<\/strong>, not just historical global data.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"590\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-1024x590.png\" alt=\"\" class=\"wp-image-18559\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-1024x590.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-768x443.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-1536x886.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-2048x1181.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-370x213.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/xworm-analyses-740x427.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup 
shows analysis sessions related to&nbsp;XWorm&nbsp;attacks&nbsp;observed&nbsp;in Brazil<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>When these three motions&nbsp;operate&nbsp;as a continuous cycle rather than isolated tasks,&nbsp;XWorm&nbsp;shifts from a late discovery to an&nbsp;<strong>early, manageable security event<\/strong>, reducing response time, investigation cost, and overall business risk.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>This campaign highlights a clear trend in LATAM-focused malware: pairing high-volume delivery vectors with established commodity RATs. While the XWorm payload itself relies on relatively basic cryptography (AES-ECB), the overall delivery chain is built for resilience.<\/p>\n\n\n\n<p>By combining HTML\/LNK delivery, Cloudinary abuse, steganography, and modular persistence (via .NET Task Scheduler APIs), the attackers have created a lower-noise infection chain that can bypass superficial defenses.<\/p>\n\n\n\n<p>For&nbsp;defenders,&nbsp;detection&nbsp;opportunities&nbsp;exist&nbsp;at&nbsp;multiple&nbsp;stages:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Delivery:<\/strong>&nbsp;Monitor for LNK\/JS files&nbsp;spawning&nbsp;PowerShell.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Network:<\/strong> Flag traffic to image hosting services (Cloudinary) where responses contain non-image headers or BaseStart markers.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Endpoint:<\/strong>&nbsp;Alert&nbsp;on&nbsp;CasPol.exe&nbsp;initiating&nbsp;outbound network connections.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of interactive malware 
analysis and threat intelligence solutions, fits naturally into modern SOC workflows, strengthening the day-to-day operational cycle across Tier 1, Tier 2, and Tier 3.<\/p>\n\n\n\n<p>It supports every step of an investigation, from safely detonating suspicious files and links to see real behavior, to enriching indicators with broader context, to delivering fresh intelligence that helps teams act faster and with fewer blind spots.<\/p>\n\n\n\n<p>Today, more&nbsp;than&nbsp;600,000&nbsp;security&nbsp;professionals&nbsp;across&nbsp;15,000+&nbsp;organizations&nbsp;use ANY.RUN&nbsp;to&nbsp;speed&nbsp;up&nbsp;triage,&nbsp;cut&nbsp;unnecessary&nbsp;escalations,&nbsp;and&nbsp;keep&nbsp;pace&nbsp;with&nbsp;fast-moving&nbsp;phishing&nbsp;and&nbsp;malware&nbsp;campaigns.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xworm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Bring&nbsp;speed&nbsp;and&nbsp;clarity&nbsp;to&nbsp;your&nbsp;SOC&nbsp;with&nbsp;ANY.RUN<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix:&nbsp;Indicators&nbsp;of&nbsp;Compromise&nbsp;(IOCs)&nbsp;<\/h2>\n\n\n\n<p><strong>Network&nbsp;Indicators<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 Domain:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=worm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522(domainName:%255C%2522jholycf100.ddns.com.br%255C%2522%2520OR%2520url:%255C%2522*jholycf100.ddns.com.br*%255C%2522)%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">jholycf100[.]ddns[.]com[.]br<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 IP:<\/strong>&nbsp;<strong>152[.]249[.]17[.]145<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Port:<\/strong>&nbsp;7000&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Payload&nbsp;URL 1 (Stego&nbsp;Loader):<\/strong>&nbsp;res[.]cloudinary[.]com\/&#8230;\/optimized_MSI_lpsd9p.jpg&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Payload&nbsp;URL 2 (XWorm):<\/strong>&nbsp;voulerlivros[.]com[.]br\/arquivo_20260116064120.txt&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Host-Based&nbsp;Indicators<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mutex:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=worm-latam-campaign&amp;utm_term=170226&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522syncObjectName:%255C%2522V2r1vDNFXE1YLWoA%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">V2r1vDNFXE1YLWoA<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>File Path:<\/strong>&nbsp;C:\\Users\\Public\\Downloads\\&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Target&nbsp;Process:<\/strong>&nbsp;CasPol.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>File&nbsp;hash:&nbsp;<\/strong>7befeacf0b3480fb675d0cab7767b5b9697edc9d0e05982025a06ead0054afd5&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PowerShell:&nbsp;<\/strong>Assembly.Load&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Detection Opportunities &#8211; YARA Rules<\/strong>&nbsp;<\/p>\n\n\n\n<p><strong>YARA &#8211; JavaScript Dropper:<\/strong>&nbsp;<\/p>\n\n\n\n<p>This rule is designed as a <strong>medium-to-high confidence hunting rule<\/strong>, prioritizing behavioral and structural indicators rather than brittle IOCs.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule JS_WSH_Unicode_Padded_Dropper\n{\n    meta:\n        description = \"WSH JavaScript dropper with Unicode padding and repeated assignment patterns\"\n        author = \"0xOlympus\"\n        confidence = \"medium-high\"\n    strings:\n        $assign = \"this.\" ascii\n        \/\/ \"this.vatful += \\\"\" followed by the multi-byte Unicode padding characters seen in the sample\n        $pad = {\n            74 68 69 73 2E 76 61 74 66 75 6C 20 2B 3D 20 22\n            E0 B2 92 E2 9C 96 C8 B7\n        }\n        $wsh = \"Scripting.FileSystemObject\" ascii nocase\n    condition:\n        \/* Exclude PE files *\/\n        uint16(0) != 0x5A4D and\n        \/* Script-sized payloads (not tiny JS snippets) *\/\n        filesize &gt; 1000KB and\n        \/* Must be WSH-based *\/\n        $wsh and\n        \/* Obfuscation indicators *\/\n        (\n            $pad or\n            $assign\n        )\n}<\/code><\/pre>\n\n\n\n<p><strong>Key detection components:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Non-PE filtering<\/strong>&nbsp;<br>The check uint16(0) != 0x5A4D ensures that only script-based files are evaluated, preventing false positives on executable payloads.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>File size heuristic<\/strong>&nbsp;<br>The condition filesize &gt; 1000KB targets scripts that abuse <strong>entropy padding<\/strong>. Legitimate JavaScript files are rarely this large, especially when used as WSH droppers.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>YARA &#8211; XWorm 5.6 Payload:<\/strong>&nbsp;<\/p>\n\n\n\n<p>This rule targets the final XWorm RAT binary, using protocol and cryptographic fingerprints that are stable across XWorm versions.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule XWorm_PE_v56\n{\n    meta:\n        description = \"XWorm RAT v5.6 .NET payload\"\n        author = \"0xOlympus\"\n        family = \"XWorm\"\n        version = \"5.6\"\n        confidence = \"very high\"\n    strings:\n        \/\/ Protocol splitter (strong family fingerprint)\n        \/\/ .NET string literals live in the #US heap as UTF-16, so match both encodings\n        $splitter = \"&lt;Xwormmm&gt;\" ascii wide\n        \/\/ Cryptographic implementation\n        $crypto1 = \"RijndaelManaged\" ascii\n        $crypto2 = \"MD5CryptoServiceProvider\" ascii\n        $crypto3 = \"CipherMode.ECB\" ascii\n        \/\/ Network functionality\n        $net1 = \"System.Net.Sockets\" ascii\n        $net2 = \"NetworkStream\" ascii\n    condition:\n        uint16(0) == 0x5A4D and\n        filesize &lt; 5MB and\n        $splitter and\n        2 of ($crypto*) and\n        1 of ($net*)\n}<\/code><\/pre>\n\n\n\n<p>Note: The &lt;Xwormmm&gt; splitter combined with AES-ECB + MD5 key derivation provides a near-unique signature for XWorm, resulting in very low false-positive risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;The current article is authored by Moises Cerqueira, malware researcher and threat hunter. You can find Moises on LinkedIn. Malware campaigns targeting Latin America (LATAM) are evolving. 
While the final payloads, often commodity RATs like&nbsp;XWorm,&nbsp;remain consistent, delivery mechanisms are becoming increasingly sophisticated to bypass region-specific&nbsp;defenses&nbsp;and increase the chance of reaching&nbsp;real business&nbsp;users.&nbsp; In this analysis, [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":18590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-18515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How XWorm Targets LATAM Businesses: Full Technical Analysis<\/title>\n<meta name=\"description\" content=\"Technical and business breakdown of a multi-stage XWorm attack in LATAM, and early detection strategies for SOC teams.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Moises Cerqueira (0xOlympus)\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\"},\"author\":{\"name\":\"Moises Cerqueira (0xOlympus)\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"LATAM Businesses Hit by\u00a0XWorm\u00a0via Fake Financial Receipts: Full Campaign Analysis\u00a0\",\"datePublished\":\"2026-02-17T11:09:32+00:00\",\"dateModified\":\"2026-02-26T09:39:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\"},\"wordCount\":3503,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\",\"name\":\"How XWorm Targets LATAM Businesses: Full Technical Analysis\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-02-17T11:09:32+00:00\",\"dateModified\":\"2026-02-26T09:39:30+00:00\",\"description\":\"Technical and business breakdown of a multi-stage XWorm attack in LATAM, and early detection strategies for SOC 
teams.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"LATAM Businesses Hit by\u00a0XWorm\u00a0via Fake Financial Receipts: Full Campaign Analysis\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Moises Cerqueira (0xOlympus)\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg\",\"caption\":\"Moises Cerqueira (0xOlympus)\"},\"description\":\"Malware Researcher & Threat Hunter with a strong background in Blue Team operations. Specialized in malware analysis and reverse engineering, with hands-on experience dissecting binaries and reconstructing attacker TTPs from initial delivery to command-and-control communication. Driven by a deep interest in adversary tradecraft, bridging low-level technical analysis with strategic threat intelligence and detection engineering. Follow Moises on: LinkedIn X Website\",\"sameAs\":[\"https:\/\/0xdelta.org\/\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How XWorm Targets LATAM Businesses: Full Technical Analysis","description":"Technical and business breakdown of a multi-stage XWorm attack in LATAM, and early detection strategies for SOC teams.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/","twitter_misc":{"Written by":"Moises Cerqueira (0xOlympus)","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/"},"author":{"name":"Moises Cerqueira (0xOlympus)","@id":"https:\/\/any.run\/"},"headline":"LATAM Businesses Hit by\u00a0XWorm\u00a0via Fake Financial Receipts: Full Campaign Analysis\u00a0","datePublished":"2026-02-17T11:09:32+00:00","dateModified":"2026-02-26T09:39:30+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/"},"wordCount":3503,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/","url":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/","name":"How XWorm Targets LATAM Businesses: Full Technical Analysis","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-02-17T11:09:32+00:00","dateModified":"2026-02-26T09:39:30+00:00","description":"Technical and business breakdown of a multi-stage XWorm attack in LATAM, and early detection strategies for SOC 
teams.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"LATAM Businesses Hit by\u00a0XWorm\u00a0via Fake Financial Receipts: Full Campaign Analysis\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Moises Cerqueira 
(0xOlympus)","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg","caption":"Moises Cerqueira (0xOlympus)"},"description":"Malware Researcher & Threat Hunter with a strong background in Blue Team operations. Specialized in malware analysis and reverse engineering, with hands-on experience dissecting binaries and reconstructing attacker TTPs from initial delivery to command-and-control communication. Driven by a deep interest in adversary tradecraft, bridging low-level technical analysis with strategic threat intelligence and detection engineering. Follow Moises on: LinkedIn X Website","sameAs":["https:\/\/0xdelta.org\/"],"url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18515"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=18515"}],"version-history":[{"count":40,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18515\/revisions"}],"predecessor-version":[{"id":18847,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18515\/revisions\/18847"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/18590"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=18515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=18515"},{"taxo
nomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=18515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}