Monday 06 July 2026 09:41:02 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Security Awareness & Social Engineering

Legacy Loophole: How Old Office Flaws Fuel the XWorm RAT Surge

Published: 16 February 2026 11:36Category: Security Awareness & Social EngineeringAuthor: CRYSTALPROXY

Subtitle: A new phishing campaign exploits an ancient Microsoft vulnerability to unleash a stealthy remote access trojan on businesses worldwide.

It begins with a routine email: a purchase order, a payment confirmation, a shipment notice-nothing out of the ordinary. But buried within the attached Excel file is a digital time bomb, detonated by a vulnerability most thought was long buried. As organizations continue to rely on legacy software, attackers are resurrecting old ghosts, and XWorm, a potent remote access trojan, is the latest to slip in through these forgotten cracks.

Old Vulnerabilities, New Threats

The latest XWorm campaign is a masterclass in cybercriminal persistence. Security researchers have traced a wave of phishing emails-crafted in multiple languages and tailored to business environments-which coax recipients into opening a seemingly innocent Excel add-in. This single click unleashes a sophisticated attack chain that weaponizes an outdated Microsoft Office component: the Equation Editor, vulnerable via CVE-2018-0802.

When the malicious file is opened, a hidden Object Linking and Embedding (OLE) component kicks in, exploiting the flaw to execute embedded shellcode. This triggers the download of an HTML Application (HTA) file, which in turn launches a PowerShell script. The script fetches a disguised image from the internet, but hidden within the image is a Base64-encoded .NET malware module. Rather than writing files to the disk-a classic red flag for security tools-the malware loads directly into memory, evading traditional detection.

The final payload, XWorm version 7.2, is injected into a legitimate Windows process (Msbuild.exe) using process hollowing. This clever sleight of hand allows the RAT to operate under the radar, masquerading as trusted software while executing malicious commands.

A Hacker’s Swiss Army Knife

Once inside, XWorm connects to its command-and-control server, encrypting communications and relaying system information (usernames, OS, hardware, antivirus status) back to its operators. The RAT’s capabilities are extensive: attackers can steal files, log keystrokes, record audio and video, manipulate system processes, and even unleash ransomware or launch DDoS attacks at will. Its plugin-based architecture-more than 50 modules strong-means that a single infection can be customized for espionage, extortion, or sabotage.

Security experts warn that this campaign is only the latest reminder of the dangers posed by unpatched legacy software. Despite years of warnings, many organizations still run vulnerable Office components, providing an open door for attackers like those wielding XWorm.

Conclusion

The XWorm surge is a stark wake-up call: in cybersecurity, yesterday’s flaws are tomorrow’s disasters. As attackers continue to exploit the weakest links-often hiding in plain sight-only a relentless focus on patching, vigilance, and cyber hygiene can keep the ghosts of old code at bay.

WIKICROOK

  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Object Linking and Embedding (OLE): OLE lets users embed or link content from different applications into documents, but it can also be abused for cyberattacks through malicious embedded objects.
  • Process Hollowing: Process hollowing is a technique where malware hides in a legitimate program’s memory, allowing it to evade detection and execute malicious actions.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.