
A Ghost in the Spreadsheet: How XWorm RAT Hides in Plain Sight

Attackers are doubling down on stealth, and Forcepoint X Labs researchers have traced a recent campaign that shows just how invisible Remote Access Trojans can be when paired with shellcode and reflective loading.

The lure is old, the tactics are new

It starts with the oldest trick in the book: a phishing email carrying what looks like a routine invoice. The attachment, an Excel add-in (.xlam), unzips to reveal an embedded OLE object. Hidden inside is encrypted shellcode—precisely the kind of payload that can slide past cursory scans of office documents.
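The first thing a responder wants from an attachment like this is a quick answer to "does it carry an embedded object, and does that object look encrypted?" The helper below is an added example (not Forcepoint's tooling and not code from the report): it opens an .xlam as the OOXML zip it is, lists everything under xl/embeddings/, checks for the OLE compound-file magic, and scores each object by its highest per-window entropy, which is what exposes an encrypted stream hidden inside an otherwise zero-heavy OLE container. The 7.2 bits/byte threshold, the 512-byte window and the sample workbook are assumptions constructed for the demo; the "encrypted" blob is a SHA-256 chain standing in for real ciphertext, not a sample from the campaign.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Compound-file (OLE2) header magic; genuine embedded objects start with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Plain OLE structures, text and VBA sit well below this; encrypted or
# compressed data lands near 8.0 bits per byte. The cut-off is a tuning assumption.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 512) -> float:
    """Highest entropy seen over fixed-size windows.

    An OLE container is mostly zero-filled header, FAT and directory sectors,
    so whole-file entropy would dilute an encrypted stream buried inside it.
    """
    return max(
        (shannon_entropy(data[off:off + window]) for off in range(0, len(data), window)),
        default=0.0,
    )


def triage_xlam(blob: bytes) -> dict:
    """Inspect an .xlam/.xlsm (OOXML zip) for macros and embedded objects."""
    report = {"has_vba": False, "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                report["has_vba"] = True
            if not lower.startswith("xl/embeddings/"):
                continue
            data = zf.read(name)
            ent = max_window_entropy(data)
            report["embeddings"].append({
                "name": name,
                "size": len(data),
                "is_ole": data.startswith(OLE_MAGIC),
                "max_window_entropy": round(ent, 2),
                "suspicious": ent >= ENTROPY_THRESHOLD,
            })
    return report


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted blob (a SHA-256 chain, not a cipher)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_xlam() -> bytes:
    """Constructed .xlam-shaped zip for the demo; not a real sample from the campaign."""
    header = OLE_MAGIC + b"\x00" * 504          # minimal fake OLE header sector
    encrypted_like = header + _pseudo_random(4096)   # what an encrypted shellcode stream looks like
    benign_like = header + b"A" * 4096               # low-entropy filler, should not be flagged
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", header)
        zf.writestr("xl/embeddings/oleObject1.bin", encrypted_like)
        zf.writestr("xl/embeddings/oleObject2.bin", benign_like)
    return buf.getvalue()


if __name__ == "__main__":
    for emb in triage_xlam(build_sample_xlam())["embeddings"]:
        print(emb)
```

On a real file the flagged object should then be handed to a proper OLE parser (olefile/oletools) so the individual streams, not just the container, are scored and carved.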

Once decoded, the shellcode locates its own address (the GetEIP trick) and resolves the Windows APIs it needs, such as GetProcAddress, then loads urlmon.dll and calls its URLDownloadToFile to quietly fetch the next stage: a .NET executable named UXO.exe. Rather than launching that file as a new, visible process, the shellcode hands it to LoadLibraryW, so the payload runs inside the already-compromised Office process. Note that URLDownloadToFile does write the download to disk; the stealth here is in how the file is executed, not in avoiding the filesystem.

A cascade of reflective loading

UXO.exe is no ordinary binary. Forcepoint’s analysis shows it pulling additional components from its resources using System.Drawing routines, a common sleight-of-hand in .NET malware. First comes CreativeAI.dll, which is reflectively injected, followed by another payload, DriverFixPro.dll. Each stage is obfuscated, encrypted, and memory-resident, making analysis difficult and signature-based defenses nearly useless.

The final reveal comes through memory dumps: strings such as "UD_XWormClient 6.5" link the campaign to the XWorm malware family. From there the RAT connects to command-and-control infrastructure at berlin101[.]com, exfiltrating sensitive data while staying resident through process injection.
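Because the later stages are .NET, the strings that give the game away in memory are stored as UTF-16LE, and a plain ASCII `strings` pass over a dump can miss them. The scanner below is an added example, not part of Forcepoint's report: it searches a raw process dump for the two indicators the article names (the UD_XWormClient marker and the berlin101.com C2 host) in both ASCII and UTF-16LE, and returns the printable run that follows each hit so the version suffix comes out with it. The dump it runs on is constructed inline for the demo; the 32-character context limit is an assumption.

```python
import re

# Indicators taken from the write-up above; everything else here is constructed.
MARKERS = ("UD_XWormClient", "berlin101.com")


def _utf16le_pattern(text: str) -> bytes:
    """Regex bytes matching `text` as UTF-16LE (each ASCII char followed by NUL)."""
    return b"".join(re.escape(ch.encode("ascii")) + b"\x00" for ch in text)


def find_marker(dump: bytes, marker: str, context: int = 32) -> list:
    """Locate `marker` in ASCII and UTF-16LE; capture up to `context` printable chars after it."""
    hits = []
    ascii_re = re.compile(re.escape(marker.encode("ascii")) + rb"[\x20-\x7e]{0,%d}" % context)
    for m in ascii_re.finditer(dump):
        hits.append({"offset": m.start(), "encoding": "ascii",
                     "text": m.group(0).decode("ascii")})
    u16_re = re.compile(_utf16le_pattern(marker) + rb"(?:[\x20-\x7e]\x00){0,%d}" % context)
    for m in u16_re.finditer(dump):
        hits.append({"offset": m.start(), "encoding": "utf-16le",
                     "text": m.group(0).decode("utf-16-le")})
    return hits


def scan_dump(dump: bytes, markers=MARKERS) -> list:
    """Run every marker over the dump and return hits in offset order."""
    hits = []
    for marker in markers:
        hits.extend(find_marker(dump, marker))
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump, not a real capture.

    The .NET client marker is embedded as UTF-16LE, as the CLR stores strings;
    the C2 host appears once as ASCII (as it would in a raw socket buffer)
    and once as UTF-16LE (as a managed string).
    """
    filler = b"\x00" * 64 + bytes(range(256)) + b"\x00" * 64
    return (filler
            + "UD_XWormClient 6.5".encode("utf-16-le") + b"\x00\x00"
            + filler
            + b"berlin101.com" + b"\x00" * 16
            + filler
            + "berlin101.com".encode("utf-16-le") + b"\x00\x00"
            + filler)


if __name__ == "__main__":
    for hit in scan_dump(build_sample_dump()):
        print(f"{hit['offset']:#08x} {hit['encoding']:8s} {hit['text']}")
```

The equivalent quick check on the command line is `strings -el` (GNU binutils' little-endian 16-bit mode) alongside the default ASCII pass; an ASCII-only sweep of the sample dump above finds the C2 host once and never sees the client marker at all.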

Why it matters

The technical tricks aren't groundbreaking on their own (encrypted OLE streams, GetEIP shellcode, reflective DLL injection), but together they form a chain that keeps attackers hidden for long stretches. It is what is usually called "fileless" malware: the downloader stage does touch disk, but every payload after it is unpacked and executed in memory, precisely to frustrate defenders who rely on file-based detection.

For enterprises, this underscores a simple but urgent reality: stopping a threat like XWorm isn’t about spotting a malicious file, it’s about correlating behaviors across email, memory, and the network. Without visibility into runtime anomalies and outbound C2 traffic, campaigns like this can persist unnoticed.

The bigger picture

Forcepoint’s research highlights a trend security teams can’t afford to ignore. Remote Access Trojans aren’t going away, they’re just getting better at erasing their footprints. “Attackers are investing in stealthy delivery chains that maximize dwell time and minimize forensic evidence,” the report concludes. In practice, that means the defense playbook must adapt. Email filters, EDRs tuned for memory anomalies, and proactive threat intel blocking C2 domains are all part of the new baseline.

The invoice scam may look ordinary, but the malware it conceals is anything but.
