Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A sophisticated malware campaign has been discovered utilizing paste.ee to distribute XWorm and AsyncRAT. The attackers employ obfuscated JavaScript with Unicode characters to download and execute malicious code from paste.ee URLs. The infrastructure includes multiple C2 servers across Europe and the US, using specific ports and SSL certificates. XWorm, a stealthy RAT, captures keystrokes, exfiltrates data, and maintains persistent remote access. AsyncRAT, an open-source trojan, is also part of the campaign. The attackers use a network of IP addresses and domains, with some hosted by QuadraNet Enterprises LLC and dataforest GmbH. Defenders are advised to block identified domains, monitor suspicious connections, and update security software to detect unusual behavior.
OPENCTI LABELS:
remote access trojan, xworm, obfuscation, asyncrat, remcosrat, c2 infrastructure, paste.ee, ssl certificates