The SpiderLabs Threat Hunt Team at Trustwave has discovered a malicious campaign abusing AI-themed branding to trick users into downloading a pre-configured version of the remote management tool ScreenConnect, which concealed a multi-stage infection chain ultimately delivering the XWorm Remote Access Trojan (RAT).
Attackers crafted convincing fake AI-related websites to distribute the malware. According to the report, “the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer.”
Examples included domains like gtpgrok[.]ai and anhemvn6[.]com, which served malicious installers disguised as video files such as “Creation_Made_By_GrokAI.mp4 Grok.com”. In reality, these were renamed copies of the ScreenConnect.ClientSetup.msi installer package.
Once executed, the installer dropped a legitimate ScreenConnect binary but with manipulated Authenticode signatures embedding malicious configurations. The researchers observed that this technique “allowed the attacker to modify the behavior of the application without invalidating its digital signature.”
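The report describes configuration being carried inside the installer's Authenticode signature so that the signature still verifies. A defender triaging a suspicious ScreenConnect client can look for exactly that: data in the PE certificate table that is not part of the DER-encoded PKCS#7 signature (commonly called Authenticode stuffing), and readable host:port strings inside the table. The script below is an added example written for this article, not Trustwave's or ConnectWise's code; it assumes the smuggled configuration sits inside the certificate table (appended after the PKCS#7 structure or as plain text in the blob) and that connection targets appear as host:port strings. The PE fixture, the relay hostname and the CA URL are constructed test data.

```python
"""Inspect a PE file's Authenticode certificate table for bytes that are not
part of the DER-encoded signature and for readable host:port strings.
Added example for this article (not Trustwave's or ConnectWise's code).
Assumption: smuggled configuration lives inside the certificate table."""
import re
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot of the cert table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
PRINTABLE_ASCII = re.compile(rb"[\x20-\x7e]{8,}")
PRINTABLE_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Assumed heuristic: CA URLs in a real signature (CRL/OCSP) carry no port,
# so only host:port forms are reported.
HOST_PORT = re.compile(r"(?:[a-z][a-z0-9+.-]*://)?[a-z0-9.-]+\.[a-z]{2,}:\d{2,5}", re.I)


def certificate_table(pe: bytes):
    """Return the raw WIN_CERTIFICATE table, or None if the file is unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    return pe[offset:offset + size]


def der_length(blob: bytes) -> int:
    """Total encoded size (tag + length + body) of the DER SEQUENCE at blob[0]."""
    if blob[0] != 0x30:
        raise ValueError("signature does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def readable_strings(blob: bytes):
    """Printable ASCII and UTF-16LE runs of at least eight characters."""
    out = [m.decode("ascii") for m in PRINTABLE_ASCII.findall(blob)]
    out += [m.decode("utf-16le") for m in PRINTABLE_WIDE.findall(blob)]
    return out


def analyze_signature(pe: bytes) -> dict:
    """Report stuffed byte count and host:port strings found in the cert table."""
    table = certificate_table(pe)
    if table is None:
        return {"signed": False, "stuffed_bytes": 0, "suspicious_strings": []}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", table, 0)
    pkcs7 = table[8:dw_length]
    stuffed = len(pkcs7) - der_length(pkcs7)   # bytes beyond the signed structure
    hits = sorted({m.group(0) for s in readable_strings(table) for m in HOST_PORT.finditer(s)})
    return {"signed": True, "revision": revision, "cert_type": cert_type,
            "stuffed_bytes": stuffed, "suspicious_strings": hits}


def build_test_pe(stuffing: bytes = b"") -> bytes:
    """Constructed minimal PE32 carrying a fake signature blob (test fixture only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    cert_offset = 64 + 4 + 20 + 224                             # 312, 8-byte aligned
    # Fake PKCS#7 body: filler plus a CA-style URL, as a real signature would contain.
    body = b"\x00" * 40 + b"http://crl.example-ca.invalid/root.crl" + b"\x00" * 10
    der = b"\x30\x82" + struct.pack(">H", len(body)) + body
    cert = der + stuffing                                       # stuffing sits after the DER
    table = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print("clean  :", analyze_signature(build_test_pe()))
    print("stuffed:", analyze_signature(build_test_pe(b"relay://relay.example.invalid:8041/config")))
```

On a real sample, replace `build_test_pe()` with the bytes of the file under analysis; a non-zero `stuffed_bytes` or any host:port hit is a reason to compare the embedded target against the organisation's approved ScreenConnect relay before trusting the valid signature.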
This pre-configured client ran invisibly, connecting to attacker-controlled servers and creating a hidden remote access session without user awareness.
After establishing persistence, the attackers deployed additional payloads:
- A batch file named X-META Firebase_crypted.bat, which triggered malicious commands.
- Download of a zip archive 5btc.zip from attacker domains.
- Execution of a renamed pythonw.exe (pw.exe) running obfuscated Base64-encoded commands.
These commands pulled Python code from a GitHub repository, enabling fileless execution to bypass static defenses. Trustwave noted: “With this fileless execution, threat actors likely aimed to evade static detection mechanisms.”
Ultimately, the payload performed process injection into Chrome and Edge browsers using process hollowing, while running on a hidden desktop to avoid user detection.
The malware also implemented persistence by adding a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, disguised as Windows Security. This caused the execution of a malicious backup.bat file on every login.
Credential theft was a major goal. Analysts observed attempts to harvest sensitive browser data, including:
- Chrome and Edge login databases.
- Firefox key and login files (key4.db and logins.json).
WMI queries were also executed to gather details on the host OS and installed antivirus products.
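The chain above (remote-access client launching a batch file, a renamed pythonw.exe fed Base64-obfuscated code, and a Run key named Windows Security pointing at backup.bat) maps onto a handful of endpoint-telemetry checks. The hunt below is an added example, not Trustwave's tooling; it assumes Sysmon-style field names for process-creation (EventID 1) and registry value-set (EventID 13) records, assumes the ScreenConnect client binary name contains "ScreenConnect", and uses an arbitrary 60-character threshold for Base64 runs. The sample events are constructed, not taken from the incident.

```python
"""Hunt endpoint telemetry for the behaviours described in the article.
Added example (not Trustwave's code); Sysmon-style field names and the
sample events are assumptions/constructed data."""
import re
from pathlib import PureWindowsPath

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")      # assumed threshold


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation event."""
    findings = []
    image = basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    # Interpreter renamed on disk: version info still says pythonw.exe.
    if original == "pythonw.exe" and image != "pythonw.exe":
        findings.append(f"renamed pythonw.exe running as {image}")
    # Python given inline code that decodes Base64 or carries a long Base64 blob.
    if original in ("python.exe", "pythonw.exe") and (
            "base64" in cmd.lower() or BASE64_RUN.search(cmd)):
        findings.append("python interpreter given base64-obfuscated inline code")
    # Remote-access client spawning a batch file (assumed parent image name).
    if "screenconnect" in parent and image == "cmd.exe" and ".bat" in cmd.lower():
        findings.append(f"ScreenConnect client {parent} spawned a batch file")
    return findings


def check_registry(ev: dict) -> list:
    """Rules for a registry value-set event."""
    findings = []
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "").lower()
    if RUN_KEY.search(target):
        value_name = target.rsplit("\\", 1)[-1]
        if ".bat" in details:
            findings.append(f"Run key '{value_name}' launches batch file {details}")
        if "windows security" in value_name.lower():
            findings.append(f"Run key '{value_name}' impersonates Windows Security")
    return findings


def hunt(events: list) -> list:
    """Return (EventID, subject, finding) tuples for every matching rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            findings, subject = check_process(ev), ev.get("Image")
        elif ev["EventID"] == 13:
            findings, subject = check_registry(ev), ev.get("TargetObject")
        else:
            continue
        alerts.extend((ev["EventID"], subject, f) for f in findings)
    return alerts


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\X-META Firebase_crypted.bat"',
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.WindowsClient.exe"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\5btc\pw.exe", "OriginalFileName": "pythonw.exe",
     "CommandLine": 'pw.exe -c "import base64;exec(base64.b64decode(\'<constructed-blob>\'))"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe", "CommandLine": "chrome.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security",
     "Details": r"C:\Users\u\AppData\Roaming\backup.bat"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for event_id, subject, finding in hunt(SAMPLE_EVENTS):
        print(f"[{event_id}] {subject}: {finding}")
```

Run against real Sysmon exports, the ScreenConnect-parent rule will also fire on administrators who legitimately run scripts through the tool, so pair it with the Run-key and renamed-interpreter rules rather than alerting on it alone.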
The final payloads tied the campaign to XWorm, a malware-as-a-service RAT known for persistence, credential theft, and remote control. The team discovered that “files from the GitHub repository contained multiple execution layers… attributed to a commonly known yet still evolving malware-as-a-service RAT — XWorm.”
An extracted command-and-control IP (5[.]181[.]165[.]102:7705) had not yet been flagged by VirusTotal at the time of analysis, indicating the freshness of the campaign.
This campaign demonstrates how cybercriminals are exploiting the public fascination with AI to make their lures more convincing, while repurposing legitimate tools like ScreenConnect to evade suspicion. As the report concludes: “Sophisticated adversaries are increasingly designing campaigns to slip past automated defenses, making expert-driven threat hunting more essential than ever.”