A comprehensive deep dive by the research team at Point Wild has laid bare the internal mechanics of a sophisticated malware delivery framework active in the wild. Posing a severe threat to Windows environments, the newly analyzed multi-stage infrastructure utilizes layered obfuscation and advanced defense evasion specifically engineered to slip behind enterprise defenses unnoticed.
The technical breakdown provides an intimate look at how modern authors repackage known threats to maximize their lifespan and bypass traditional endpoint inspection. The researcher analyzed a suspicious PyInstaller-packed Python sample and identified it as a multi-stage malware loader designed to deploy the XWorm Remote Access Trojan (RAT), specifically associated with the XWorm V7.4 campaign.
The attack begins with a compiled executable generated from a Python application via a modified PyInstaller stub. This packaging route is a favorite among modern operators because it effectively inflates the file size and alters classic static structural signatures, tripping up basic screening mechanisms.

Once executed, the binary extracts multiple runtime components, including a compiled Python bytecode file with a highly randomized name (BA4Q6ACPMNrd980FwZn9iEbEqkjvRmw7FhW.pyc) designed to impede quick manual assessment. According to Point Wild, the loader’s first operational priority is to blindside local endpoint response capabilities before handling its main cargo:
“The malware demonstrated advanced defense-evasion behavior by performing in-memory patching of AmsiScanBuffer to weaken Microsoft AMSI-based inspection and reduce AV/EDR visibility prior to payload deployment.”
By dynamically rebuilding sensitive API names through a custom character-shifting algorithm (e.g., subtracting integers from character values) and resolving them on the fly via GetProcAddress, the malware avoids exposing the usual plaintext string markers to static signature scanners. It changes the memory protection of the target region using VirtualProtect before writing a six-byte patch directly over the live scanning function, neutralizing the local scanning pipeline.
With the anti-malware safety nets deactivated, the script begins an extensive in-memory reconstruction routine. It extracts a heavily obfuscated blob, Base64-decodes it, and feeds the resulting stream into a complex transformation loop driven by a SHA-512-derived key. This layer incorporates rolling state calculations, modular arithmetic, and byte rotation logic to ensure the final payload remains encrypted until the moment of deployment.
The resulting byte stream is subsequently inflated via standard zlib decompression. To further frustrate hash-based tracking, the loader appends a randomized string of junk data to the end of the binary. This intentional modification changes the file hash on every installation, breaking downstream blocklists and hash-based detections.
The loader avoids obvious drop locations, staging the payload into a standard user-accessible storage path:
“Further analysis confirmed that the loader decrypts and decompresses an embedded executable payload directly from the Python package, writes the payload into the %LOCALAPPDATA% directory, modifies file attributes to Hidden and System for stealth and executes the payload silently in detached mode without displaying a visible console window.”
The payload drops under a convincing guise, Win_Kernel_Svc_AJ8iOX.exe, mimicking native operating system naming styles to evade superficial review. By issuing a call to SetFileAttributesW with a constant mask value of 8198, the malware hides the dropped file from routine system directory views. Finally, subprocess.Popen launches the asset using explicit execution flags that suppress any console window popping up on the screen.
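The Hidden and System attributes described above are one of the few host artifacts a defender can check for directly. The following is an added example (not code from Point Wild or from the sample) that decodes the 8198 attribute mask into named bits and walks %LOCALAPPDATA% for executables carrying both HIDDEN and SYSTEM; the scan itself only reports real attributes on Windows, since `st_file_attributes` is Windows-only.

```python
import os
from pathlib import Path

# Windows file attribute bits (winnt.h). The mask 8198 cited in the article is
# 0x2006 = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x2000
ATTR_NAMES = {
    FILE_ATTRIBUTE_HIDDEN: "HIDDEN",
    FILE_ATTRIBUTE_SYSTEM: "SYSTEM",
    FILE_ATTRIBUTE_NOT_CONTENT_INDEXED: "NOT_CONTENT_INDEXED",
}
# Both bits together on a user-writable executable is the stealth pattern to flag.
STEALTH_MASK = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def decode_attributes(mask: int) -> set:
    """Return the names of the known attribute bits set in a SetFileAttributesW mask."""
    return {name for bit, name in ATTR_NAMES.items() if mask & bit}


def is_suspicious(filename: str, attributes: int) -> bool:
    """True for an .exe that has both HIDDEN and SYSTEM set (extra bits are ignored)."""
    is_exe = filename.lower().endswith(".exe")
    return is_exe and (attributes & STEALTH_MASK) == STEALTH_MASK


def scan_localappdata(root=None) -> list:
    """Walk %LOCALAPPDATA% (or a given root) and list hidden+system executables.

    On non-Windows platforms os.stat() has no st_file_attributes, so the
    attribute value defaults to 0 and nothing is reported.
    """
    root = Path(root or os.environ.get("LOCALAPPDATA", ""))
    hits = []
    if not root.is_dir():
        return hits
    for path in root.rglob("*.exe"):
        try:
            attrs = getattr(path.stat(), "st_file_attributes", 0)
        except OSError:
            continue  # unreadable entry; skip rather than abort the sweep
        if is_suspicious(path.name, attrs):
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    print("mask 8198 ->", sorted(decode_attributes(8198)))
    for hit in scan_localappdata():
        print("hidden+system executable:", hit)
```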
The deployed payload is an enterprise-grade threat. Upon execution, it profiles the system, assembling user data, processing environment variables, privilege statuses, webcam availability, and anti-virus states via WMI queries to generate a unique Hardware Identifier (HWID). This info is bundled and pushed out to the primary Command and Control (C2) node located at tcp://68.219.64.89:4444 using AES-ECB encrypted communication.
The dispatcher code handles structured inbound instructions, granting operators the power to launch modular post-compromise capabilities. These include remote script fetching, fileless in-memory execution via reflection, shell access, system power controls, and a threaded botnet engine capable of turning infected hosts into nodes for distributed denial-of-service (DDoS) campaigns.