Hackers Abuse Script Files to Deliver Xctdoor Backdoor
A new wave of cyberattacks is exploiting corporate employees, leveraging malicious files meticulously disguised as legitimate job documents.
Hackers are distributing malicious LNK files disguised as resumes, and the moment a victim opens one, the infection quietly begins.
The attack is sophisticated enough to fool cautious users, since the file shows a believable resume while running harmful scripts silently in the background.
What makes this campaign especially dangerous is how it abuses everyday Windows scripting tools. The attackers use PowerShell, VBScript, and BAT files working together to plant and activate a backdoor known as Xctdoor.
This malware gives attackers ongoing access to a compromised machine while staying under the radar of standard security defenses.
Researchers at ASEC, the security intelligence division of AhnLab, identified and analyzed this attack chain in detail.
According to the ASEC report shared with Cyber Security News (CSN), the threat uses a layered execution approach that creates multiple script files with random names in a public system directory, making it harder for defenders to spot.
ASEC noted this infection flow is more difficult to detect than a straightforward malware execution because it blends disguised elements with legitimate system behavior.
The attack is particularly effective against departments that regularly open external documents, such as recruitment, sales, and customer support teams.
Since resumes are a routine part of daily workflows, the risk of a user opening the malicious file without suspicion is very real. Security teams in organizations that handle high document volumes face a genuine challenge catching this threat early.
The Xctdoor backdoor belongs to a malware family built for long-term access to infected machines. Once deployed, it communicates with an external command and control server, allowing attackers to run actions remotely at any time.
Its persistence mechanisms ensure the malware survives system reboots, keeping the attacker’s access open even after a machine restarts.
Hackers Abuse PowerShell, VBScript, and BAT Files
When a victim runs the malicious LNK file, a chain reaction begins in the background immediately.
The file drops batch files (.bat), PowerShell scripts (.ps1), and VBScript files (.vbs) with randomly generated names into the C:\Users\Public\Videos directory.
These scripts register a Task Scheduler entry named “Office365” that runs a VBScript file every ten minutes, keeping the malware continuously active.
The PowerShell script downloads additional files from an external server using the curl command. Some files are Base64-encoded and, once decoded, are saved as additional PowerShell scripts in the C:\Users\Public\Pictures path.
A follow-up script named p2.ps1 creates a startup shortcut and decrypts the downloaded files to produce an executable, a DLL file, and supporting data files.

The legitimate program ProximityUxHost.exe is then launched, and through DLL Side-Loading, the malicious ProximityCommon.dll loads alongside it.
This technique allows attackers to run harmful code while making everything appear normal to the system. Analysis confirmed that settings.dat, a backdoor from the Xctdoor family, is injected into the legitimate process once the DLL loads.
DLL Side-Loading and the Xctdoor Backdoor
DLL Side-Loading places a malicious DLL in the same folder as a trusted application, causing the real program to load the harmful file without knowing.
In this case, Xctdoor rides into a trusted process without triggering obvious security alerts. Once active, it connects to an external C2 server, handing the threat actor live access within the victim’s environment.
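The check a defender would run for this part of the chain is to find a copy of the trusted host binary outside the Windows system directory with a same-named DLL beside it, then compare that DLL against the system copy and its Authenticode signature. The PowerShell below is an added example and is not code from the ASEC report or this article; it assumes the genuine ProximityUxHost.exe and ProximityCommon.dll live in $env:SystemRoot\System32 and that a side-loaded pair sits in a user-writable folder, and the search roots are a guess at common staging locations.

```powershell
# Added example (not code from the ASEC report): look for ProximityUxHost.exe
# outside the Windows system directory with a ProximityCommon.dll beside it, then
# compare that DLL with the system copy and check its Authenticode signature.
# Assumption: the genuine ProximityUxHost.exe and ProximityCommon.dll live in
# $env:SystemRoot\System32; a side-loaded copy sits in a user-writable folder.

function Test-SideLoadedDll {
    [CmdletBinding()]
    param(
        [string]$ExeName = 'ProximityUxHost.exe',
        [string]$DllName = 'ProximityCommon.dll',
        [string[]]$SearchRoots = @('C:\Users\Public', $env:ProgramData, $env:LOCALAPPDATA, $env:TEMP),
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )

    # Reference hash of the legitimate DLL; $null if this build lacks the component.
    $refDll  = Join-Path $SystemDir $DllName
    $refHash = if (Test-Path -LiteralPath $refDll) { (Get-FileHash -LiteralPath $refDll -Algorithm SHA256).Hash } else { $null }

    foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Filter $ExeName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = $_
            $dll = Join-Path $exe.DirectoryName $DllName
            # A lone copy of the exe is not side-loading; the DLL next to it is the tell.
            if (-not (Test-Path -LiteralPath $dll)) { return }

            $dllHash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            $dllSig  = Get-AuthenticodeSignature -FilePath $dll
            $exeSig  = Get-AuthenticodeSignature -FilePath $exe.FullName
            $differs = ($null -ne $refHash) -and ($dllHash -ne $refHash)

            [pscustomobject]@{
                ExePath             = $exe.FullName
                ExeSignature        = $exeSig.Status   # usually Valid: the host binary is genuine
                DllPath             = $dll
                DllSha256           = $dllHash
                DllSignature        = $dllSig.Status   # Valid for the Microsoft-shipped DLL
                DllSigner           = $dllSig.SignerCertificate.Subject
                DiffersFromSystem32 = $differs
                Suspicious          = $differs -or ($dllSig.Status -ne 'Valid')
            }
        }
    }
}

# Usage: list only the hits worth an analyst's time.
Test-SideLoadedDll | Where-Object Suspicious | Format-List
```

The signed host binary is exactly what makes side-loading quiet, so the exe's own signature status is recorded but never used as a verdict; the DLL's hash mismatch with the System32 copy and its missing or invalid signature are what raise `Suspicious`. The same function works for any other side-loading pair by passing different `-ExeName` and `-DllName` values.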

This multi-stage attack is difficult to detect because it combines multiple disguise layers, including fake documents, task names that mimic real services, and scheduled scripts that blend into normal activity.
Security teams must regularly check the Task Scheduler for suspicious entries, especially anything named to look like a known business service, and remove them right away.
ASEC advises users to always verify the actual file extension and origin of documents from unknown sources before opening.
Known malicious files should be removed from the C:\Users\Public\AppData path if discovered during a system check. Staying current with threat intelligence updates is key to catching related indicators quickly.
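The infection chain described earlier (scripts dropped under C:\Users\Public, an "Office365" task running a VBScript every ten minutes, a startup shortcut) and the Task Scheduler and file-removal advice above can be turned into one hunt-and-clean script. The PowerShell below is an added example, not code from ASEC or this article. It matches tasks on what they execute rather than on their name, since the name is chosen to look legitimate. Assumptions not stated on the page: the Microsoft.Bing.lnk shortcut sits in the per-user or common Startup folder, and the Microsoft.BingSearch365 package path is only checked for existence.

```powershell
# Added example, not code from the ASEC report or this article: enumerate the
# persistence and staging artifacts the chain leaves behind (a script-backed
# scheduled task, dropped .bat/.ps1/.vbs files, a startup shortcut) and, with
# -Remove, take out the ones the report names. Assumptions not stated on the page:
# the Microsoft.Bing.lnk shortcut sits in the per-user or common Startup folder,
# and the Microsoft.BingSearch365 package path is only checked for existence.
# Run elevated so tasks registered by other accounts are visible.

function Get-ScriptBackedTask {
    # Match on what a task runs, not its name: "Office365" is chosen to look
    # legitimate, but an action that points at a .vbs under C:\Users\Public is not.
    param([string[]]$WritableRoots = @('C:\Users\Public', $env:TEMP))
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            $scriptLike = $cmd -match '\.(vbs|ps1|bat|cmd)\b'
            $inWritable = @($WritableRoots | Where-Object { $_ -and $cmd -like "*$_*" }).Count -gt 0
            if ($scriptLike -or $inWritable) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                    # ISO 8601 duration; the reported ten-minute task shows PT10M
                    Interval = (@($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ',')
                }
            }
        }
    }
}

function Get-DroppedScript {
    param([string[]]$DropDirs = @('C:\Users\Public\Videos', 'C:\Users\Public\Pictures'))
    foreach ($dir in ($DropDirs | Where-Object { Test-Path -LiteralPath $_ })) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.bat, *.ps1, *.vbs -ErrorAction SilentlyContinue
    }
}

function Get-StartupShortcut {
    param([string]$Name = 'Microsoft.Bing.lnk')
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $lnk = Join-Path ([Environment]::GetFolderPath($folder)) $Name
        if (Test-Path -LiteralPath $lnk) {
            $sc = $shell.CreateShortcut($lnk)   # resolves what the shortcut launches
            [pscustomobject]@{ Shortcut = $lnk; Target = $sc.TargetPath; Arguments = $sc.Arguments }
        }
    }
}

function Invoke-XctdoorHunt {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)

    $report = [pscustomobject]@{
        Tasks            = @(Get-ScriptBackedTask)
        DroppedScripts   = @(Get-DroppedScript | ForEach-Object FullName)
        StartupShortcuts = @(Get-StartupShortcut)
        PackageDirExists = Test-Path -LiteralPath 'C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365'
    }

    if ($Remove) {
        # Only the task the report names is unregistered; other hits stay for triage.
        foreach ($t in ($report.Tasks | Where-Object TaskName -eq 'Office365')) {
            if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister scheduled task')) {
                Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
            }
        }
        $paths = $report.DroppedScripts + @($report.StartupShortcuts | ForEach-Object Shortcut)
        foreach ($p in $paths) {
            if ($PSCmdlet.ShouldProcess($p, 'Remove file')) { Remove-Item -LiteralPath $p -Force }
        }
    }
    $report
}

# Usage: preview first, then act. -WhatIf prints what would be removed without touching anything.
Invoke-XctdoorHunt -Remove -WhatIf
```

Run it once without `-Remove` to get the report object, copy the listed scripts and the shortcut to an evidence location before deleting anything, and only then rerun with `-Remove`. The task list will include benign entries that happen to run scripts; that is intentional, because a renamed task would otherwise slip past a name-only check.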
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| File Name | Malicious LNK file (resume-themed) | Initial infection vector disguised as a resume document |
| File Name | .bat files (random names) | Batch scripts dropped in C:\Users\Public\Videos |
| File Name | .ps1 files (random names) | PowerShell scripts dropped in C:\Users\Public\Videos and C:\Users\Public\Pictures |
| File Name | .vbs files (random names) | VBScript files dropped in C:\Users\Public\Videos |
| File Name | p2.ps1 | PowerShell script responsible for decryption and DLL setup |
| File Name | ProximityUxHost.exe | Legitimate executable abused via DLL Side-Loading |
| File Name | ProximityCommon.dll | Malicious DLL loaded via Side-Loading technique |
| File Name | settings.dat | Xctdoor family backdoor injected into legitimate process |
| File Name | Microsoft.Bing.lnk | Shortcut file created in startup programs path |
| Registry / Task | Office365 (Task Scheduler name) | Scheduled task registered for persistence, runs VBScript every 10 minutes |
| File Path | C:\Users\Public\Videos | Drop location for initial script files |
| File Path | C:\Users\Public\Pictures\p2.ps1 | Location of decoded second-stage PowerShell script |
| File Path | C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365 | Path where malicious components may reside |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.