Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

· Published 06/06/2025 11:02 · Modified 08/06/2025 16:47

Essential information

Published: 06/06/2025 11:02
Modified: 08/06/2025 16:47
Tags: 2025-06-06 asyncrat c2 infrastructure obfuscation paste.ee remcosrat remote access trojan ssl certificates xworm
Related entities: 12 observables, 14 techniques (mitre), 3 malware, 3 others

Description

A sophisticated malware campaign has been discovered utilizing to distribute and . The attackers employ obfuscated JavaScript with Unicode characters to download and execute malicious code from URLs. The infrastructure includes multiple C2 servers across Europe and the US, using specific ports and . , a stealthy RAT, captures keystrokes, exfiltrates data, and maintains persistent remote access. , an open-source trojan, is also part of the campaign. The attackers use a network of IP addresses and domains, with some hosted by QuadraNet Enterprises LLC and dataforest GmbH. Defenders are advised to block identified domains, monitor suspicious connections, and update security software to detect unusual behavior.

External references