
Hackers Abuse PowerShell, VBScript, and BAT Files to Deliver Xctdoor Backdoor

Cyber Security News · Jun 18, 2026

By Tushar Subhra Dutta, June 18, 2026

A new wave of cyberattacks is targeting corporate employees through files that look exactly like legitimate job documents. Hackers are distributing malicious LNK files disguised as resumes, and the moment a victim opens one, the infection quietly begins. The attack is sophisticated enough to fool cautious users, since the file shows a believable resume while running harmful scripts silently in the background.

What makes this campaign especially dangerous is how it abuses everyday Windows scripting tools. The attackers use PowerShell, VBScript, and BAT files working together to plant and activate a backdoor known as Xctdoor. This malware gives attackers ongoing access to a compromised machine while staying under the radar of standard security defenses.

Researchers at ASEC, the security intelligence division of AhnLab, identified and analyzed this attack chain in detail. According to the ASEC report shared with Cyber Security News (CSN), the threat uses a layered execution approach that creates multiple script files with random names in a public system directory, making it harder for defenders to spot. ASEC noted this infection flow is more difficult to detect than a straightforward malware execution because it blends disguised elements with legitimate system behavior.

The attack is particularly effective against departments that regularly open external documents, such as recruitment, sales, and customer support teams. Since resumes are a routine part of daily workflows, the risk of a user opening the malicious file without suspicion is very real. Security teams in organizations that handle high document volumes face a genuine challenge catching this threat early.

The Xctdoor backdoor belongs to a malware family built for long-term access to infected machines. Once deployed, it communicates with an external command and control server, allowing attackers to run actions remotely at any time. Its persistence mechanisms ensure the malware survives system reboots, keeping the attacker's access open even after a machine restarts.

Hackers Abuse PowerShell, VBScript, and BAT Files

When a victim runs the malicious LNK file, a chain reaction begins in the background immediately. The file drops batch files (.bat), PowerShell scripts (.ps1), and VBScript files (.vbs) with randomly generated names into the C:\Users\Public\Videos\ directory. These scripts register a Task Scheduler entry named "Office365" that runs a VBScript file every ten minutes, keeping the malware continuously active.

The PowerShell script downloads additional files from an external server using the curl command. Some files are Base64-encoded and, once decoded, are saved as additional PowerShell scripts in the C:\Users\Public\Pictures\ path. A follow-up script named p2.ps1 creates a startup shortcut and decrypts the downloaded files to produce an executable, a DLL file, and supporting data files.

[Figure: Registered Task Scheduler entry (Source – ASEC)]

The legitimate program ProximityUxHost.exe is then launched, and through DLL Side-Loading the malicious ProximityCommon.dll loads alongside it. This technique allows attackers to run harmful code while making everything appear normal to the system. Analysis confirmed that settings.dat, a backdoor from the Xctdoor family, is injected into the legitimate process once the DLL loads.

DLL Side-Loading and the Xctdoor Backdoor

DLL Side-Loading places a malicious DLL in the same folder as a trusted application, so that the real program loads the harmful file without knowing it. In this case, Xctdoor rides into a trusted process without triggering obvious security alerts. Once active, it connects to an external C2 server, handing the threat actor live access within the victim's environment.

[Figure: Part of the Xctdoor code (Source – ASEC)]

This multi-stage attack is difficult to detect because it combines multiple disguise layers, including fake documents, task names that mimic real services, and scheduled scripts that blend into normal activity. Security teams must regularly check the Task Scheduler for suspicious entries, especially anything named to look like a known business service, and remove them right away.

ASEC advises users to always verify the actual file extension and origin of documents from unknown sources before opening. Known malicious files should be removed from the C:\Users\Public\AppData path if discovered during a system check. Staying current with threat intelligence updates is key to catching related indicators quickly.

Indicators of Compromise (IoCs):

Type            | Indicator                                                              | Description
----------------|------------------------------------------------------------------------|-------------------------------------------------------------------------
File Name       | Malicious LNK file (resume-themed)                                     | Initial infection vector disguised as a resume document
File Name       | .bat files (random names)                                              | Batch scripts dropped in C:\Users\Public\Videos\
File Name       | .ps1 files (random names)                                              | PowerShell scripts dropped in C:\Users\Public\Videos\ and C:\Users\Public\Pictures\
File Name       | .vbs files (random names)                                              | VBScript files dropped in C:\Users\Public\Videos\
File Name       | p2.ps1                                                                 | PowerShell script responsible for decryption and DLL setup
File Name       | ProximityUxHost.exe                                                    | Legitimate executable abused via DLL Side-Loading
File Name       | ProximityCommon.dll                                                    | Malicious DLL loaded via Side-Loading technique
File Name       | settings.dat                                                           | Xctdoor family backdoor injected into legitimate process
File Name       | Microsoft.Bing.lnk                                                     | Shortcut file created in startup programs path
Registry / Task | Office365 (Task Scheduler name)                                        | Scheduled task registered for persistence, runs VBScript every 10 minutes
File Path       | C:\Users\Public\Videos\                                                | Drop location for initial script files
File Path       | C:\Users\Public\Pictures\p2.ps1                                        | Location of decoded second-stage PowerShell script
File Path       | C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365         | Path where malicious components may reside

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
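The following read-only hunting script is an added example, not code from ASEC or Cyber Security News. It checks a Windows host for the artifacts listed above: the "Office365" scheduled task and any task whose action runs a script from a Public drop folder, dropped scripts and named components in those folders, the Microsoft.Bing.lnk startup shortcut, and a ProximityUxHost.exe / ProximityCommon.dll pair sitting outside the Windows directory. The exact Startup folder is not stated in the article, so both the per-user and all-users folders are checked (an assumption); run it elevated and review hits before removing anything.

```powershell
# Added Xctdoor hunting script (not from the article or ASEC). Read-only: reports, never deletes.
# Paths and names are taken from the article's IoC table; assumptions are marked below.
$PublicDrops = @("C:\Users\Public\Videos", "C:\Users\Public\Pictures",
                 "C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365")
$ScriptExt   = @(".bat", ".ps1", ".vbs")
$KnownNames  = @("p2.ps1", "settings.dat", "ProximityUxHost.exe", "ProximityCommon.dll")
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks: the campaign registers "Office365" to run a .vbs every 10 minutes.
#    Also flag any task whose action launches something from a Public drop folder.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        $fromDrop = $PublicDrops | Where-Object { $cmd -like "*$_*" }
        if ($t.TaskName -eq "Office365" -or $fromDrop) {
            $Findings.Add("Task $($t.TaskPath)$($t.TaskName) -> $cmd")
        }
    }
}

# 2. Randomly named .bat/.ps1/.vbs droppers and the named second-stage components.
foreach ($dir in $PublicDrops) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { ($ScriptExt -contains $_.Extension.ToLower()) -or ($KnownNames -contains $_.Name) } |
            ForEach-Object { $Findings.Add("File $($_.FullName) ($($_.Length) bytes)") }
    }
}

# 3. Startup persistence: Microsoft.Bing.lnk. Assumption: article does not say which
#    Startup folder, so both the current user's and the all-users folder are checked.
$StartupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($dir in $StartupDirs) {
    $lnk = Join-Path $dir "Microsoft.Bing.lnk"
    if (Test-Path $lnk) { $Findings.Add("Startup shortcut $lnk") }
}

# 4. Side-loading tell: a copy of the legitimate ProximityUxHost.exe under C:\Users with
#    ProximityCommon.dll beside it. Report the DLL's Authenticode status for triage.
Get-ChildItem -Path "C:\Users" -Recurse -Filter "ProximityUxHost.exe" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dll = Join-Path $_.DirectoryName "ProximityCommon.dll"
        if (Test-Path $dll) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            $Findings.Add("Side-load pair $($_.FullName) + $dll (DLL signature: $sig)")
        }
    }

if ($Findings.Count -eq 0) { "No Xctdoor indicators found." } else { $Findings }
```

A clean host prints the single "no indicators" line; any other output is a lead to triage, not proof on its own, since the file names and task name are the only fixed values the campaign reuses.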