Malware Campaign Uses SVG Email Attachments to Deploy XWorm and Remcos RAT
Recent threat campaigns have revealed an evolving use of BAT-based loaders to deliver Remote Access Trojans (RATs), including XWorm and Remcos.
These campaigns typically begin with a ZIP archive—often hosted on seemingly legitimate platforms such as ImgKit—designed to entice user interaction by mimicking benign content. Once opened, the archive unpacks a highly obfuscated BAT script that orchestrates the rest of the infection chain.
Upon extraction, the ZIP file drops a BAT script that employs multiple layers of obfuscation to evade static detection engines.
When executed, this script spins up a PowerShell-based loader that injects the RAT payload directly into memory, achieving fileless execution to bypass traditional endpoint defenses.
Security researchers have documented two primary delivery methods: as an email attachment within an EML file and via a URL pointing to ImgKit.
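To show how a defender can screen mail for the two delivery artifacts this chain relies on (an SVG attachment carrying active content, and a ZIP attachment holding a .bat loader), here is an added triage script. It is not code from the article or the campaign; the EML it parses is constructed inline, and the regex patterns and file-extension list are assumptions chosen for illustration.

```python
"""Triage an .eml for SVG attachments with active content and ZIPs that carry a BAT loader.
Constructed sample input; Python standard library only."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed indicators: script or navigation inside an SVG is enough to flag it for review.
SVG_SUSPECT = re.compile(rb"<script|onload=|xlink:href=|window\.location", re.I)
LOADER_EXT = (".bat", ".cmd", ".ps1")  # assumed set of script-loader extensions

def zip_loader_members(data: bytes) -> list[str]:
    """Return archive member names whose extension marks a script loader ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(LOADER_EXT)]
    except zipfile.BadZipFile:
        return []

def triage_eml(raw: bytes) -> list[str]:
    """Walk every MIME part and return human-readable findings (empty list means clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload:
            continue
        if name.endswith(".svg") or part.get_content_type() == "image/svg+xml":
            if SVG_SUSPECT.search(payload):
                findings.append(f"svg attachment {name!r} contains active content")
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):  # ZIP magic
            members = zip_loader_members(payload)
            if members:
                findings.append(f"zip attachment {name!r} carries loader(s): {members}")
    return findings

def build_sample() -> bytes:
    """Constructed message: an SVG with an onload handler plus a ZIP holding a placeholder .bat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.bat", "@echo off\r\nrem placeholder body, not a real loader\r\n")
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
                     maintype="image", subtype="svg+xml", filename="preview.svg")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

Run `triage_eml(build_sample())` to see both findings; a plain-text message with no attachments returns an empty list.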

The flexibility in distribution channels suggests threat actors are iterating on their delivery ...
Copyright of this story belongs solely to gbhackers.