
Hackers Abuse PowerShell, VBScript, and BAT Files to Deliver Xctdoor Backdoor

A new wave of cyberattacks is targeting corporate employees through files that look exactly like legitimate job documents.

Hackers are distributing malicious LNK files disguised as resumes, and the moment a victim opens one, the infection quietly begins.

The attack is sophisticated enough to fool cautious users, since the file shows a believable resume while running harmful scripts silently in the background.

What makes this campaign especially dangerous is how it abuses everyday Windows scripting tools. The attackers use PowerShell, VBScript, and BAT files working together to plant and activate a backdoor known as Xctdoor.

This malware gives attackers ongoing access to a compromised machine while staying under the radar of standard security defenses.

Researchers at ASEC, the security intelligence division of AhnLab, identified and analyzed this attack chain in detail.

According to the ASEC report shared with Cyber Security News (CSN), the threat uses a layered execution approach that drops multiple script files with random names into the shared C:\Users\Public profile directory, a location that is writable by every user and rarely watched, making the files harder for defenders to spot.

ASEC noted this infection flow is more difficult to detect than a straightforward malware execution because it blends disguised elements with legitimate system behavior.

The attack is particularly effective against departments that regularly open external documents, such as recruitment, sales, and customer support teams.

Since resumes are a routine part of daily workflows, the risk of a user opening the malicious file without suspicion is very real. Security teams in organizations that handle high document volumes face a genuine challenge catching this threat early.

The Xctdoor backdoor belongs to a malware family built for long-term access to infected machines. Once deployed, it communicates with an external command-and-control (C2) server, allowing attackers to run actions remotely at any time.

Its persistence mechanisms ensure the malware survives system reboots, keeping the attacker’s access open even after a machine restarts.

Hackers Abuse PowerShell, VBScript, and BAT Files

When a victim runs the malicious LNK file, a chain reaction begins in the background immediately.

The file drops batch files (.bat), PowerShell scripts (.ps1), and VBScript files (.vbs) with randomly generated names into the C:\Users\Public\Videos\ directory.

These scripts register a Task Scheduler entry named “Office365” that runs a VBScript file every ten minutes, keeping the malware continuously active.

The PowerShell script downloads additional files from an external server using the curl command (curl.exe has shipped with Windows 10 since version 1803, so the attacker needs no extra tooling on the host). Some files are Base64-encoded and, once decoded, are saved as additional PowerShell scripts in the C:\Users\Public\Pictures\ path.

A follow-up script named p2.ps1 creates a startup shortcut and decrypts the downloaded files to produce an executable, a DLL file, and supporting data files.

Registered Task Scheduler (Source – ASEC)

The legitimate program ProximityUxHost.exe is then launched, and through DLL Side-Loading, the malicious ProximityCommon.dll loads alongside it.

This technique allows attackers to run harmful code while making everything appear normal to the system: the process on the process list is a signed Microsoft binary. Analysis confirmed that the Xctdoor backdoor carried in settings.dat is injected into the legitimate process once the DLL loads.
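The following hunting script is an added example and is not code from the ASEC report or from the campaign itself. It checks a single host for the artefacts the chain above leaves behind: the task name, directories and file names are the ones the article gives, while the checks, the "p2.ps1" tagging and the output layout are this script's own. It assumes it is run in an elevated PowerShell session so that every user profile and every scheduled task is readable.

```powershell
# Added hunting script (not from the ASEC report): looks for the Xctdoor chain
# artefacts on one host. Task name, paths and file names are the article's;
# the checks and output format are assumptions of this example.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# 1. Scheduled task named "Office365": record what it runs and how often it repeats.
foreach ($task in Get-ScheduledTask -TaskName 'Office365') {
    $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
    if (-not $interval) { $interval = 'no repetition' }
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) "runs '$cmd' (interval $interval)"
    }
}

# 2. Script files (.bat/.ps1/.vbs) in the public media folders used as drop locations.
foreach ($dir in 'C:\Users\Public\Videos', 'C:\Users\Public\Pictures') {
    Get-ChildItem -Path $dir -Recurse -File -Include *.bat, *.ps1, *.vbs | ForEach-Object {
        $tag = if ($_.Name -ieq 'p2.ps1') { 'second-stage script' } else { 'dropped script' }
        Add-Finding 'DroppedScript' $_.FullName "$tag, created $($_.CreationTime)"
    }
}

# 3. Microsoft.Bing.lnk in the all-users Startup folder and in every profile's Startup folder.
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
$startupDirs += Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    $lnk = Join-Path $dir 'Microsoft.Bing.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $sc = $shell.CreateShortcut($lnk)   # on an existing .lnk this reads its target and arguments
        Add-Finding 'StartupShortcut' $lnk "target: $($sc.TargetPath) $($sc.Arguments)"
    }
}

# 4. The package-style directory the article lists as a possible home for the components.
$pkg = 'C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365'
if (Test-Path -LiteralPath $pkg) {
    Get-ChildItem -Path $pkg -Recurse -File | ForEach-Object {
        Add-Finding 'PackageDir' $_.FullName "size $($_.Length) bytes"
    }
}

if ($findings.Count -eq 0) { 'No Xctdoor chain artefacts found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on any one of the four checks is worth escalating; a hit on the task plus either drop folder matches the full chain described above, and the task action and shortcut target tell you which script is the current stage-one entry point.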

DLL Side-Loading and the Xctdoor Backdoor

DLL Side-Loading places a malicious DLL in the same folder as a trusted application. Because Windows resolves a DLL name by searching the application's own directory before the system directories (unless the DLL is on the KnownDLLs list), the real program loads the harmful file without knowing.

In this case, Xctdoor rides into a trusted process without triggering obvious security alerts. Once active, it connects to an external C2 server, handing the threat actor live access within the victim’s environment.
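The check below is an added example, not code from the ASEC report. It generalises the side-loading pattern in the article: for every running process it flags any loaded DLL whose file name also exists in System32 but which was loaded from the executable's own directory rather than from System32, and it pulls the Authenticode status of that DLL. It assumes, which the article does not state, that the genuine ProximityUxHost.exe and ProximityCommon.dll live in C:\Windows\System32, and that it runs elevated so other users' process module lists are readable.

```powershell
# Added example (not from the ASEC report): generic DLL side-loading hunt.
# Assumption of this example: the legitimate ProximityUxHost.exe and
# ProximityCommon.dll live in System32; any copy loaded from elsewhere is suspect.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sysDllNames = @{}
Get-ChildItem -Path $sys32 -Filter *.dll -File | ForEach-Object { $sysDllNames[$_.Name.ToLower()] = $true }

function Test-SideLoad {
    param([System.Diagnostics.Process]$Process)
    if (-not $Process.Path) { return }              # System, Idle and protected processes expose no path
    $procDir = Split-Path -Parent $Process.Path
    if ($procDir -ieq $sys32) { return }            # exe already in System32: nothing to shadow
    try { $modules = $Process.Modules } catch { return }   # access denied or 32/64-bit mismatch
    foreach ($m in $modules) {
        $name   = $m.ModuleName.ToLower()
        $modDir = Split-Path -Parent $m.FileName
        # Side-loading signature: a System32 DLL name, but loaded from the exe's own folder.
        if ($sysDllNames.ContainsKey($name) -and ($modDir -ieq $procDir)) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process   = $Process.ProcessName
                PID       = $Process.Id
                ExePath   = $Process.Path
                Dll       = $m.FileName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
                # True only for the exact pairing the article describes.
                Known     = ($Process.ProcessName -ieq 'ProximityUxHost' -and $name -eq 'proximitycommon.dll')
            }
        }
    }
}

$hits = Get-Process | ForEach-Object { Test-SideLoad -Process $_ }
# Expect some noise: installers commonly ship their own vcruntime/msvcp copies beside the exe.
# Sort the article's known pairing and anything without a valid signature to the top.
$hits | Sort-Object -Property @{Expression = 'Known'; Descending = $true},
                              @{Expression = { $_.Signature -ne 'Valid' }; Descending = $true} |
    Format-Table -AutoSize
```

The DLL-next-to-the-executable condition is what separates side-loading from the many legitimate processes that load system DLL names from WinSxS or SysWOW64, which this check deliberately ignores; the signature column is the fastest way to triage what remains, since a DLL named like a Windows component but unsigned or signed by a non-Microsoft subject is almost never benign.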

Part of the Xctdoor code (Source – ASEC)

This multi-stage attack is difficult to detect because it combines multiple disguise layers, including fake documents, task names that mimic real services, and scheduled scripts that blend into normal activity.

Security teams must regularly check the Task Scheduler for suspicious entries, especially anything named to look like a known business service. Export the task definition first (for example with schtasks /Query /TN Office365 /XML) so the action and trigger are preserved for investigation, then remove the task right away.

ASEC advises users to always verify the actual file extension and origin of documents from unknown sources before opening. Bear in mind that Windows Explorer never displays the .lnk extension, so a shortcut named resume.pdf.lnk is shown simply as resume.pdf; checking the file type in the Properties dialog, or listing the folder from a shell, reveals the real extension.

Known malicious files should be removed from the C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365 path if discovered during a system check. Staying current with threat intelligence updates is key to catching related indicators quickly.

Indicators of Compromise (IoCs):

Type            | Indicator                                                                  | Description
----------------|----------------------------------------------------------------------------|------------------------------------------------------------------------
File Name       | Malicious LNK file (resume-themed)                                         | Initial infection vector disguised as a resume document
File Name       | .bat files (random names)                                                  | Batch scripts dropped in C:\Users\Public\Videos\
File Name       | .ps1 files (random names)                                                  | PowerShell scripts dropped in C:\Users\Public\Videos\ and C:\Users\Public\Pictures\
File Name       | .vbs files (random names)                                                  | VBScript files dropped in C:\Users\Public\Videos\
File Name       | p2.ps1                                                                     | PowerShell script responsible for decryption and DLL setup
File Name       | ProximityUxHost.exe                                                        | Legitimate executable abused via DLL Side-Loading
File Name       | ProximityCommon.dll                                                        | Malicious DLL loaded via Side-Loading technique
File Name       | settings.dat                                                               | Xctdoor family backdoor injected into legitimate process
File Name       | Microsoft.Bing.lnk                                                         | Shortcut file created in startup programs path
Registry / Task | Office365 (Task Scheduler name)                                            | Scheduled task registered for persistence, runs VBScript every 10 minutes
File Path       | C:\Users\Public\Videos\                                                    | Drop location for initial script files
File Path       | C:\Users\Public\Pictures\p2.ps1                                            | Location of decoded second-stage PowerShell script
File Path       | C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365             | Path where malicious components may reside

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Hackers Abuse PowerShell, VBScript, and BAT Files to Deliver Xctdoor Backdoor appeared first on Cyber Security News.

Source: cybersecuritynews.com
