VYPR · Breach
Published Jun 18, 2026 · 1 source

Hackers Abuse PowerShell, VBScript, and BAT Files to Deliver Xctdoor Backdoor via Fake Resumes

Attackers are distributing malicious LNK files disguised as resumes to deliver the Xctdoor backdoor, using PowerShell, VBScript, and BAT files in a multi-stage infection chain.

A new wave of cyberattacks is targeting corporate employees through files that look exactly like legitimate job documents. Hackers are distributing malicious LNK files disguised as resumes, and the moment a victim opens one, the infection quietly begins. The attack is sophisticated enough to fool cautious users, since the file shows a believable resume while running harmful scripts silently in the background.

What makes this campaign especially dangerous is how it abuses everyday Windows scripting tools. The attackers use PowerShell, VBScript, and BAT files working together to plant and activate a backdoor known as Xctdoor. This malware gives attackers ongoing access to a compromised machine while staying under the radar of standard security defenses. Researchers at ASEC, the security intelligence division of AhnLab, identified and analyzed this attack chain in detail.

According to an ASEC report, the threat uses a layered execution approach that creates multiple script files with random names in a public system directory, making it harder for defenders to spot. ASEC noted this infection flow is more difficult to detect than a straightforward malware execution because it blends disguised elements with legitimate system behavior.

The attack is particularly effective against departments that regularly open external documents, such as recruitment, sales, and customer support teams. Since resumes are a routine part of daily workflows, the risk of a user opening the malicious file without suspicion is very real. Security teams in organizations that handle high document volumes face a genuine challenge catching this threat early.

When a victim runs the malicious LNK file, a chain reaction begins in the background immediately. The file drops batch files (.bat), PowerShell scripts (.ps1), and VBScript files (.vbs) with randomly generated names into the C:\Users\Public\Videos\ directory. These scripts register a Task Scheduler entry named "Office365" that runs a VBScript file every ten minutes, keeping the malware continuously active. The PowerShell script downloads additional files from an external server using the curl command. Some files are Base64-encoded and, once decoded, are saved as additional PowerShell scripts in the C:\Users\Public\Pictures\ path.

A follow-up script named p2.ps1 creates a startup shortcut and decrypts the downloaded files to produce an executable, a DLL file, and supporting data files. The legitimate program ProximityUxHost.exe is then launched, and through DLL Side-Loading, the malicious ProximityCommon.dll loads alongside it. This technique allows attackers to run harmful code while making everything appear normal to the system. Analysis confirmed that settings.dat, a backdoor from the Xctdoor family, is injected into the legitimate process once the DLL loads.

DLL Side-Loading places a malicious DLL in the same folder as a trusted application, so the trusted program loads the harmful file in place of the library it expects, with no indication that anything is wrong. In this case, Xctdoor rides into a trusted process without triggering obvious security alerts. Once active, it connects to an external C2 server, handing the threat actor live access within the victim's environment.

This multi-stage attack is difficult to detect because it combines multiple disguise layers, including fake documents, task names that mimic real services, and scheduled scripts that blend into normal activity. Security teams must regularly check the Task Scheduler for suspicious entries, especially anything named to look like a known business service, and remove them right away. ASEC advises users to always verify the actual file extension and origin of documents from unknown sources before opening. Known malicious files should be removed from the C:\Users\Public\AppData path if discovered during a system check.
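A hunting script for the artifacts described above, added here as an example and not taken from the article or the ASEC report: it lists scheduled tasks that run a script interpreter against anything under C:\Users\Public (flagging a ten-minute repeat), script files dropped into Public\Videos or Public\Pictures, and any ProximityUxHost.exe process that has loaded ProximityCommon.dll from outside System32. It assumes the legitimate ProximityCommon.dll lives under %SystemRoot%\System32 and that it runs with administrator rights so that all tasks and process modules are visible.

```powershell
# Added hunting example for the Xctdoor chain described above; not the article's or ASEC's code.
# Assumptions: run as administrator; the legitimate ProximityCommon.dll lives under System32.
$publicRoot = 'C:\Users\Public'
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks that launch a script interpreter against a file under C:\Users\Public.
#    The campaign's task was named "Office365" and repeated every ten minutes; the path is the
#    stronger signal, since a mimicked task name can change between samples.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $usesInterpreter = $cmd -match '(?i)\b(wscript|cscript|powershell|pwsh|cmd)(\.exe)?\b'
        $touchesPublic   = $cmd -match [regex]::Escape($publicRoot)
        $repeats10m      = [bool]($task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT10M' })
        if ($usesInterpreter -and $touchesPublic) {
            $note = if ($repeats10m) { ' (repeats every 10 min)' } else { '' }
            Add-Finding 'ScheduledTask' $task.TaskName ($cmd + $note)
        }
    }
}

# 2. Script files dropped into Public\Videos (stage 1) or Public\Pictures (decoded stage 2).
$dropDirs = @("$publicRoot\Videos", "$publicRoot\Pictures")
Get-ChildItem -Path $dropDirs -Include *.bat, *.ps1, *.vbs -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'DroppedScript' $_.Name $_.FullName }

# 3. DLL side-loading: ProximityUxHost.exe with ProximityCommon.dll loaded from outside System32.
$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($proc in Get-Process -Name ProximityUxHost -ErrorAction SilentlyContinue) {
    try {
        $proc.Modules |
            Where-Object { $_.ModuleName -ieq 'ProximityCommon.dll' -and $_.FileName -notlike "$system32\*" } |
            ForEach-Object { Add-Finding 'SideLoadedDll' "PID $($proc.Id)" $_.FileName }
    } catch {
        # Module enumeration can fail for protected or mismatched-bitness processes; record it rather than skip silently.
        Add-Finding 'Error' "PID $($proc.Id)" "could not enumerate modules: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) { 'No Xctdoor-chain indicators found.' } else { $findings | Format-Table -AutoSize }
```

A hit in any category is a lead for triage, not proof of compromise: random script names mean the file checks rely on location alone, so confirm against the task's trigger and the DLL's signature before removing anything.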

Synthesized by Vypr AI