Hello and welcome to the Thursday, March 5th, 2026 edition of the Sands Internet Storm Centers, Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in

Purple Team Operations. Well, Xavier today is asking, do you want more X-Worm? Because that's the sample

that Xavier is looking at today, including the infection chain that actually gets you to the actual X-Worm sample.

Ex-Worm remains one of the favorite payloads deployed by the miscreants out there,

starts in this case with a simple fishing email that has, well, yet again, a seven-sip attachment.

That unsips then to JavaScript, and we have seen this now

for so many years, this sort of compressed JavaScript thing, not sure why filters or so

don't really catch on to this yet. Then it becomes PowerShell, and then it actually injects itself into the Dotnet

compiler. That's sort of where it loads the DLL until it loads the actual X-Worm payload.

So somewhat convoluted, the infection chain here, Xavier walks you through the reverse analysis

of this particular sample,

how to get from the JavaScript, which actually Xavier just executes in the sandbox,

all the way to the X-form payload.

And another problem that has been haunting us for years now is malicious search engine optimization, where attackers are either outright

buying ads in search engines or they are placing content around the internet that in all

points to malicious content if a particular user is searching for a popular term. Well, this is now

happening also with some of the AI search engines.

Many search engines, Google, Bing, Yahoo, they all now have these AI search engines,

and you probably have all seen them where you search for something. And at the top of the page,

you'll get sort of that little AI blurb trying to summarize

...