Heavily obfuscated batch file loads XWorm hosted on GitHub

In a nutshell:

• Low detection rate on VirusTotal (7/61)

• Abuses UTF-16 Byte Order Marker to confuse text editors (0xFFFE)

• Uses an open-source Batch obfuscator with multi-staged symbol mapping to build strings during execution

• Uses cacls.exe to verify whether the process is running with admin privileges

• Drops a VBS script to prompt a UAC dialog to elevate privileges

• Adjusts Windows Defender exclusion paths via PowerShell

• Downloads an instance of XWorm from a GitHub repository into a hidden file and executes it

• Batch → VBS → Batch → GitHub → XWorm