Cybersecurity researchers have charted the evolution of the XWorm malware into a versatile tool for carrying out a wide range of malicious actions on compromised hosts.
"XWorm's modular design is built around a core client and an array of specialized components called plugins," Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. "These plugins are essentially additional payloads designed to carry out specific malicious actions once the core malware is active."
XWorm, first observed in 2022 and linked to a threat actor named EvilCoder, is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It is primarily propagated via phishing emails and bogus sites advertising malicious ScreenConnect installers.
Some of the other tools advertised by the developer include a .NET-based malware builder, a remote access trojan called XBinder, and a program that can bypass User Account Control (UAC) restrictions on Windows systems. More recently, the development of XWorm has been led by an online persona called XCoder.
In a report published last month, Trellix detailed shifting XWorm infection chains that have used Windows shortcut (LNK) files distributed via phishing emails to execute PowerShell commands that drop a harmless TXT file and a deceptive executable masquerading as Discord, which then ultimately launches the malware.

XWorm incorporates various anti-analysis and evasion mechanisms that check for tell-tale signs of a virtualized environment and, if any are found, immediately terminate its execution. The malware's modularity means various commands can be issued from an external server to perform actions like shutting down or restarting the system, downloading files, opening URLs, and initiating DDoS attacks.
"This rapid evolution of XWorm across the threat landscape, and its current prevalence, highlights the critical importance of robust security measures to combat ever-changing threats," the company noted.
XWorm's operations have also witnessed their share of setbacks over the past year, the most significant being XCoder's decision to abruptly delete their Telegram account in the second half of 2024, leaving the future of the tool in limbo. Since then, however, threat actors have been observed distributing a cracked version of XWorm 5.6 that contained malware to infect the other threat actors who ended up downloading it.
This included attempts by an unknown threat actor to trick script kiddies into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos, compromising over 18,459 devices globally.
This has been complemented by attackers distributing modified versions of XWorm – one of which is a Chinese variant codenamed XSPY – as well as the discovery of a remote code execution (RCE) vulnerability in the malware that allows attackers who hold the command-and-control (C2) encryption key to execute arbitrary code.

While the apparent abandonment of XWorm by XCoder raised the possibility that the project was "closed for good," Trellix said it observed a threat actor named XCoderTools offering XWorm 6.0 on cybercrime forums on June 4, 2025, for $500 for lifetime access, describing it as a "fully re-coded" version with a fix for the aforementioned RCE flaw. It is currently not known whether the latest version is the work of the same developer or of someone else capitalizing on the malware's reputation.
Campaigns distributing XWorm 6.0 in the wild have used malicious JavaScript files in phishing emails that, when opened, display a decoy PDF document while, in the background, PowerShell code is executed to inject the malware into a legitimate Windows process such as RegSvcs.exe without raising any attention.
XWorm V6.0 is designed to connect to its C2 server at 94.159.113[.]64 on port 4411 and supports a command called "plugin" to run more than 35 DLL payloads in the infected host's memory and carry out various tasks.
"When the C2 server sends the command 'plugin,' it includes the SHA-256 hash of the plugin DLL file and the arguments for its invocation," Trellix explained. "The client then uses the hash to check if the plugin has been previously received. If the key is not found, the client sends a 'sendplugin' command to the C2 server, along with the hash."
"The C2 server then responds with the command 'savePlugin' along with a base64 encoded string containing the plugin and SHA-256 hash. Upon receiving and decoding the plugin, the client loads the plugin into memory."
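To make the plugin handshake above concrete, here is an added Python example; it is neither Trellix's code nor anything taken from XWorm. It models the three messages as already-decrypted field lists (the report does not describe the wire separator or the encryption, so both are assumed to have been stripped by an earlier decryption step), simulates the client's hash-keyed cache check, and carves delivered plugins out of a session while verifying the advertised SHA-256. That is the check an analyst would run to recover plugin payloads from a decrypted capture and to notice a delivery whose body does not match its hash. All payload bytes and session content are constructed for the example.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# A decrypted C2 session is modelled as a list of (direction, fields) records.
# direction is "c2->client" or "client->c2"; fields is the command name followed
# by its arguments, already split (the real separator is an assumption here).
Message = Tuple[str, List[str]]

# Constructed stand-in for a plugin body; not a real DLL.
CONSTRUCTED_PLUGIN = b"MZ" + b"\x00" * 30 + b"constructed stand-in, not a real DLL"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def client_reply(cache: Dict[str, bytes], fields: List[str]) -> Optional[List[str]]:
    """Model the client's reaction to a 'plugin' command: if the advertised hash
    is already in its cache nothing is requested, otherwise it asks for the
    plugin with 'sendplugin' plus the hash."""
    if fields[0] != "plugin":
        return None
    digest = fields[1]
    return None if digest in cache else ["sendplugin", digest]


def build_session(plugin_blob: bytes, args: str, tamper: bool = False) -> List[Message]:
    """Construct the three-step exchange described in the report for a client
    that does not yet hold the plugin. With tamper=True the savePlugin body is
    altered so it no longer matches the advertised hash."""
    digest = sha256_hex(plugin_blob)
    body = plugin_blob + b"X" if tamper else plugin_blob
    return [
        ("c2->client", ["plugin", digest, args]),
        ("client->c2", ["sendplugin", digest]),
        ("c2->client", ["savePlugin", base64.b64encode(body).decode(), digest]),
    ]


def carve_plugins(session: List[Message]) -> Tuple[Dict[str, bytes], List[str]]:
    """Walk a decrypted session, pair each plugin request with its savePlugin
    delivery, verify the SHA-256 and return ({hash: bytes}, findings)."""
    delivered: Dict[str, bytes] = {}
    findings: List[str] = []
    requested = set()  # hashes the C2 told the client to run
    pending = set()    # hashes the client asked to be sent
    for direction, fields in session:
        cmd = fields[0]
        if cmd == "plugin" and direction == "c2->client":
            requested.add(fields[1])
            findings.append(f"plugin requested {fields[1][:12]}... args={fields[2]!r}")
        elif cmd == "sendplugin" and direction == "client->c2":
            if fields[1] not in requested:
                findings.append("sendplugin for a hash the C2 never requested")
            pending.add(fields[1])
        elif cmd == "savePlugin" and direction == "c2->client":
            blob = base64.b64decode(fields[1])
            advertised = fields[2]
            if advertised not in pending:
                findings.append("savePlugin without a preceding sendplugin")
            actual = sha256_hex(blob)
            if actual != advertised:
                # The body does not match what the C2 announced: do not trust it.
                findings.append(f"hash mismatch: advertised {advertised[:12]}... got {actual[:12]}...")
                continue
            delivered[advertised] = blob
            pending.discard(advertised)
    return delivered, findings


if __name__ == "__main__":
    plugins, notes = carve_plugins(build_session(CONSTRUCTED_PLUGIN, "example-args"))
    for digest, blob in plugins.items():
        print(f"recovered plugin sha256={digest} size={len(blob)}")
    for note in notes:
        print("finding:", note)
```

Because the client keys its cache on the hash alone, a second `plugin` command for a hash it already holds produces no `sendplugin`, so a capture of a long-lived infection may show `plugin` commands with no matching delivery; the deliveries have to be carved from the session in which the plugin was first fetched.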

Some of the supported plugins in XWorm 6.x (6.0, 6.4, and 6.5) are listed below –
- RemoteDesktop.dll, to create a remote session for interacting with the victim's machine.
- WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, and SystemCheck.Merged.dll, to steal the victim's data, such as Windows product keys, Wi-Fi passwords, and saved credentials from web browsers (bypassing Chrome's app-bound encryption) and other applications like FileZilla, Discord, Telegram, and MetaMask.
- FileManager.dll, to give the operator filesystem access and manipulation capabilities.
- Shell.dll, to execute system commands sent by the operator in a hidden cmd.exe process.
- Informations.dll, to gather system information about the victim's machine.
- Webcam.dll, to record the victim and to verify that an infected machine is real.
- TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll, to send a list of active TCP connections, active windows, and startup programs, respectively, to the C2 server.
- Ransomware.dll, to encrypt and decrypt files and extort users for a cryptocurrency ransom (shares code overlaps with NoCry ransomware).
- Rootkit.dll, to install a modified r77 rootkit.
- ResetSurvival.dll, to survive a system reset through Windows Registry modifications.
XWorm 6.0 infections, in addition to dropping custom tools, have also served as a conduit for other malware families such as DarkCloud Stealer, Hworm (VBS-based RAT), Snake KeyLogger, Coin Miner, Pure Malware, ShadowSniff Stealer (open-source Rust stealer), Phantom Stealer, Phemedrone Stealer, and Remcos RAT.
"Further investigation of the DLL file revealed several XWorm V6.0 Builders on VirusTotal that are themselves infected with XWorm malware, suggesting that an XWorm RAT operator has been compromised by XWorm malware!" Trellix said.
"The sudden return of XWorm V6, armed with a versatile array of plugins for everything from keylogging and credential theft to ransomware, serves as a stark reminder that no malware threat is ever truly gone."