Cyber Web Spider Blog – News

XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities

Posted on October 7, 2025 By CWS

Cybersecurity researchers have charted the evolution of XWorm malware, which has turned it into a flexible tool for supporting a variety of malicious actions on compromised hosts.
“XWorm’s modular design is built around a core client and an array of specialized components known as plugins,” Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. “These plugins are essentially additional payloads designed to carry out specific malicious actions once the core malware is active.”
XWorm, first observed in 2022 and linked to a threat actor named EvilCoder, is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It is primarily propagated via phishing emails and bogus websites advertising malicious ScreenConnect installers.
Some of the other tools marketed by the developer include a .NET-based malware builder, a remote access trojan called XBinder, and a program that can bypass User Account Control (UAC) restrictions on Windows systems. In recent years, the development of XWorm has been led by an online persona known as XCoder.
In a report published last month, Trellix detailed shifting XWorm infection chains that have used Windows shortcut (LNK) files distributed via phishing emails to execute PowerShell commands that drop a harmless TXT file and a deceptive executable masquerading as Discord, which then ultimately launches the malware.

XWorm incorporates various anti-analysis and anti-evasion mechanisms to check for tell-tale signs of a virtualized environment and, if one is found, immediately stop its execution. The malware’s modularity means various commands can be issued from an external server to perform actions like shutting down or restarting the system, downloading files, opening URLs, and initiating DDoS attacks.
“This rapid evolution of XWorm within the threat landscape, and its current prevalence, highlights the critical importance of robust security measures to combat ever-changing threats,” the company noted.
XWorm’s operations have also witnessed their share of setbacks over the past year, the most important being XCoder’s decision to abruptly delete their Telegram account in the second half of 2024, leaving the future of the tool in limbo. Since then, however, threat actors have been observed distributing a cracked version of XWorm version 5.6 that contained malware to infect other threat actors who might end up downloading it.

This included attempts made by an unknown threat actor to trick script kiddies into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos to compromise over 18,459 devices globally.
This has been complemented by attackers distributing modified versions of XWorm – one of which is a Chinese variant codenamed XSPY – as well as the discovery of a remote code execution (RCE) vulnerability in the malware that allows attackers with the command-and-control (C2) encryption key to execute arbitrary code.

While the apparent abandonment of XWorm by XCoder raised the possibility that the project was “closed for good,” Trellix said it observed a threat actor named XCoderTools offering XWorm 6.0 on cybercrime forums on June 4, 2025, for $500 for lifetime access, describing it as a “fully re-coded” version with a fix for the aforementioned RCE flaw. It is currently not known whether the latest version is the work of the same developer or of someone else capitalizing on the malware’s reputation.
Campaigns distributing XWorm 6.0 in the wild have used malicious JavaScript files in phishing emails that, when opened, display a decoy PDF document while, in the background, PowerShell code is executed to inject the malware into a legitimate Windows process like RegSvcs.exe without raising any attention.
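The delivery chain just described (a JavaScript attachment run by a Windows script host, which spawns PowerShell, which in turn launches a legitimate binary such as RegSvcs.exe as the injection target) is something process-creation telemetry can catch on the parent/child relationship alone. The following is an added detection example written for this article, not code from Trellix or from the XWorm project; the JSON log format, its field names and the sample records are constructed for the example and do not correspond to any particular EDR product.

```python
"""Added example: flag the script-host -> PowerShell -> RegSvcs.exe process
chain used to deliver XWorm 6.0, using constructed process-creation logs."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Windows script hosts that run a .js attachment when the user opens it.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# RegSvcs.exe is the injection target named in the article; other signed
# .NET utilities abused the same way can be added here.
INJECTION_TARGETS = {"regsvcs.exe"}
# Lower-cased PowerShell switches (and their accepted abbreviations) that hide
# the console window, skip the profile, or pass an encoded script.
SUSPICIOUS_PS_FLAGS = {"-w", "-win", "-windowstyle", "-e", "-ec", "-enc",
                       "-encodedcommand", "-nop", "-noprofile"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, lower-cased
    cmdline: str


def parse_events(lines: list[str]) -> list[ProcEvent]:
    """Parse one JSON process-creation record per line (constructed format)."""
    events = []
    for line in lines:
        rec = json.loads(line)
        basename = rec["image"].rsplit("\\", 1)[-1].lower()
        events.append(ProcEvent(int(rec["pid"]), int(rec["ppid"]), basename, rec["cmdline"]))
    return events


def powershell_severity(cmdline: str) -> str:
    """'high' when PowerShell was started with hidden-window or encoded-command
    style switches, otherwise 'medium'."""
    tokens = [t.lower() for t in cmdline.split()][1:]
    return "high" if any(t in SUSPICIOUS_PS_FLAGS for t in tokens) else "medium"


def find_chains(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per script-host -> PowerShell -> injection-target chain.
    Matching walks the parent and grandparent, so a RegSvcs.exe started by an
    installer or build tool is not flagged."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        if child.image not in INJECTION_TARGETS:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image not in POWERSHELL:
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or grandparent.image not in SCRIPT_HOSTS:
            continue
        findings.append({
            "chain": (grandparent.pid, parent.pid, child.pid),
            "script": grandparent.cmdline,
            "severity": powershell_severity(parent.cmdline),
        })
    return findings


# Constructed sample telemetry: one matching chain and one benign RegSvcs launch.
SAMPLE_LOG = [
    '{"pid": 4100, "ppid": 1200, "image": "C:\\\\Windows\\\\explorer.exe", "cmdline": "explorer.exe"}',
    '{"pid": 4312, "ppid": 4100, "image": "C:\\\\Windows\\\\System32\\\\wscript.exe", "cmdline": "wscript.exe C:\\\\Users\\\\user\\\\Downloads\\\\invoice.js"}',
    '{"pid": 4320, "ppid": 4312, "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "cmdline": "powershell.exe -w hidden -nop -enc QQBCAEMA"}',
    '{"pid": 4331, "ppid": 4320, "image": "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegSvcs.exe", "cmdline": "RegSvcs.exe"}',
    '{"pid": 5002, "ppid": 1200, "image": "C:\\\\Setup\\\\installer.exe", "cmdline": "installer.exe /quiet"}',
    '{"pid": 5010, "ppid": 5002, "image": "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegSvcs.exe", "cmdline": "RegSvcs.exe Component.dll"}',
]


def run_sample() -> list[dict]:
    return find_chains(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The chain match is deliberately narrow (three specific image names in parent order) so it produces few false positives; a real deployment would widen `INJECTION_TARGETS` to the other signed .NET utilities commonly hollowed and feed the finding into a case rather than just printing it.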
XWorm V6.0 is designed to connect to its C2 server at 94.159.113[.]64 on port 4411 and supports a command called “plugin” to run more than 35 DLL payloads in the infected host’s memory and carry out various tasks.
“When the C2 server sends the command ‘plugin,’ it includes the SHA-256 hash of the plugin DLL file and the arguments for its invocation,” Trellix explained. “The client then uses the hash to check if the plugin has been previously received. If the key is not found, the client sends a ‘sendplugin’ command to the C2 server, along with the hash.”
“The C2 server then responds with the command ‘savePlugin’ along with a base64 encoded string containing the plugin and SHA-256 hash. Upon receiving and decoding the plugin, the client loads the plugin into memory.”
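Because plugins are loaded straight into memory, the decrypted C2 stream is the place an analyst can recover them and their hashes. The block below is an added example for this article, not Trellix’s tooling or anything from XWorm itself: it reconstructs the three-step exchange (plugin, sendplugin, savePlugin) from a list of already-decrypted messages, verifies the SHA-256 the server claims against the base64 blob it ships, and distinguishes plugins fetched over the wire from ones the client already had cached. The `|` field delimiter, the field order and the placeholder plugin bytes are constructed assumptions; the article only names the commands and says the savePlugin reply carries a base64 string plus the hash.

```python
"""Added example: parse and verify the XWorm 6.0 plugin exchange from a
stream of decrypted C2 messages (message framing is an assumption)."""
from __future__ import annotations

import base64
import hashlib


def parse_message(msg: str) -> dict:
    """Split one decrypted C2 message into command and fields.
    Assumed framing: command|field|field..."""
    parts = msg.split("|")
    cmd = parts[0]
    if cmd == "plugin":          # server: run plugin <hash> with <args>
        return {"cmd": cmd, "sha256": parts[1].lower(), "args": parts[2:]}
    if cmd == "sendplugin":      # client: hash not cached, requests the DLL
        return {"cmd": cmd, "sha256": parts[1].lower()}
    if cmd == "savePlugin":      # server: base64 DLL plus its SHA-256
        return {"cmd": cmd, "sha256": parts[1].lower(), "blob_b64": parts[2]}
    return {"cmd": cmd, "fields": parts[1:]}


def verify_saveplugin(parsed: dict) -> dict:
    """Decode the blob, recompute SHA-256 and compare with the claimed hash.
    Also notes whether the blob starts with the 'MZ' PE magic, as an
    in-memory DLL plugin should."""
    blob = base64.b64decode(parsed["blob_b64"], validate=True)
    actual = hashlib.sha256(blob).hexdigest()
    return {
        "claimed": parsed["sha256"],
        "actual": actual,
        "match": actual == parsed["sha256"],
        "size": len(blob),
        "looks_like_pe": blob[:2] == b"MZ",
    }


def reconstruct_exchanges(messages: list[str]) -> dict:
    """Group messages by plugin hash and record the steps seen for each.
    A hash with only 'plugin' steps was served from the client's cache; one
    with a 'savePlugin' step was transferred this session and can be carved
    from the capture and verified."""
    state: dict[str, dict] = {}
    for raw in messages:
        p = parse_message(raw)
        if "sha256" not in p:
            continue
        entry = state.setdefault(p["sha256"], {"steps": [], "transferred": False, "hash_ok": None})
        entry["steps"].append(p["cmd"])
        if p["cmd"] == "savePlugin":
            v = verify_saveplugin(p)
            entry["transferred"] = True
            entry["hash_ok"] = v["match"]
            entry["size"] = v["size"]
            entry["looks_like_pe"] = v["looks_like_pe"]
    return state


def ioc_hashes(state: dict) -> list[str]:
    """Every plugin hash the server referenced, whether or not the blob was
    transferred this session; all of them belong on a blocklist."""
    return sorted(state)


def build_sample_stream() -> tuple[list[str], str, str]:
    """Constructed message stream: one full fetch of a placeholder (non-PE,
    non-functional beyond the 'MZ' magic) blob, one cached-plugin invocation,
    and one savePlugin whose claimed hash does not match its blob.
    Returns (messages, good_hash, bad_hash)."""
    fake_plugin = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real DLL"
    good_hash = hashlib.sha256(fake_plugin).hexdigest()
    cached_hash = "a" * 64     # stands in for a plugin received in an earlier session
    bad_hash = "b" * 64        # claimed hash that does not match the blob
    blob_b64 = base64.b64encode(fake_plugin).decode()
    messages = [
        f"plugin|{good_hash}|arg1",
        f"sendplugin|{good_hash}",
        f"savePlugin|{good_hash}|{blob_b64}",
        f"plugin|{cached_hash}|",
        f"savePlugin|{bad_hash}|{blob_b64}",
    ]
    return messages, good_hash, bad_hash


if __name__ == "__main__":
    msgs, _, _ = build_sample_stream()
    for h, entry in reconstruct_exchanges(msgs).items():
        print(h[:12], entry)
```

A hash mismatch in a savePlugin reply is itself worth recording: the operator, a man-in-the-middle, or a trojanized builder of the kind the article describes later could all produce one, and a cached-only hash tells the analyst to look for the plugin in earlier sessions or in memory rather than in the current capture.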

Some of the supported plugins in XWorm 6.x (6.0, 6.4, and 6.5) are listed below –

  • RemoteDesktop.dll, to create a remote session to interact with the victim’s machine.
  • WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, and SystemCheck.Merged.dll, to steal the victim’s data, such as Windows product keys, Wi-Fi passwords, and saved credentials from web browsers (bypassing Chrome’s app-bound encryption) and other applications like FileZilla, Discord, Telegram, and MetaMask.
  • FileManager.dll, to provide filesystem access and manipulation capabilities to the operator.
  • Shell.dll, to execute system commands sent by the operator in a hidden cmd.exe process.
  • Informations.dll, to gather system information about the victim’s machine.
  • Webcam.dll, to record the victim and to verify whether an infected machine is real.
  • TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll, to send a list of active TCP connections, active windows, and startup programs, respectively, to the C2 server.
  • Ransomware.dll, to encrypt and decrypt files and extort users for a cryptocurrency ransom (shares code overlaps with NoCry ransomware).
  • Rootkit.dll, to install a modified r77 rootkit.
  • ResetSurvival.dll, to survive device reset via Windows Registry modifications.

XWorm 6.0 infections, besides dropping custom tools, have also served as a conduit for other malware families such as DarkCloud Stealer, Hworm (VBS-based RAT), Snake KeyLogger, Coin Miner, Pure Malware, ShadowSniff Stealer (open-source Rust stealer), Phantom Stealer, Phemedrone Stealer, and Remcos RAT.
“Further investigation of the DLL file revealed several XWorm V6.0 Builders on VirusTotal that are themselves infected with XWorm malware, suggesting that an XWorm RAT operator has been compromised by XWorm malware!,” Trellix said.
“The sudden return of XWorm V6, armed with a versatile array of plugins for everything from keylogging and credential theft to ransomware, serves as a powerful reminder that no malware threat is ever truly gone.”
