XWorm Uses Plugins to Expand Its Reach

 

Cybersecurity researchers have charted the evolution of XWorm malware, which has grown into a versatile tool that supports a wide range of malicious actions on compromised hosts.

“XWorm’s modular design is built around a core client and an array of specialized components known as plugins,” Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. “These plugins are essentially additional payloads designed to carry out specific harmful actions once the core malware is active.”

XWorm Malware

XWorm, which first appeared in 2022 and which security teams have linked to a threat actor named EvilCoder, functions as a Swiss Army knife of malware: it can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. Threat actors primarily propagate it via phishing emails and bogus sites that advertise malicious ScreenConnect installers.

Some of the other tools the developer advertises include a .NET-based malware builder, a remote access trojan called XBinder, and a program that can bypass User Account Control (UAC) restrictions on Windows systems. In recent years, an online persona called XCoder has led XWorm’s development.

In a report published last month, Trellix detailed shifting XWorm infection chains that used Windows shortcut (LNK) files sent in phishing emails to execute PowerShell commands. These commands drop a harmless TXT file and a deceptive executable that masquerades as Discord, and then the executable ultimately launches the malware.

XWorm also incorporates various anti-analysis and evasion mechanisms that check for telltale signs of a virtualized environment; if the malware detects such an environment, it immediately stops executing. Because of its modularity, attackers can issue various commands from an external server to perform actions like shutting down or restarting the system, downloading files, opening URLs, and initiating DDoS attacks.

“This rapid evolution of XWorm within the threat landscape, and its current prevalence, highlights the critical importance of robust security measures to combat ever-changing threats,” the company noted.

Its operations

XWorm’s operations also suffered setbacks over the past year; most notably, XCoder deleted their Telegram account abruptly in the second half of 2024, which left the tool’s future in limbo. However, since that deletion, observers have seen threat actors distribute a cracked version of XWorm version 5.6 that contained malware intended to infect other threat actors who downloaded it.

For example, an unknown threat actor attempted to trick script kiddies into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos, and in doing so sought to compromise more than 18,459 devices globally.

Attackers also distributed modified versions of XWorm — including a Chinese variant codenamed XSPY — and researchers discovered a remote code execution (RCE) vulnerability in the malware that allows anyone possessing the command-and-control (C2) encryption key to execute arbitrary code.

XWorm 6.0

While the apparent abandonment of XWorm by XCoder initially suggested that the project was “closed for good,” Trellix later spotted a threat actor named XCoderTools offering XWorm 6.0 on cybercrime forums on June 4, 2025, for $500 in lifetime access. The seller described it as a “fully re-coded” version that includes a fix for the previously mentioned RCE flaw. However, it remains unclear whether the latest version comes from the same developer or from someone else exploiting the malware’s notorious reputation.

Soon after, campaigns distributing XWorm 6.0 in the wild began using malicious JavaScript files attached to phishing emails. When victims opened these files, the scripts displayed a decoy PDF document while secretly executing PowerShell code in the background. That code injected the malware into a legitimate Windows process like RegSvcs.exe, allowing it to operate unnoticed.

XWorm V6.0 connects to its C2 server at 94.159.113[.]64 on port 4411 and supports a command called “plugin,” which runs more than 35 DLL payloads directly in the infected host’s memory to perform a wide range of tasks.
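The two observable traits described above (a PowerShell stage that ends in RegSvcs.exe, and beaconing to 94.159.113[.]64:4411) are the kind of thing a detection engineer would want to match in endpoint and network telemetry. The following Python triage helper is an added example, not code from the article or from Trellix. It runs over a constructed, Sysmon-like log (the line format and every event in it are invented for this example) and assumes that the malicious JavaScript attachments run through Windows Script Host, so the flagged process chain is wscript.exe/cscript.exe → powershell.exe → RegSvcs.exe; the C2 address and port are the ones the article publishes.

```python
import re

C2_IP = "94.159.113[.]64"                      # defanged, as published in the article
C2_PORT = 4411
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: JS attachments run via Windows Script Host
INJECTION_TARGET = "regsvcs.exe"               # injection target named in the article

# Constructed events, not real telemetry. One event per line:
#   PROC ts=<hh:mm:ss> pid=<n> ppid=<n> image=<path>
#   NET  ts=<hh:mm:ss> pid=<n> dst=<ip>:<port>
SAMPLE_LOG = """\
PROC ts=09:00:01 pid=4000 ppid=1200 image=C:\\Windows\\System32\\wscript.exe
PROC ts=09:00:02 pid=4010 ppid=4000 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
PROC ts=09:00:03 pid=4020 ppid=4010 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe
NET  ts=09:00:05 pid=4020 dst=94.159.113.64:4411
PROC ts=09:05:00 pid=5000 ppid=1200 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
PROC ts=09:05:01 pid=5010 ppid=5000 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe
NET  ts=09:05:03 pid=5010 dst=40.77.226.250:443
NET  ts=09:06:00 pid=6000 dst=94.159.113.64:4411
"""

EVENT_RE = re.compile(r"^(?P<kind>PROC|NET)\s+ts=(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+(?P<rest>.*)$")


def refang(ioc: str) -> str:
    """Turn the defanged '[.]' notation used in reports back into a matchable address."""
    return ioc.replace("[.]", ".")


def parse_events(text: str) -> list[dict]:
    """Parse the constructed log format into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = {"kind": m["kind"], "ts": m["ts"], "pid": int(m["pid"])}
        if ev["kind"] == "PROC":
            p = re.match(r"ppid=(\d+)\s+image=(.+)$", m["rest"])
            ev["ppid"], ev["image"] = int(p[1]), p[2]
        else:
            n = re.match(r"dst=([\d.]+):(\d+)$", m["rest"])
            ev["dst_ip"], ev["dst_port"] = n[1], int(n[2])
        events.append(ev)
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def injection_chains(events: list[dict]) -> list[tuple[int, int, int]]:
    """Return (script_host_pid, powershell_pid, regsvcs_pid) for every full chain seen.
    A RegSvcs.exe whose parent is powershell.exe but whose grandparent is not a
    script host is deliberately not flagged, to keep the rule specific."""
    procs = {e["pid"]: e for e in events if e["kind"] == "PROC"}
    hits = []
    for e in procs.values():
        if basename(e["image"]) != INJECTION_TARGET:
            continue
        parent = procs.get(e["ppid"])
        if not parent or basename(parent["image"]) != "powershell.exe":
            continue
        grand = procs.get(parent["ppid"])
        if grand and basename(grand["image"]) in SCRIPT_HOSTS:
            hits.append((grand["pid"], parent["pid"], e["pid"]))
    return hits


def c2_connections(events: list[dict]) -> list[int]:
    """PIDs with an outbound connection to the published C2 address and port."""
    ip = refang(C2_IP)
    return [e["pid"] for e in events
            if e["kind"] == "NET" and e["dst_ip"] == ip and e["dst_port"] == C2_PORT]


def triage(text: str) -> dict:
    events = parse_events(text)
    return {"injection_chains": injection_chains(events), "c2_pids": c2_connections(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The process-chain rule and the network rule are kept separate on purpose: a hit on both for the same PID (4020 in the sample) is a high-confidence match, while a lone connection to the C2 address (PID 6000, with no process context) is still worth an alert because the IP and port are published indicators.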

“When the C2 server sends the command ‘plugin,’ it includes the SHA-256 hash of the plugin DLL file and the arguments for its invocation,” Trellix explained. “The client then uses the hash to check if the plugin has been previously received. If the key is not found, the client sends a ‘sendplugin’ command to the C2 server, along with the hash.”

“The C2 server then responds with the command ‘savePlugin’ along with a base64 encoded string containing the plugin and SHA-256 hash. Upon receiving and decoding the plugin, the client loads the plugin into the memory.”
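The exchange Trellix describes binds each plugin to its SHA-256 hash, which is also the value an analyst would pivot on (for example to search VirusTotal, which the article mentions later). The following Python helper is an added example, not code from the article or from Trellix: given a captured "savePlugin" message, it decodes the base64 payload, recomputes the SHA-256, checks it against the hash the server claimed, and reports whether the blob begins with the "MZ" header expected of a DLL. The article does not give the wire format, so the field delimiter and field order are assumptions, and the sample payload is a constructed 64-byte stand-in, not a real plugin.

```python
import base64
import hashlib

SEP = "<SPLIT>"   # assumption: field delimiter; the article does not describe the wire format


def build_sample_message() -> str:
    """Constructed stand-in for a captured 'savePlugin' message: an 'MZ' header
    followed by zero bytes. Not a real plugin, not a valid PE file beyond the magic."""
    fake_plugin = b"MZ" + b"\x00" * 62
    blob_b64 = base64.b64encode(fake_plugin).decode()
    digest = hashlib.sha256(fake_plugin).hexdigest()
    return SEP.join(["savePlugin", blob_b64, digest])


def extract_plugin(message: str) -> dict:
    """Decode a captured savePlugin message and verify the hash binding.
    Raises ValueError for anything that is not a three-field savePlugin message."""
    parts = message.split(SEP)
    if len(parts) != 3 or parts[0] != "savePlugin":
        raise ValueError("not a savePlugin message")
    _, blob_b64, claimed = parts
    blob = base64.b64decode(blob_b64, validate=True)   # strict: reject junk characters
    actual = hashlib.sha256(blob).hexdigest()
    return {
        "sha256": actual,                        # value to pivot on in threat-intel lookups
        "hash_matches": actual == claimed.lower(),
        "looks_like_pe": blob[:2] == b"MZ",
        "size": len(blob),
        "payload": blob,                         # hand this to a sandbox, never load it
    }


def tamper(message: str) -> str:
    """Helper for the test below: corrupt the claimed hash so the binding check fails."""
    head, blob_b64, claimed = message.split(SEP)
    return SEP.join([head, blob_b64, "0" * len(claimed)])


if __name__ == "__main__":
    report = extract_plugin(build_sample_message())
    print({k: v for k, v in report.items() if k != "payload"})
```

A mismatch between the recomputed and claimed hash on a real capture usually means a truncated or altered capture rather than a deliberate change by the operator, but in either case the recomputed value is the one to record, since it is what the client would have used as the cache key.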

Conclusion

Trellix listed several plugins supported by XWorm 6.x (versions 6.0, 6.4, and 6.5):

  • RemoteDesktop.dll – creates a remote session to let operators interact with the victim’s machine.
  • WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, and SystemCheck.Merged.dll – steal data such as Windows product keys, Wi-Fi passwords, and stored credentials from browsers (bypassing Chrome’s app-bound encryption) and applications like FileZilla, Discord, Telegram, and MetaMask.
  • FileManager.dll – provides full file system access and manipulation capabilities.
  • Shell.dll – executes system commands sent by the operator in a hidden cmd.exe process.
  • Informations.dll – collects detailed system information about the victim’s machine.
  • Webcam.dll – records victims and verifies whether an infected device belongs to a real person.
  • TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll – transmit lists of active TCP connections, open windows, and startup programs to the C2 server.
  • Ransomware.dll – encrypts and decrypts files to extort victims for cryptocurrency ransom, sharing code overlaps with the NoCry ransomware.
  • Rootkit.dll – installs a modified r77 rootkit.
  • ResetSurvival.dll – ensures persistence by modifying Windows Registry settings to survive device resets.

Beyond deploying its own tools, XWorm 6.0 infections have also delivered other malware families, including DarkCloud Stealer, Hworm (a VBS-based RAT), Snake KeyLogger, Coin Miner, Pure Malware, ShadowSniff Stealer (an open-source Rust stealer), Phantom Stealer, Phemedrone Stealer, and Remcos RAT.

“Further investigation of the DLL file revealed multiple XWorm V6.0 Builders on VirusTotal that are themselves infected with XWorm malware, suggesting that an XWorm RAT operator has been compromised by XWorm malware!” Trellix said.

Ultimately, the unexpected return of XWorm V6 — armed with a vast array of plugins for keylogging, credential theft, ransomware, and more — underscores a critical truth: no malware threat ever truly disappears.

 


Source: TheHackerNews

Read more at Impreza News
