Skip to main content
Mallory
Back to malware
MalwareRansomware

X-Worm

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566PhishingEvidence1
TacticInitial Access

The X-Worm malware is being spread through a phishing email... An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.

T1566.002Spearphishing LinkEvidence1
TacticInitial Access

An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.

Execution

2 techniques
T1059.003Windows Command ShellEvidence1
TacticExecution

This .lnk file was used to download and run a malicious batch script (output4.bat).

T1197BITS JobsEvidence1
TacticsExecutionPersistenceStealth

The .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.

Persistence

2 techniques
T1197BITS JobsEvidence1
TacticsExecutionPersistenceStealth

The .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.

T1547.009Shortcut ModificationEvidence1
TacticsPersistencePrivilege Escalation

The downloaded .zip file contained a shortcut file (.lnk). This .lnk file was used to download and run a malicious batch script (output4.bat).

Privilege Escalation

1 technique
T1547.009Shortcut ModificationEvidence1
TacticsPersistencePrivilege Escalation

The downloaded .zip file contained a shortcut file (.lnk). This .lnk file was used to download and run a malicious batch script (output4.bat).

Stealth

3 techniques
T1027Obfuscated Files or InformationEvidence1
TacticStealth

The svchost.com file... was part of the XWorm malware family, protected by .NET Reactor. The malware's code was heavily obfuscated... MD5 hashing, AES encryption in ECB mode, and Base64 decoding to decrypt strings.

T1036MasqueradingEvidence1
TacticStealth

...download a harmful payload, disguised as svchost.com, into the %temp% folder.

T1197BITS JobsEvidence1
TacticsExecutionPersistenceStealth

The .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.

Collection

1 technique
T1560Archive Collected DataEvidence1
TacticCollection

The downloaded .zip file contained a shortcut file (.lnk).

Command and Control

1 technique
T1071Application Layer ProtocolEvidence1
TacticCommand and Control

The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
help net securityNews
Jun 3, 2026
Malware campaign targeting Minecraft users infects over 116,000 systems - Help Net Security

Referenced as a malware-as-a-service malware family used as a pricing comparison against WeedHack.

Read more
mcafee labsNews
Jun 2, 2026
Game Over: WeedHack - The Rise of Minecraft Malware-as-a-Service Campaigns | McAfee Blog

Referenced as another commercially available malware offering, noted for lifetime subscription pricing.

Read more
contagiodump blogNews
Sep 19, 2024
contagio: 2024-09-19 X-WORM RAT (Phishing) Samples

X-Worm is a malware family with capabilities ranging from remote access trojan functionality to ransomware. In this campaign it was delivered via a phishing email containing a shortened link that led to a ZIP archive with an LNK file, which downloaded and executed a batch script that used bitsadmin to fetch the final payload disguised as svchost.com. The analyzed sample was identified as XWorm version 5.6 and included configuration data such as a C2 host, port, Telegram token, and chat ID.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping9

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.