Multiple Ransomware and Malware Campaigns Resurface with Enhanced Capabilities
Several distinct malware and ransomware campaigns have resurfaced with new variants and advanced features, targeting organizations globally. The XWorm remote access trojan (RAT) has re-emerged in its version 6.0, now featuring a modular architecture that includes a ransomware plugin and advanced evasion techniques. This new version of XWorm is designed to bypass security defenses more effectively, increasing the risk of successful intrusions and data encryption. Meanwhile, the WARMCOOKIE malware has also returned after a previous takedown, now equipped with stealth handlers and utilizing expired command-and-control (C2) certificates to evade detection. The use of expired certificates is a novel tactic that complicates network monitoring and threat hunting efforts. In a separate development, the Russian-speaking Lunar Spider cybercriminal group has launched a new wave of ransomware attacks, leveraging the Latrodectus V2 loader to deliver their payloads. This loader is known for its sophisticated delivery mechanisms and ability to bypass traditional security controls. The Lunar Spider group’s campaign demonstrates a continued evolution in ransomware delivery, with a focus on maximizing infection rates and minimizing detection. Concurrently, ransomware groups Qilin and Gunra have been actively targeting South Korean organizations, with Qilin listing nine asset management firms and an engineering services company as victims, and Gunra compromising a gas manufacturing and supply company. These attacks highlight a trend of ransomware operators focusing on critical infrastructure and financial sectors in South Korea. The resurgence of these malware and ransomware families underscores the persistent threat posed by cybercriminal groups who continuously adapt their tools and techniques. Security researchers have observed that the modularity and stealth features in these new variants make them more challenging to detect and remediate. Organizations are advised to update their threat intelligence feeds and enhance monitoring for indicators of compromise associated with XWorm, WARMCOOKIE, and Latrodectus. The use of expired C2 certificates and advanced evasion tactics signals a shift in attacker methodologies, requiring defenders to adapt their detection strategies. The targeting of multiple sectors, including finance, engineering, and energy, demonstrates the broad scope of current ransomware campaigns. Incident response teams should be prepared for multi-stage attacks that leverage loaders like Latrodectus to deploy ransomware. The ongoing activity from groups such as Lunar Spider, Qilin, and Gunra indicates a high level of coordination and resourcefulness among threat actors. The rapid re-emergence of previously disrupted malware families suggests that takedown efforts may only provide temporary relief. Security teams should prioritize patching, network segmentation, and user awareness training to mitigate the risk of infection. Collaboration with threat intelligence providers can offer early warning of emerging threats and support proactive defense measures. The evolving landscape of ransomware and malware campaigns requires continuous vigilance and adaptation by defenders.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
XWorm V6.0 returns with ransomware plugin and advanced evasion
Researchers reported the re-emergence of XWorm in a new 6.0 version featuring a modular RAT design, a ransomware plugin, and enhanced evasion capabilities. The update signals a notable evolution in the malware's functionality.
WARMCOOKIE resurfaces with stealth handlers and expired C2 certificates
A new report said WARMCOOKIE reappeared after an earlier takedown, with a new variant adding stealth handlers and using expired command-and-control certificates. This represents a renewed malware operation with updated evasion features.
AhnLab documents ransomware and dark web activity in early October
AhnLab ASEC published its Week 1 October 2025 roundup covering ransomware and dark web developments. The reference indicates ongoing threat activity being tracked during the first week of October.
Lunar Spider launches new ransomware wave with Latrodectus V2
Researchers reported a new ransomware campaign attributed to the Russian-speaking Lunar Spider group using the Latrodectus V2 loader, marking a fresh wave of activity. The reporting indicates a new operational phase for the threat actor and malware delivery chain.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
XWorm V6.0 Resurfaces: Modular RAT Returns with Ransomware Plugin and Advanced Evasion
securityonline.info
Open sourceWARMCOOKIE Resurfaces After Takedown: New Variant Adds Stealth Handlers, Uses Expired C2 Certificates
securityonline.info
Open sourceRussian-Speaking Lunar Spider Group Launches New Ransomware Wave with Latrodectus V2 Loader
securityonline.info
Open sourceRansom & Dark Web Issues Week 1, October 2025
asec.ahnlab.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
XWorm 6.0 Malware Resurgence with Enhanced Plugins and Ransomware Capabilities
XWorm, a modular remote access trojan (RAT) first observed in 2022, has re-emerged in the threat landscape with significant enhancements in its latest versions, including 6.0, 6.4, and 6.5. The malware, originally developed by an individual known as XCoder, has evolved into a highly versatile tool capable of supporting a wide array of malicious activities on compromised Windows hosts. After XCoder abandoned the project and deleted their Telegram accounts, multiple threat actors began distributing cracked versions of XWorm, leading to a surge in its adoption and deployment. The new variants now support over 35 specialized plugins, enabling functionalities such as data theft from browsers and applications, keylogging, screen capture, clipboard monitoring, and even ransomware operations that can encrypt or decrypt files. XWorm’s modular design allows operators to issue commands from external servers, including downloading files, opening URLs, shutting down or restarting systems, and launching distributed denial-of-service (DDoS) attacks. The malware is primarily propagated through phishing emails and malicious websites, often using deceptive installers for legitimate software like ScreenConnect or Discord. Infection chains have been observed leveraging Windows shortcut (LNK) files and malicious JavaScript to execute PowerShell commands, sometimes bypassing Antimalware Scan Interface protections. The last version developed by XCoder, 5.6, contained a remote code execution vulnerability, which has been addressed in the newer releases. XWorm’s anti-analysis and anti-evasion mechanisms allow it to detect virtualized environments and cease execution to avoid detection. The malware’s popularity is underscored by campaigns that have resulted in tens of thousands of infections, with significant activity noted in countries such as Russia, the United States, India, Ukraine, and Turkey. Some threat actors have even used XWorm as a lure to target less-skilled cybercriminals, embedding backdoors to steal data from those attempting to use the malware. Security researchers, particularly from Trellix, have documented a marked increase in XWorm samples on platforms like VirusTotal since June, indicating widespread adoption among cybercriminals. The rapid evolution and prevalence of XWorm highlight the critical need for robust security measures, user awareness, and advanced detection capabilities to mitigate the risks posed by this adaptable malware. Organizations are advised to monitor for phishing campaigns, scrutinize suspicious attachments and downloads, and ensure endpoint protection solutions are updated to detect the latest XWorm variants. The ongoing development and distribution of XWorm by multiple actors suggest that it will remain a persistent threat in the cybercrime ecosystem.
Mar 21, 2026
Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals
A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise. Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.
Mar 21, 2026
Ransomware Groups Innovate with Supply Chain Attacks and Credential Harvesting
Ransomware operators are increasingly leveraging supply chain attacks and credential harvesting to expand their reach and maximize profits. Notable groups such as Qilin, Akira, Sinobi, INC Ransom, and Play have been identified as leading actors, with the Clop group repeatedly exploiting zero-day vulnerabilities in widely used software, including managed file transfer solutions and Oracle E-Business Suite, to compromise multiple organizations simultaneously. The volume of ransomware victims listed on data leak sites surged by one-third from September to October, according to Cyble, highlighting the persistent threat posed by these actors. Despite a decrease in total ransom payments from $1.25 billion in 2023 to $814 million in 2024, ransomware groups are actively innovating to reverse this trend, including launching new affiliate programs and refining their attack techniques. However, some operations have suffered from sloppy coding, occasionally resulting in unrecoverable data. The continued evolution of ransomware tactics underscores the need for organizations to strengthen defenses against both direct and supply chain threats, as well as to monitor for credential harvesting activities that may precede future attacks.
Mar 21, 2026