XWorm 6.0 Malware Resurgence with Enhanced Plugins and Ransomware Capabilities
XWorm, a modular remote access trojan (RAT) first observed in 2022, has re-emerged in the threat landscape with significant enhancements in its latest versions, including 6.0, 6.4, and 6.5. The malware, originally developed by an individual known as XCoder, has evolved into a highly versatile tool capable of supporting a wide array of malicious activities on compromised Windows hosts. After XCoder abandoned the project and deleted their Telegram accounts, multiple threat actors began distributing cracked versions of XWorm, leading to a surge in its adoption and deployment. The new variants now support over 35 specialized plugins, enabling functionality such as data theft from browsers and applications, keylogging, screen capture, clipboard monitoring, and even ransomware operations that can encrypt or decrypt files. XWorm’s modular design allows operators to issue commands from external servers, including downloading files, opening URLs, shutting down or restarting systems, and launching distributed denial-of-service (DDoS) attacks. The malware is primarily propagated through phishing emails and malicious websites, often using deceptive installers for legitimate software like ScreenConnect or Discord. Infection chains have been observed leveraging Windows shortcut (LNK) files and malicious JavaScript to execute PowerShell commands, sometimes bypassing Antimalware Scan Interface (AMSI) protections. The last version developed by XCoder, 5.6, contained a remote code execution vulnerability, which has been addressed in the newer releases. XWorm’s anti-analysis and evasion mechanisms allow it to detect virtualized environments and cease execution to avoid detection. The malware’s popularity is underscored by campaigns that have resulted in tens of thousands of infections, with significant activity noted in countries such as Russia, the United States, India, Ukraine, and Turkey.
Some threat actors have even used XWorm as a lure to target less-skilled cybercriminals, embedding backdoors to steal data from those attempting to use the malware. Security researchers, particularly from Trellix, have documented a marked increase in XWorm samples on platforms like VirusTotal since June, indicating widespread adoption among cybercriminals. The rapid evolution and prevalence of XWorm highlight the critical need for robust security measures, user awareness, and advanced detection capabilities to mitigate the risks posed by this adaptable malware. Organizations are advised to monitor for phishing campaigns, scrutinize suspicious attachments and downloads, and ensure endpoint protection solutions are updated to detect the latest XWorm variants. The ongoing development and distribution of XWorm by multiple actors suggest that it will remain a persistent threat in the cybercrime ecosystem.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Trellix publishes findings on resurfaced XWorm activity
Trellix publicly reported that XWorm had resurfaced with enhanced capabilities, broader plugin support, and ransomware functionality. The report also recommended layered defenses such as EDR and email, web, and network controls to block delivery and command-and-control activity.
Researchers identify code overlap between XWorm ransomware module and NoCry
Trellix identified code similarities between XWorm's ransomware plugin and the NoCry ransomware family. This technical finding linked the new encryption capability to previously known ransomware code patterns.
Updated XWorm variants add 35+ plugins and ransomware module
Analysis showed the resurfaced XWorm ecosystem supports more than 35 plugins for data theft, remote control, and other post-compromise actions. It also includes a ransomware component, Ransomware.dll, with configurable ransom notes and file-encryption behavior focused on user data.
Phishing campaigns distribute updated XWorm with new delivery chains
Researchers found newer XWorm versions being spread through phishing, using infection chains beyond traditional email attachments. Observed methods included JavaScript-to-PowerShell delivery that can bypass AMSI, as well as .LNK files and masquerading executables.
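Added example (not from the Trellix report or this page): a small triage script over constructed, Sysmon-style process-creation events that flags the two delivery patterns described above, powershell.exe started by a Windows script host (the JavaScript-to-PowerShell chain) and a hidden or encoded powershell.exe launched directly from explorer.exe, which is what an LNK double-click typically looks like. Field names, paths and sample values are assumptions, and the encoded payload is a placeholder.

```python
import json

# Constructed process-creation events in JSON-lines form. Field names are
# Sysmon-like but invented for this example; "<BASE64_PLACEHOLDER>" stands in
# for whatever the real encoded command would be.
SAMPLE_LOG = r"""
{"pid": 412, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "wscript.exe C:\\Users\\a\\Downloads\\invoice.js"}
{"pid": 418, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"}
{"pid": 520, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -WindowStyle Hidden -Command <omitted>"}
{"pid": 601, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell.exe Get-Process"}
"""

# Script hosts that a JavaScript or HTA lure runs under before it reaches PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line switches that are common in lure-launched PowerShell and rare in admin use.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_suspicious_flag(cmdline: str) -> bool:
    # Collapse whitespace so "-w   hidden" still matches "-w hidden".
    normalised = " ".join(cmdline.lower().split())
    return any(flag in normalised for flag in SUSPICIOUS_FLAGS)


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list) -> list:
    """Return (pid, reason) for every powershell.exe start matching a lure pattern."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "powershell.exe":
            continue
        parent = basename(ev["parent_image"])
        if parent in SCRIPT_HOSTS:
            findings.append((ev["pid"], f"powershell spawned by script host {parent}"))
        elif parent == "explorer.exe" and has_suspicious_flag(ev["cmdline"]):
            findings.append((ev["pid"], "hidden/encoded powershell launched from explorer (LNK-style)"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_log(SAMPLE_LOG)):
        print(pid, reason)
```

The rule is deliberately narrow: it keys on parent-child relationships and launch switches rather than on any payload content, so it keeps working when the encoded command changes between samples.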
Threat actors begin using XWorm 6.0, 6.4, and 6.5 variants
Multiple threat actors adopted newer XWorm variants, including versions 6.0, 6.4, and 6.5, after the original project was abandoned. These versions expanded the malware's capabilities and were no longer tied to a single developer.
XWorm 5.6 released with an RCE flaw
The last version attributed to XCoder, XWorm 5.6, reportedly contained a remote code execution vulnerability. Later variants addressed this flaw while continuing the malware's development outside the original author's control.
XCoder abandons XWorm project and deletes Telegram accounts
The original XWorm developer, known as XCoder, stopped maintaining the malware and removed their Telegram accounts. This marked the end of the original development line before newer variants emerged under other actors.
VirusTotal submissions for XWorm increase from June
Researchers observed a rise in XWorm sample submissions to VirusTotal beginning in June, indicating renewed activity and broader circulation. The increase supported assessments that the malware had resurfaced in active campaigns.