XWorm 6.0 Malware Resurgence with Enhanced Plugins and Ransomware Capabilities
XWorm, a modular remote access trojan (RAT) first observed in 2022, has re-emerged in the threat landscape with significant enhancements in its latest versions, including 6.0, 6.4, and 6.5. The malware, originally developed by an individual known as XCoder, has evolved into a highly versatile tool capable of supporting a wide array of malicious activities on compromised Windows hosts. After XCoder abandoned the project and deleted their Telegram accounts, multiple threat actors began distributing cracked versions of XWorm, leading to a surge in its adoption and deployment. The new variants now support over 35 specialized plugins, enabling functionalities such as data theft from browsers and applications, keylogging, screen capture, clipboard monitoring, and even ransomware operations that can encrypt or decrypt files. XWorm’s modular design allows operators to issue commands from external servers, including downloading files, opening URLs, shutting down or restarting systems, and launching distributed denial-of-service (DDoS) attacks. The malware is primarily propagated through phishing emails and malicious websites, often using deceptive installers for legitimate software like ScreenConnect or Discord. Infection chains have been observed leveraging Windows shortcut (LNK) files and malicious JavaScript to execute PowerShell commands, sometimes bypassing Antimalware Scan Interface protections. The last version developed by XCoder, 5.6, contained a remote code execution vulnerability, which has been addressed in the newer releases. XWorm’s anti-analysis and anti-evasion mechanisms allow it to detect virtualized environments and cease execution to avoid detection. The malware’s popularity is underscored by campaigns that have resulted in tens of thousands of infections, with significant activity noted in countries such as Russia, the United States, India, Ukraine, and Turkey. Some threat actors have even used XWorm as a lure to target less-skilled cybercriminals, embedding backdoors to steal data from those attempting to use the malware. Security researchers, particularly from Trellix, have documented a marked increase in XWorm samples on platforms like VirusTotal since June, indicating widespread adoption among cybercriminals. The rapid evolution and prevalence of XWorm highlight the critical need for robust security measures, user awareness, and advanced detection capabilities to mitigate the risks posed by this adaptable malware. Organizations are advised to monitor for phishing campaigns, scrutinize suspicious attachments and downloads, and ensure endpoint protection solutions are updated to detect the latest XWorm variants. The ongoing development and distribution of XWorm by multiple actors suggest that it will remain a persistent threat in the cybercrime ecosystem.
Sources
Related Stories
Multiple Ransomware and Malware Campaigns Resurface with Enhanced Capabilities
Several distinct malware and ransomware campaigns have resurfaced with new variants and advanced features, targeting organizations globally. The XWorm remote access trojan (RAT) has re-emerged in its version 6.0, now featuring a modular architecture that includes a ransomware plugin and advanced evasion techniques. This new version of XWorm is designed to bypass security defenses more effectively, increasing the risk of successful intrusions and data encryption. Meanwhile, the WARMCOOKIE malware has also returned after a previous takedown, now equipped with stealth handlers and utilizing expired command-and-control (C2) certificates to evade detection. The use of expired certificates is a novel tactic that complicates network monitoring and threat hunting efforts. In a separate development, the Russian-speaking Lunar Spider cybercriminal group has launched a new wave of ransomware attacks, leveraging the Latrodectus V2 loader to deliver their payloads. This loader is known for its sophisticated delivery mechanisms and ability to bypass traditional security controls. The Lunar Spider group’s campaign demonstrates a continued evolution in ransomware delivery, with a focus on maximizing infection rates and minimizing detection. Concurrently, ransomware groups Qilin and Gunra have been actively targeting South Korean organizations, with Qilin listing nine asset management firms and an engineering services company as victims, and Gunra compromising a gas manufacturing and supply company. These attacks highlight a trend of ransomware operators focusing on critical infrastructure and financial sectors in South Korea. The resurgence of these malware and ransomware families underscores the persistent threat posed by cybercriminal groups who continuously adapt their tools and techniques. Security researchers have observed that the modularity and stealth features in these new variants make them more challenging to detect and remediate. Organizations are advised to update their threat intelligence feeds and enhance monitoring for indicators of compromise associated with XWorm, WARMCOOKIE, and Latrodectus. The use of expired C2 certificates and advanced evasion tactics signals a shift in attacker methodologies, requiring defenders to adapt their detection strategies. The targeting of multiple sectors, including finance, engineering, and energy, demonstrates the broad scope of current ransomware campaigns. Incident response teams should be prepared for multi-stage attacks that leverage loaders like Latrodectus to deploy ransomware. The ongoing activity from groups such as Lunar Spider, Qilin, and Gunra indicates a high level of coordination and resourcefulness among threat actors. The rapid re-emergence of previously disrupted malware families suggests that takedown efforts may only provide temporary relief. Security teams should prioritize patching, network segmentation, and user awareness training to mitigate the risk of infection. Collaboration with threat intelligence providers can offer early warning of emerging threats and support proactive defense measures. The evolving landscape of ransomware and malware campaigns requires continuous vigilance and adaptation by defenders.
5 months ago
Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
1 weeks ago
Recent Malware Campaigns Targeting Windows Users via Social Engineering and Fake Installers
Multiple malware campaigns have recently targeted Windows users through a variety of social engineering tactics and deceptive file distribution methods. In Korea, attackers leveraged popular webhard file-sharing services to distribute the xRAT (QuasarRAT) remote access trojan disguised as adult games. Victims were enticed to download compressed files that appeared to be legitimate games, but actually contained sophisticated malware components designed to evade detection and establish persistence on compromised systems. Meanwhile, a separate campaign in Brazil saw the Astaroth banking trojan propagate via WhatsApp, where a worm-like component harvested contact lists and automatically sent malicious ZIP files to spread the infection further. This campaign combined Python-based propagation with traditional credential-stealing modules focused on financial fraud. Other notable campaigns included the use of fake WinRAR installers distributed through Chinese websites, which employed multi-stage payloads to select and deploy the most effective malware for each victim. Additionally, phishing attacks impersonating DocuSign lured users into downloading stealthy malware through access code-protected web pages, using obfuscated PowerShell commands and in-memory payload decryption to bypass security controls. These incidents highlight the increasing sophistication of malware delivery mechanisms, the use of trusted brands and platforms for social engineering, and the global reach of threat actors targeting Windows environments through both email and messaging applications.
2 months ago