XWorm campaigns used AMSI bypasses and linked malware delivery to carding operations
Researchers detailed two XWorm delivery operations that relied on multi-stage loaders, in-memory execution, and AMSI bypasses to evade detection. In one campaign attributed to TAG-124, compromised legitimate websites redirected selected victims into a PowerShell chain that patched clr.dll to disable AmsiScanBuffer, suppressed PowerShell history, disabled ETW, fingerprinted hosts, and pulled an XOR-encrypted payload from sellmeyourbiz[.]com, ultimately delivering XWorm RAT. Breakglass reported low initial detection rates and observed victim-specific beaconing under /customers/, with encoded host details including hostname, domain, username, process ID, campaign ID, and hardware UUID.
A separate three-stage intrusion used a VBScript lure, Projet20Immobilier.vbs, masquerading as a French real-estate document to deploy XWorm V5.6 through a .NET loader and process injection into InstallUtil.exe. Breakglass assessed the operator was likely Brazilian based on Portuguese-language code artifacts and found the same infrastructure also hosted a Portuguese carding marketplace, Iluminat Store infosCC, suggesting a vertically integrated criminal pipeline that steals credentials and payment data with XWorm and monetizes them directly through fraud services. The malware infrastructure included servers on DigitalOcean and Contabo, and the sample used the default XWorm encryption key <123456789>, exposing weak operator OPSEC despite capabilities that included keylogging, screenshot capture, DNS hijacking, persistence, and ransomware plugin support.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Breakglass links XWorm V5.6 delivery to Brazilian operator and carding shop
Breakglass analyzed a separate three-stage XWorm V5.6 infection chain using a VBScript lure, a .NET loader, and process injection into InstallUtil.exe, and assessed the operator was likely Brazilian based on Portuguese-language artifacts. The report also linked the malware infrastructure to a Portuguese-language carding marketplace, suggesting a vertically integrated cybercrime pipeline for stealing and monetizing credentials and payment data.
KongTuke campaign delivers XWorm RAT via multi-stage PowerShell chain
In March 2026, compromised legitimate websites redirected selected victims into a multi-stage PowerShell infection chain attributed to KongTuke / TAG-124 that ultimately delivered XWorm RAT from sellmeyourbiz[.]com. Breakglass identified Stage 2 as a coordinated AMSI-bypassing CLR patcher plus an obfuscated stager that also disabled ETW, fingerprinted hosts, and fetched an XOR-encrypted payload in memory.
KongTuke infrastructure receives TLS certificate
A Let's Encrypt certificate was issued for sellmeyourbiz[.]com, infrastructure later used in the KongTuke / TAG-124 infection chain. The report says the infrastructure was rapidly weaponized after certificate issuance.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
XWorm V5.6 Meets Carding Shop: Inside a Brazilian Operator's Vertically Integrated Cybercrime Pipeline - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceKongTuke Stage 2 Dissected: From CLR Memory Patching to XWorm RAT Delivery - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
Mar 21, 2026
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
Mar 21, 2026
ResolverRAT, LummaStealer, and Amadey Linked in Multi-Tool Cybercrime Campaign
Researchers tied **ResolverRAT**, **LummaStealer**, and an **Amadey** botnet cluster to an active financially motivated campaign that has operated since at least late 2025 and uses fake browser update lures, staged loaders, and legitimate remote management tools for persistence. One analyzed chain used a Donut-decrypted, triple-protected `.NET` loader to deliver both ResolverRAT and LummaStealer at once, combining persistent remote access with credential and cryptocurrency wallet theft. The malware used layered obfuscation including .NET Reactor, custom transformations, AES-256-CBC, GZip, process hollowing, fragmented WinAPI reconstruction, forged compile timestamps, encrypted resource blobs, and certificate pinning, while operators rotated infrastructure across dozens of IPs, multiple domains, and hosting providers in Russia, the Netherlands, Germany, Poland, and elsewhere. Investigators also identified a fake Microsoft-themed domain, **pat[.]microsoft-telemetry[.]at**, and newly activated infrastructure such as **kampf[.]huehnchenfarm[.]ru** tied to the same ecosystem. A parallel March 2026 investigation linked the **fbf543** Amadey campaign to more than 50 payloads spanning at least 13 malware families, including Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and LummaStealer, with delivery through fake installers and hosting on infrastructure centered on **Omegatech LTD (AS202412)** and related abusive networks. Analysts found that the operators also abused nine legitimate, signed RMM tools from **ConnectWise, DattoRMM, Atera, GoToResolve, and N-able**, configuring them to beacon to attacker-controlled relays rather than compromising the vendors themselves. A separate Go-based loader unpacked LummaStealer with AES, RC4, and QuickLZ before hollowing **AppLaunch.exe**, reinforcing a playbook built around stealthy loaders, infostealer deployment, redundant access channels, and monetization consistent with an initial access broker or ransomware affiliate operation.
May 24, 2026