
Cybersecurity researchers have shed light on the evolution of Xworm malware into a versatile tool that supports a wide range of malicious actions on compromised hosts.
“Xworm’s modular design is built around a set of specialized components known as core clients and plugins,” Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. “These plugins are additional payloads designed to perform certain harmful actions once the core malware is activated.”
Xworm was first observed in 2022 and linked to a threat actor named EvilCoder. It is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It is distributed primarily through phishing emails and fake sites that promote malicious ScreenConnect installers.
Other tools advertised by the developer include .NET-based malware builders, a remote access trojan called Xbinder, and programs that can bypass User Account Control (UAC) restrictions on Windows systems. In recent years, Xworm has been maintained by an online persona called Xcoder.
In a report published last month, Trellix detailed an Xworm infection chain in which Windows Shortcut (LNK) files, distributed via phishing emails and disguised as harmless TXT files, ran a PowerShell command.

Xworm incorporates various anti-analysis and evasion mechanisms that look for subtle signs of a virtualized environment and, if any are found, stop execution immediately. The malware's modularity means that various commands can be issued from external servers to perform actions such as shutting down or restarting the system, downloading files, opening URLs, initiating a DDoS attack, and more.
“This rapid evolution of Xworm within a threat situation and its current prevalence highlights the critical importance of robust security measures to combat ever-changing threats,” the company said.
Xworm’s operations have had their share of setbacks over the past year. Most notably, Xcoder abruptly deleted their Telegram accounts in the second half of 2024, leaving the future of the tool in limbo. Since then, however, threat actors have been observed distributing a cracked version of Xworm 5.6 that itself contains malware, infecting other threat actors who download it.
This included attempts in which unknown threat actors tricked script kiddies into downloading a trojanized version of the Xworm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos, compromising more than 18,459 devices worldwide.
This is complemented by attackers distributing modified versions of Xworm, one of which is a Chinese variant codenamed Xspy. The malware has also been found to contain a remote code execution (RCE) vulnerability that allows attackers in possession of the encryption key to execute arbitrary code.

While Xcoder’s apparent abandonment of Xworm raised the possibility that the project was “permanently closed”, Trellix discovered a threat actor named Xcodertools offering Xworm 6.0 on a cybercrime forum on June 4, 2025, describing it as a “fully recoded” version priced at $500 for lifetime access. It is unclear whether the latest version is the work of the same developer or of someone else leveraging the malware’s reputation.
The campaign distributing Xworm 6.0 in the wild uses malicious JavaScript files attached to phishing emails. When opened, these display a decoy PDF document while PowerShell code runs in the background and injects the malware into legitimate Windows processes such as regsvcs.exe, without drawing attention.
Xworm 6.0 is designed to connect to a C2 server at 94.159.113[.]64 on port 4411 and supports a command called “plugin” to run more than 35 DLL payloads in memory on infected hosts and perform various tasks.
“When the C2 server sends the command ‘plugin’, it contains the SHA-256 hash of the plugin DLL file and the arguments for that call,” Trellix explained. “The client then uses the hash to check if the plugin was previously received. If no key is found, the client sends a ‘sendplugin’ command along with the hash to the C2 server.”
“The C2 server then responds with the command ‘SavePlugin’, along with a Base64-encoded string containing the plugin and SHA-256 hash. Once the plugin is received and decoded, the client loads the plugin into memory.”

Below is a list of some of the supported plugins for Xworm 6.x (6.0, 6.4, and 6.5):
- Remotedesktop.dll, which creates a remote session for interacting with the victim’s machine
- Windowsupdate.dll, stealer.dll, recover.dll, merged.dll, chrom.dll, and systemcheck.merged.dll, which steal victim data such as the Windows product key, Wi-Fi passwords, and credentials stored in web browsers such as Chrome, including data under Chrome’s App-Bound Encryption
- FileManager.dll and shell.dll, which provide file system access and manipulation capabilities and execute system commands sent by the operator inside a hidden cmd.exe process
- Informations.dll, which collects system information about the victim’s machine
- tcpconnections.dll, activewindows.dll, and startupmanager.dll, which record the victim’s activity and check whether the infected machine is a real one
- A ransomware plugin (NoCry ransomware)
- rootkit.dll, which installs a modified r77 rootkit
- reseturvival.dll, which survives device resets via changes to the Windows registry
In addition to dropping custom tools, Xworm 6.0 infections also serve as a conduit for other malware families such as DarkCloud Stealer, Hworm (a VBS-based RAT), Snake Keylogger, Coin Miner, Pure Malware, Shadowsniff Stealer (Open Source Last Steel), Phantom Stealer, Phantrone Stealer, Remcoseer, and others.
“A further investigation of DLL files reveals multiple Xworm V6.0 builders on VirusTotal that are infected with Xworm malware, suggesting that Xworm RAT operators are being damaged by Xworm malware,” Trellix said.
“An unexpected return of Xworm V6, armed with versatile plugins for everything from keylogs and credential theft to ransomware, serves as a powerful reminder that the malware threat is not really gone.”