XWorm 6.0 Malware Resurgence with Enhanced Plugins and Ransomware Capabilities
XWorm, a modular remote access trojan (RAT) first observed in 2022, has re-emerged in the threat landscape with significant enhancements in its latest versions, including 6.0, 6.4, and 6.5. The malware, originally developed by an individual known as XCoder, has evolved into a highly versatile tool capable of supporting a wide array of malicious activities on compromised Windows hosts. After XCoder abandoned the project and deleted their Telegram accounts, multiple threat actors began distributing cracked versions of XWorm, leading to a surge in its adoption and deployment. The new variants now support over 35 specialized plugins, enabling functionalities such as data theft from browsers and applications, keylogging, screen capture, clipboard monitoring, and even ransomware operations that can encrypt or decrypt files. XWorm’s modular design allows operators to issue commands from external servers, including downloading files, opening URLs, shutting down or restarting systems, and launching distributed denial-of-service (DDoS) attacks. The malware is primarily propagated through phishing emails and malicious websites, often using deceptive installers for legitimate software like ScreenConnect or Discord. Infection chains have been observed leveraging Windows shortcut (LNK) files and malicious JavaScript to execute PowerShell commands, sometimes bypassing Antimalware Scan Interface protections. The last version developed by XCoder, 5.6, contained a remote code execution vulnerability, which has been addressed in the newer releases. XWorm’s anti-analysis and anti-evasion mechanisms allow it to detect virtualized environments and cease execution to avoid detection. The malware’s popularity is underscored by campaigns that have resulted in tens of thousands of infections, with significant activity noted in countries such as Russia, the United States, India, Ukraine, and Turkey. Some threat actors have even used XWorm as a lure to target less-skilled cybercriminals, embedding backdoors to steal data from those attempting to use the malware. Security researchers, particularly from Trellix, have documented a marked increase in XWorm samples on platforms like VirusTotal since June, indicating widespread adoption among cybercriminals. The rapid evolution and prevalence of XWorm highlight the critical need for robust security measures, user awareness, and advanced detection capabilities to mitigate the risks posed by this adaptable malware. Organizations are advised to monitor for phishing campaigns, scrutinize suspicious attachments and downloads, and ensure endpoint protection solutions are updated to detect the latest XWorm variants. The ongoing development and distribution of XWorm by multiple actors suggest that it will remain a persistent threat in the cybercrime ecosystem.
Timeline
Oct 6, 2025
Trellix publishes findings on resurfaced XWorm activity
Trellix publicly reported that XWorm had resurfaced with enhanced capabilities, broader plugin support, and ransomware functionality. The report also recommended layered defenses such as EDR and email, web, and network controls to block delivery and command-and-control activity.
Oct 6, 2025
Researchers identify code overlap between XWorm ransomware module and NoCry
Trellix identified code similarities between XWorm's ransomware plugin and the NoCry ransomware family. This technical finding linked the new encryption capability to previously known ransomware code patterns.
Oct 6, 2025
Updated XWorm variants add 35+ plugins and ransomware module
Analysis showed the resurfaced XWorm ecosystem supports more than 35 plugins for data theft, remote control, and other post-compromise actions. It also includes a ransomware component, Ransomware.dll, with configurable ransom notes and file-encryption behavior focused on user data.
Oct 6, 2025
Phishing campaigns distribute updated XWorm with new delivery chains
Researchers found newer XWorm versions being spread through phishing, using infection chains beyond traditional email attachments. Observed methods included JavaScript-to-PowerShell delivery that can bypass AMSI, as well as .LNK files and masquerading executables.
Oct 6, 2025
Threat actors begin using XWorm 6.0, 6.4, and 6.5 variants
Multiple threat actors adopted newer XWorm variants, including versions 6.0, 6.4, and 6.5, after the original project was abandoned. These versions expanded the malware's capabilities and were no longer tied to a single developer.
Oct 6, 2025
XWorm 5.6 released with an RCE flaw
The last version attributed to XCoder, XWorm 5.6, reportedly contained a remote code execution vulnerability. Later variants addressed this flaw while continuing the malware's development outside the original author's control.
Oct 6, 2025
XCoder abandons XWorm project and deletes Telegram accounts
The original XWorm developer, known as XCoder, stopped maintaining the malware and removed their Telegram accounts. This marked the end of the original development line before newer variants emerged under other actors.
Jun 1, 2025
VirusTotal submissions for XWorm increase from June
Researchers observed a rise in XWorm sample submissions to VirusTotal beginning in June, indicating renewed activity and broader circulation. The increase supported assessments that the malware had resurfaced in active campaigns.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Affected Products
Sources
Related Stories
Multiple Ransomware and Malware Campaigns Resurface with Enhanced Capabilities
Several distinct malware and ransomware campaigns have resurfaced with new variants and advanced features, targeting organizations globally. The XWorm remote access trojan (RAT) has re-emerged in its version 6.0, now featuring a modular architecture that includes a ransomware plugin and advanced evasion techniques. This new version of XWorm is designed to bypass security defenses more effectively, increasing the risk of successful intrusions and data encryption. Meanwhile, the WARMCOOKIE malware has also returned after a previous takedown, now equipped with stealth handlers and utilizing expired command-and-control (C2) certificates to evade detection. The use of expired certificates is a novel tactic that complicates network monitoring and threat hunting efforts. In a separate development, the Russian-speaking Lunar Spider cybercriminal group has launched a new wave of ransomware attacks, leveraging the Latrodectus V2 loader to deliver their payloads. This loader is known for its sophisticated delivery mechanisms and ability to bypass traditional security controls. The Lunar Spider group’s campaign demonstrates a continued evolution in ransomware delivery, with a focus on maximizing infection rates and minimizing detection. Concurrently, ransomware groups Qilin and Gunra have been actively targeting South Korean organizations, with Qilin listing nine asset management firms and an engineering services company as victims, and Gunra compromising a gas manufacturing and supply company. These attacks highlight a trend of ransomware operators focusing on critical infrastructure and financial sectors in South Korea. The resurgence of these malware and ransomware families underscores the persistent threat posed by cybercriminal groups who continuously adapt their tools and techniques. Security researchers have observed that the modularity and stealth features in these new variants make them more challenging to detect and remediate. Organizations are advised to update their threat intelligence feeds and enhance monitoring for indicators of compromise associated with XWorm, WARMCOOKIE, and Latrodectus. The use of expired C2 certificates and advanced evasion tactics signals a shift in attacker methodologies, requiring defenders to adapt their detection strategies. The targeting of multiple sectors, including finance, engineering, and energy, demonstrates the broad scope of current ransomware campaigns. Incident response teams should be prepared for multi-stage attacks that leverage loaders like Latrodectus to deploy ransomware. The ongoing activity from groups such as Lunar Spider, Qilin, and Gunra indicates a high level of coordination and resourcefulness among threat actors. The rapid re-emergence of previously disrupted malware families suggests that takedown efforts may only provide temporary relief. Security teams should prioritize patching, network segmentation, and user awareness training to mitigate the risk of infection. Collaboration with threat intelligence providers can offer early warning of emerging threats and support proactive defense measures. The evolving landscape of ransomware and malware campaigns requires continuous vigilance and adaptation by defenders.
1 months ago
Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
1 months ago
XWorm campaigns used AMSI bypasses and linked malware delivery to carding operations
Researchers detailed two XWorm delivery operations that relied on multi-stage loaders, in-memory execution, and **AMSI bypasses** to evade detection. In one campaign attributed to **TAG-124**, compromised legitimate websites redirected selected victims into a PowerShell chain that patched `clr.dll` to disable `AmsiScanBuffer`, suppressed PowerShell history, disabled ETW, fingerprinted hosts, and pulled an XOR-encrypted payload from `sellmeyourbiz[.]com`, ultimately delivering **XWorm RAT**. Breakglass reported low initial detection rates and observed victim-specific beaconing under `/customers/`, with encoded host details including hostname, domain, username, process ID, campaign ID, and hardware UUID. A separate three-stage intrusion used a VBScript lure, `Projet20Immobilier.vbs`, masquerading as a French real-estate document to deploy **XWorm V5.6** through a .NET loader and process injection into `InstallUtil.exe`. Breakglass assessed the operator was likely Brazilian based on Portuguese-language code artifacts and found the same infrastructure also hosted a Portuguese carding marketplace, **Iluminat Store infosCC**, suggesting a vertically integrated criminal pipeline that steals credentials and payment data with XWorm and monetizes them directly through fraud services. The malware infrastructure included servers on DigitalOcean and Contabo, and the sample used the default XWorm encryption key `<123456789>`, exposing weak operator OPSEC despite capabilities that included keylogging, screenshot capture, DNS hijacking, persistence, and ransomware plugin support.
1 weeks ago