
XWorm is a dangerous remote access trojan (RAT) with ransomware capabilities and over 35 plugins. Learn how XWorm works, real-world campaigns, and how Xcitium’s ZeroDwell isolation defends against this evolving threat.
Introduction
XWorm is a versatile malware family first seen in 2022. At its core it is a remote access trojan (RAT) built from a small backdoor and a library of more than 35 plugins. Attackers use it to steal data, log keystrokes, capture webcam and microphone input, launch DDoS attacks, steal cryptocurrency, and deploy ransomware. That modular design made it popular with a wide range of threat actors, and usage spiked again after a major 2025 update. This post reviews XWorm’s evolution, capabilities, notable campaigns, and defensive measures.
XWorm V6: The Unexpected Resurrection of a Notorious RAT
XWorm’s development and distribution have had a turbulent history. The malware was originally sold by a developer known as “XCoder” via underground forums and Telegram channels. Throughout 2022 and 2023, XCoder released multiple versions (v2, v3, up to v5.6), with the RAT gaining a reputation as a highly effective threat due to its capabilities and frequent updates. However, in late 2024 XCoder unexpectedly abandoned the project – deleting their online accounts and leaving XWorm at version 5.6 as the final official release.
This sudden absence led to chaos in the cybercriminal community. Other actors began sharing cracked copies of XWorm 5.6, often bundled with hidden malware that infected the would-be users. To make matters worse, a critical remote code execution (RCE) vulnerability was discovered in XWorm v5.6: anyone who knew a deployment’s command-and-control key could run arbitrary code on a C2 server running that version. Many assumed XWorm’s story was over.
However, XWorm made a dramatic resurgence in mid-2025. On June 4, 2025, a new user “XCoderTools” appeared on hacking forums to announce XWorm RAT V6.0 – advertised as a fully re-coded version with the RCE flaw fixed and numerous enhancements. Access to XWorm V6 was offered for a one-time lifetime subscription of $500. It’s unclear if “XCoderTools” was the original developer returning or a new actor, but the impact was immediate.
Security researchers observed rapid adoption of XWorm V6 in the wild, with a surge of new malware samples appearing on VirusTotal after June 2025. The latest variants (v6.0 through v6.5) have been embraced by multiple threat actors and boast an array of updated plugins supporting data theft, system control, and file encryption. In short, XWorm is back – more potent than before – and actively being deployed in cyber attacks around the world.
How XWorm Malware Works
XWorm employs a sophisticated, multi-stage infection process and an array of stealth techniques to compromise systems. Once it infects a machine, the malware grants attackers extensive control over the device. Here’s an overview of how XWorm typically works:
- Initial Access & Delivery: XWorm spreads via phishing emails with malicious attachments or links, often using business-themed documents like invoices. Early campaigns used PDFs or DOCX with malicious URLs. Recent campaigns use Office macros, .LNK, or .xlam files. These social engineering tricks entice victims to click, starting the infection chain.
- Execution & Stealth Evasion: XWorm executes in multiple stages to evade detection. Malicious scripts or macros launch PowerShell, which disables AMSI and loads the payload. It injects into legitimate processes like RegSvcs.exe for fileless execution. Heavy obfuscation and API misuse hide its activity, making detection by traditional defenses difficult.
- Remote Control & Malicious Capabilities: Once active, XWorm connects to its C2 server for instructions. It can steal passwords, browser data, cryptocurrency keys, and clipboard contents. Keylogging and webcam/microphone access allow real-time surveillance. Plugins enable remote shell, remote desktop, DDoS, and malware deployment. The ransomware module encrypts files and drops “How To Decrypt My Files.html,” sometimes changing the desktop wallpaper.
- Persistence & Defense Evasion: XWorm persists via Registry Run keys, startup items, or scheduled tasks. Version 6 abuses Windows Reset using install.cmd and ResetConfig.xml. It disables security tools, adds Defender exclusions, and may uninstall antivirus services. New admin accounts like “system32” support RDP access. These techniques let XWorm survive reboots and remain hidden until manually removed.
Notable XWorm Malware Campaigns
Business Email Lures (2023)
In March and April 2023, a phishing campaign was observed using business-themed subjects (quotes, invoices, purchase orders) to deliver XWorm. The PDF, DOCX, and RTF attachments contained links to attacker-controlled Blogspot pages, which led to obfuscated scripts that downloaded and executed XWorm versions 2.1 and 3.1. Notably, one sample contained hard-coded Bitcoin addresses and clipboard-hijacking logic that swapped in the attacker’s wallet, and the same wallet address had already appeared in a 2021 Agent Tesla campaign, suggesting a single actor had simply switched malware families.
The campaign also demonstrated XWorm’s evasion techniques: its PowerShell loader removed evidence such as the decoy documents, bypassed AMSI, turned off Microsoft Defender, and injected XWorm into other processes to run covertly. Several organizations were compromised, although email security products such as Trellix Email Security intercepted most of the phishing messages.
Malware for Script Kiddies (2024)
XWorm’s popularity made it an attractive lure for less skilled attackers. In an operation uncovered in 2024, an actor distributed “cracked” XWorm builder tools that were in fact backdoored, targeting whoever ran them. XWorm thus served as bait for its own would-be operators; the operation was linked to 18,459 infections worldwide, with the largest numbers in Russia, the United States, India, Ukraine, and Turkey. Thousands of aspiring XWorm users ended up carrying the trojan themselves, which says as much about XWorm’s popularity as about how opportunistic the cybercrime ecosystem is.
Resurgence with New Techniques (2025)
After XWorm reemerged in mid-2025, several campaigns made use of its upgraded arsenal. In the summer of 2025, a phishing campaign used AI-themed lures and a repurposed legitimate remote administration tool (ScreenConnect) to distribute XWorm.
In September 2025, a campaign showcased a completely fileless delivery chain. The lure, posing as an October tax payment notice, was an Excel add-in file (.xlam) holding an OLE object; the object concealed shellcode that executed a .NET loader assembly, which in turn loaded XWorm directly in memory. No malware file was ever written to disk. XWorm has also been observed spreading through email attachments, cloud-storage download URLs, LNK shortcuts, and legitimate services such as Cloudflare Tunnels.

Technical Analysis Summary — XWorm
1. Modular RAT Architecture
- The core remote access trojan (RAT) client supports more than 35 modular plugins.
- It generates a unique client ID and keeps the list of installed plugins in a registry key.
- Plugins are loaded remotely and cached in the registry for reuse.
- Capabilities include:
  - Data theft
  - Network scanning
  - Surveillance
  - File encryption
- The plugin-based design makes its functionality highly flexible.
2. Multi-Stage Infection & Fileless Execution
- Distribution usually relies on multi-stage dropper chains.
- Scripts use PowerShell to disable AMSI and load the payload.
- Legitimate Windows processes serve as injection targets so that execution stays fileless.
- Payloads are encrypted or encoded to evade signature-based detection.
- Living-off-the-land techniques increase stealth and persistence.
3. Stealth & Defense Evasion
- Heavy code obfuscation
- Disables AMSI and adds Microsoft Defender exclusions
- May delete or tamper with AV services
- Employs sandbox detection and anti-debugging tricks
- Uses a custom encrypted C2 protocol
- Version 6 introduces a new default encryption key
4. Data Theft & Remote Control Features
- Plugins enable theft of:
  - Passwords
  - Cookies
  - Browser credentials
  - System information
- Operators run commands through Shell.dll
- TCPConnections.dll lets operators inspect network activity
- Captures screenshots and activates webcams for spying
- Grants attackers full remote control over the victim machine
5. Built-in Ransomware Module
- The malware carries a full ransomware capability.
- FileManager.dll encrypts files with AES-CBC using a key derived from the device.
- Ransomware.dll triggers mass encryption.
- Drops the ransom note “How To Decrypt My Files.html”
- Changes the desktop wallpaper
- Encryption code is partly borrowed from NoCry ransomware
6. Resilient Persistence Mechanisms
- Adds Registry Run keys and startup entries
- Creates hidden scheduled tasks
- Version 6 abuses the Windows Reset recovery process, planting scripts (install.cmd, ResetConfig.xml) in the recovery folder
- Can reinstall itself even after the user resets Windows
- Layered persistence makes it very difficult to remove completely
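The plugin cache and persistence artifacts listed above are all things you can hunt for on disk and in the registry. The following is an added example, not code from the original post or any Xcitium product: it runs the hunt over a constructed host snapshot (a dictionary standing in for an HKCU\Software export, the Run keys, and a file listing) so it executes offline. The subkey name Xk7Pq2Vn9TmB4ZyL, the user name alice, and the Run-key entries are invented; the entropy threshold and the 1 KiB blob size are tuning assumptions, not documented XWorm constants. The Run-key rule deliberately distinguishes a script interpreter launched from a user-writable directory (dropper style) from an ordinary per-user installer such as OneDrive, which also lives under AppData and would otherwise be a false positive.

```python
"""Hunt for XWorm host artifacts in a constructed host snapshot (added example)."""
import math
import re
from collections import Counter

# Constructed snapshot standing in for what you would export from a live host
# (HKCU\Software subkeys, Run-key entries, a file listing). Not real forensic data.
SNAPSHOT = {
    "hkcu_software": {
        # Ordinary vendor keys holding string values.
        "Microsoft": [("Path", "REG_SZ", b"C:\\Windows")],
        "7-Zip": [("Path", "REG_SZ", b"C:\\Program Files\\7-Zip")],
        # Random-looking subkey holding large binary blobs: the plugin-cache
        # pattern described on the page. The key name is invented for the example.
        "Xk7Pq2Vn9TmB4ZyL": [
            ("Shell", "REG_BINARY", bytes(range(256)) * 40),
            ("TCPConnections", "REG_BINARY", bytes(range(256)) * 32),
        ],
    },
    "run_keys": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "WinUpdate": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\upd.ps1",
    },
    "files": [
        r"C:\Recovery\OEM\ResetConfig.xml",
        r"C:\Recovery\OEM\install.cmd",
        r"C:\Users\alice\Documents\How To Decrypt My Files.html",
        r"C:\Users\alice\Documents\report.docx",
    ],
}

INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|cmd|rundll32|regsvr32|msbuild|regsvcs)(\.exe)?\b",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)",
    re.IGNORECASE,
)
RANSOM_NOTE = "how to decrypt my files.html"
RESET_FILES = {"resetconfig.xml", "install.cmd"}


def shannon_entropy(s: str) -> float:
    """Bits per character; generated IDs score much higher than vendor names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_plugin_cache_keys(software_subkeys, min_blob=1024):
    """Subkeys whose name looks generated and which hold large REG_BINARY values."""
    hits = []
    for name, values in software_subkeys.items():
        random_looking = (
            len(name) >= 12
            and shannon_entropy(name) >= 3.5  # threshold is a tuning assumption
            and any(ch.isdigit() for ch in name)
            and any(ch.isalpha() for ch in name)
        )
        blobs = [v for v, kind, data in values if kind == "REG_BINARY" and len(data) >= min_blob]
        if random_looking and blobs:
            hits.append({"subkey": name, "binary_values": blobs})
    return hits


def classify_run_entries(run_entries):
    """High: interpreter launched from a user-writable path (dropper style).
    Medium: user-writable path only, which legitimate per-user installers also produce."""
    findings = {"high": [], "medium": []}
    for name, cmd in run_entries.items():
        in_user_dir = bool(USER_WRITABLE.search(cmd))
        if in_user_dir and INTERPRETERS.search(cmd):
            findings["high"].append(name)
        elif in_user_dir:
            findings["medium"].append(name)
    return findings


def find_reset_persistence(files):
    """Reset-hook scripts under <drive>\\Recovery\\OEM; both files together is the strong signal."""
    found = {}
    for path in files:
        parts = path.lower().replace("/", "\\").split("\\")
        if len(parts) >= 3 and parts[-3:-1] == ["recovery", "oem"] and parts[-1] in RESET_FILES:
            found[parts[-1]] = path
    return found


def find_ransom_notes(files):
    return [p for p in files if p.lower().replace("/", "\\").rsplit("\\", 1)[-1] == RANSOM_NOTE]


def hunt(snapshot):
    reset = find_reset_persistence(snapshot["files"])
    return {
        "plugin_cache": find_plugin_cache_keys(snapshot["hkcu_software"]),
        "run_keys": classify_run_entries(snapshot["run_keys"]),
        "reset_persistence": reset,
        "reset_both_present": RESET_FILES <= set(reset),
        "ransom_notes": find_ransom_notes(snapshot["files"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SNAPSHOT), indent=2))
```

On a real host you would feed hunt() with a registry export (reg.exe export HKCU\Software) and a file listing of the Recovery and user profile directories; the scoring logic is the same. ResetConfig.xml alone can be a legitimate OEM customization, which is why the function reports the two reset files separately and the caller checks for both.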
MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs)
- Initial Access (TA0001): XWorm mainly arrives through phishing attachments or links. Campaigns used invoice-themed documents to lure victims. These map to Phishing: Spearphishing Attachment (T1566.001) and Spearphishing Link (T1566.002).
- Execution (TA0002): The victim opens the lure, and macros, shortcuts, or Office add-ins hand off to PowerShell, which runs the payload in memory. This maps to User Execution: Malicious File (T1204.002) and Command and Scripting Interpreter: PowerShell (T1059.001).
- Persistence (TA0003): XWorm persists through Registry Run keys and scheduled tasks. Version 6 also abuses Windows Reset scripts. This behavior fits Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) and Scheduled Task (T1053.005).
- Privilege Escalation (TA0004): Some campaigns created new local administrator accounts, such as “system32”, giving the operator elevated, RDP-capable access. ATT&CK files Create Account: Local Account (T1136.001) under Persistence; the elevation here comes from the new account’s administrator membership.
- Defense Evasion (TA0005): XWorm uses heavy obfuscation (T1027), disables AMSI and antivirus and adds Defender exclusions (Impair Defenses: Disable or Modify Tools, T1562.001), injects into legitimate processes (Process Injection, T1055), and checks for sandboxes and virtual machines (Virtualization/Sandbox Evasion, T1497).
- Credential Access (TA0006): XWorm captures credentials through keylogging (T1056.001) and infostealer plugins that take browser passwords, cookies, and saved credentials (Credentials from Password Stores, T1555, including T1555.003 for browsers).
- Discovery (TA0007): XWorm gathers system details, network connections, and file listings to map the environment. These match System Network Connections Discovery (T1049), System Information Discovery (T1082), and File and Directory Discovery (T1083).
- Lateral Movement (TA0008): XWorm does not propagate on its own, but stolen credentials let operators move with RDP or SMB. This fits Remote Services (T1021).
- Collection (TA0009): XWorm records keystrokes, screenshots (Screen Capture, T1113), webcam video (Video Capture, T1125), and microphone audio (Audio Capture, T1123). It uses its file manager to locate valuable files.
- Command and Control (TA0011): XWorm uses a custom encrypted protocol (Encrypted Channel, T1573) over a non-standard port, typically TCP 4411 (Non-Standard Port, T1571), with the encryption key embedded in the sample.
- Exfiltration (TA0010): The RAT sends stolen data through the same encrypted C2 channel. This matches Exfiltration Over C2 Channel (T1041).
- Impact (TA0040): XWorm can encrypt files on command, drop ransom notes, and demand payment. This maps to Data Encrypted for Impact (T1486).
This mapping shows that XWorm spans the spectrum of attack stages – from initial ingress to final impact – which is a testament to its all-in-one threat nature.
Case Study: Xcitium vs. XWorm Malware
In this video demonstration, Xcitium’s ZeroDwell platform delivers a decisive showcase of how next-generation isolation technology neutralizes XWorm before the threat ever has a chance to breathe.
The moment the XWorm samples are extracted, Xcitium automatically intercepts and contains every unknown process inside a secure, virtualized environment—instantly cutting off the malware’s ability to touch the real endpoint, access sensitive data, or trigger its remote-access and ransomware payloads.
Xcitium simply blocks the attack at the point of entry, turning a high-risk scenario into a zero-impact event. This case study demonstrates why organizations seeking airtight ransomware resilience and hands-off protection against emerging threats consistently turn to Xcitium’s unique ZeroDwell approach.
Indicators of Compromise (IOCs)
- Ransom Note File: When XWorm’s ransomware component runs, it drops “How To Decrypt My Files.html” into the affected directories, usually alongside a changed desktop wallpaper. That file is a definitive sign of XWorm or a related ransomware.
- Unusual Recovery Files: An unexpected ResetConfig.xml in the Windows Recovery directory (typically C:\Recovery\OEM), together with a script named install.cmd, is suspicious. Very few legitimate applications modify the OS Reset configuration, so such files pointing at unknown scripts strongly suggest that XWorm or other malware is hooking the reset process.
- Registry Artifacts: XWorm V6 stores its plugin DLLs in the Windows Registry. It creates a subkey under HKCU\Software named after the malware’s client ID and stores plugin data there as binary values. A randomly named subkey under HKCU\Software holding unexpected binary blobs can indicate XWorm on the machine. Also inspect the Run keys under HKCU and HKLM for entries pointing at unusual executables or scripts in user directories, which is common for XWorm droppers.
- Suspicious Process Behavior: RegSvcs.exe or MSBuild.exe (.NET Framework utilities) running when no user or build process launched them, and then connecting to an external IP or opening a network socket, is a strong sign of injection. Any process whose normal activity never involves networking, yet which connects to ports such as 4411 or executes scripts, should be treated as likely malware. Anomalous child processes of Office applications or scripting hosts (winword.exe spawning powershell.exe, wscript.exe launching an unexpected executable) can pinpoint where the XWorm deployment chain began.
- Network Indicators: Network data can offer additional hints. XWorm C2 traffic often uses uncommon ports (TCP 4411 was observed in one sample). If your network has egress filtering or logging in place, reviewing those logs for outbound connections to unusual ports not associated with normal activity can help detect XWorm. XWorm also uses hard-coded encryption keys in its C2 communication: “<123456789>” in legacy versions and “<666666>” in v6.
No single indicator is foolproof with a threat as adaptable as XWorm. Organizations should use a combination of these IOCs and behavioral analytics (like monitoring for script abuse and injection events) to identify an infection early.
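The execution chain described under How XWorm Malware Works (Office lure, PowerShell that disables AMSI and adds Defender exclusions, injection into RegSvcs.exe, beacon to the C2) and the process and network indicators above are the kind of behavioral correlation the last sentence asks for. The following is an added example, not code from the original post or any Xcitium product. It runs over constructed Sysmon-shaped process-create and network-connect events (pids, paths, and the documentation address 203.0.113.10 are invented), reconstructs each flagged process’s ancestry, and scores it. The AMSI and Defender strings in the sample command line are generic bypass tokens, not XWorm-specific; the assumption that the default C2 key strings are visible in the strings of a decoded sample is the example’s, not the page’s. The benign MSBuild launched by Visual Studio and the browser talking HTTPS are included to show that the rules key on the combination of parent, command line, and network behavior rather than on the binary name alone.

```python
"""Correlate process-creation and network events for XWorm-style chains (added example)."""
import re
from collections import defaultdict

# Constructed telemetry in a Sysmon-like shape. Not real events; 203.0.113.x are documentation addresses.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 3900, "image": WINWORD,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice_4471.docx"'},
    {"type": "process_create", "pid": 4212, "ppid": 4100, "image": POWERSHELL, "parent_image": WINWORD,
     # Generic AMSI-bypass and Defender-exclusion tokens, not an XWorm-specific string.
     "cmdline": ("powershell.exe -w hidden -ep bypass -c \"[Ref].Assembly.GetType('System.Management."
                 "Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true); "
                 "Add-MpPreference -ExclusionPath $env:APPDATA\"")},
    {"type": "process_create", "pid": 4300, "ppid": 4212, "image": REGSVCS, "parent_image": POWERSHELL,
     "cmdline": "RegSvcs.exe"},
    {"type": "network_connect", "pid": 4300, "image": REGSVCS, "dest_ip": "203.0.113.10", "dest_port": 4411},
    # Benign noise: a browser on HTTPS and MSBuild launched by Visual Studio with no network activity.
    {"type": "network_connect", "pid": 5000, "image": CHROME, "dest_ip": "203.0.113.50", "dest_port": 443},
    {"type": "process_create", "pid": 5100, "ppid": 5050,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe app.csproj"},
]

OFFICE_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS_AND_LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# .NET utilities commonly used as injection hosts; none of them has a reason to beacon out.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
XWORM_DEFAULT_PORT = 4411
TAMPER_PATTERNS = [
    (r"amsiInitFailed|AmsiScanBuffer", "AMSI bypass string in command line"),
    (r"Add-MpPreference\s+-Exclusion", "Defender exclusion added"),
    (r"Set-MpPreference\s+-Disable", "Defender feature disabled"),
    (r"-(w|windowstyle)\s+hidden", "hidden PowerShell window"),
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
]
# Default C2 keys quoted on the page; assumed visible in the strings of a decoded sample.
KNOWN_C2_KEYS = {"<123456789>": "legacy default key", "<666666>": "v6 default key"}
SAMPLE_STRINGS = ["System.Net.Sockets", "203.0.113.10", "4411", "<666666>", "Shell.dll"]  # constructed


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Walk ppid links back to the oldest process we have, then its recorded parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        last, pid = procs[pid], procs[pid]["ppid"]
    if chain:
        chain.append(basename(last["parent_image"]))
    return chain[::-1]


def analyze(events):
    """Yield (pid, severity, reason) for every rule hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    for e in procs.values():
        child, parent = basename(e["image"]), basename(e["parent_image"])
        if parent in OFFICE_AND_SCRIPT_HOSTS and child in SHELLS_AND_LOLBINS:
            yield e["pid"], "high", f"{parent} spawned {child}"
        for pattern, reason in TAMPER_PATTERNS:
            if re.search(pattern, e["cmdline"], re.IGNORECASE):
                yield e["pid"], "medium", reason
    for e in events:
        if e["type"] != "network_connect":
            continue
        image = basename(e["image"])
        if image in INJECTION_HOSTS:
            yield e["pid"], "high", f"{image} connected out to {e['dest_ip']}:{e['dest_port']}"
        if e["dest_port"] == XWORM_DEFAULT_PORT:
            yield e["pid"], "medium", f"outbound TCP/{XWORM_DEFAULT_PORT} (XWorm default C2 port)"


def report(events):
    """Group hits per process with its full ancestry and the highest severity seen."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    rank = {"low": 0, "medium": 1, "high": 2}
    out = defaultdict(lambda: {"chain": [], "severity": "low", "reasons": []})
    for pid, sev, reason in analyze(events):
        entry = out[pid]
        entry["chain"] = ancestry(procs, pid)
        entry["reasons"].append(reason)
        if rank[sev] > rank[entry["severity"]]:
            entry["severity"] = sev
    return dict(out)


def find_hardcoded_keys(strings):
    return {s: KNOWN_C2_KEYS[s] for s in strings if s in KNOWN_C2_KEYS}


if __name__ == "__main__":
    for pid, hit in report(EVENTS).items():
        print(pid, hit["severity"], " > ".join(hit["chain"]), hit["reasons"])
    print(find_hardcoded_keys(SAMPLE_STRINGS))
```

Run against the constructed events, report() flags only the PowerShell child of WINWORD and the RegSvcs.exe process that beacons to TCP/4411, and prints the chain explorer.exe > winword.exe > powershell.exe > regsvcs.exe that tells the responder which document started it; the developer’s MSBuild and the browser produce nothing. In production the same rules map directly onto Sysmon event IDs 1 and 3, and the port rule should be treated as corroboration rather than a standalone alert, since 4411 is only a default.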
XWorm Samples (SHA-1)
Conclusion
The rise of XWorm V6—from an abandoned chaotic codebase to a fully reengineered, weaponized malware family—proves one thing:
modern threats don’t disappear; they evolve.
Faster. Smarter. More evasive.
Today, XWorm operates as a complete attack ecosystem, combining:
- Multi-stage infection chains
- Fileless execution
- Credential theft
- Surveillance modules
- Ransomware payloads
- Aggressive, multi-layer persistence
Every piece is engineered to slip past traditional detection and strike before responders ever see an alert.
Why Every Organization Is Vulnerable
XWorm no longer relies on a single exploit or signature. It blends:
- Human-driven social engineering
- PowerShell abuse
- LOLBins
- Stealthy process injection
- Obfuscation and anti-analysis
- Multi-layer evasion across the kill chain
If your strategy is:
“Detect it when it runs.”
You’ve already lost.
Legacy AV and detection-based EDR are blind to malware that hides inside legitimate processes, disables protections, and executes its payloads before anyone notices.
Where Xcitium Changes the Story
With Xcitium’s patented Zero-Dwell architecture, XWorm never gets the opportunity to act. The moment an unknown process runs—whether fileless, injected, encrypted, or plugin-driven—it is instantly:
- Isolated
- Virtualized
- Contained (without blocking execution)
- Denied access to files, registry, kernel, and network
Meaning:
- No keylogging
- No beaconing
- No module loading
- No persistence
- No ransomware execution
What would become a full compromise is reduced to harmless noise.
With Xcitium, XWorm’s “advanced” capabilities collapse on impact.
This is why organizations that demand proactive, real-time protection choose Xcitium Advanced EDR—stopping threats at execution, not after the damage is done.