XWorm Backdoor Uses Triple DDNS C2 and AES-Encrypted Traffic for Stealth Control


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-27 12:48:14 UTC

Executive Overview — What We’re Dealing With

Human analysts classified this specimen as Malware, and the sandbox telemetry is consistent with XWorm, a .NET remote-access trojan: keystroke logging, screen capture, clipboard monitoring, file download-and-execute, shortcut-based persistence and self-deletion all appear in the capability profile below.

File: 9bl3kdj.exe
Type: Generic CIL Executable (.NET, Mono, etc.)
SHA-1: 3b1a18ec652405cc759c46e3833da81a46987675
MD5: 577bf9f1cbcc96b27460b1fb9009e745
First Seen: 2025-11-25 08:01:24.379325
Last Analysis: 2025-11-25 09:01:54.754190
Dwell Time: 0 days, 7 hours, 33 minutes

Dwell Time Impact

This malware ran undetected for a matter of hours (the reported dwell figure is 7 hours 33 minutes; the First Seen and Last Analysis timestamps above are one hour apart). That is a short window, but long enough for the adversary to complete initial execution and attempt a first contact with its command infrastructure.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)             Event                        Elapsed since first submission
2025-10-13 10:04:53    First VirusTotal submission  (start)
2025-11-27 07:00:59    Latest analysis snapshot     44 days, 20 hours, 56 minutes
2025-11-27 12:48:14    Report generation            45 days, 2 hours, 43 minutes

Note that the sample had been on VirusTotal for roughly six weeks before its First Seen date in this telemetry (2025-11-25); the hours-long dwell measured above is the window on this endpoint, not the age of the campaign.

Why It Matters

Every additional day of dwell time is attacker opportunity: more time for lateral movement, quiet persistence and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 61. Missed: 12. Coverage: 83.6%.

Detected Vendors

  • Xcitium
  • 60 additional vendors (names not provided in the source summary)

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • Cynet
  • google_safebrowsing
  • Gridinsoft
  • Jiangmin
  • SUPERAntiSpyware
  • tehtris
  • Yandex
  • Zoner

Why it matters: an endpoint whose only control is one of the 12 engines above sees this sample run with zero alerts. Prevention-first controls (default-deny for unknown binaries) close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

System-level operations dominate (60.98%), with registry access second (30.63%). Read alongside the registry list further down, most of that volume is .NET start-up: assembly binding-policy (Fusion) and CLR configuration lookups that every managed executable performs, so the raw weights overstate how much of the run was reconnaissance. What defines this sample is the capability list that follows: input capture (keystrokes, screenshots, clipboard), host and user discovery, ingress tool transfer, shortcut persistence and self-deletion. The sample reads its own integrity level, but no UAC bypass, token manipulation or exploit-based elevation appears among the mapped techniques.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category          Weight   Percentage
System              7994      60.98%
Registry            4015      30.63%
File System          675       5.15%
Process              209       1.59%
Misc                  85       0.65%
Crypto                30       0.23%
Threading             26       0.20%
Device                25       0.19%
Synchronization       22       0.17%
Windows               11       0.08%
Com                    9       0.07%
Network                8       0.06%
Hooking                1       0.01%

MITRE ATT&CK Mapping

Grouped by technique. One observed capability can map to more than one technique (for instance "get session user name" is listed under both T1033 and T1087, and "enumerate processes" under both T1057 and T1518), so a few descriptions appear twice.

  • T1047 Windows Management Instrumentation: access WMI data in .NET
  • T1620 Reflective Code Loading: load .NET assembly; invoke .NET assembly method
  • T1547.009 Boot or Logon Autostart Execution, Shortcut Modification: persist via lnk shortcut
  • T1027 Obfuscated Files and Information: encode data using Base64
  • T1140 Deobfuscate/Decode Files or Information: decode data using Base64 in .NET
  • T1070.004 Indicator Removal, File Deletion: self delete
  • T1112 Modify Registry: delete registry key
  • T1222 File and Directory Permissions Modification: set file attributes
  • T1012 Query Registry: query or enumerate registry key; query or enumerate registry value
  • T1033 System Owner/User Discovery: get session user name; get session integrity level
  • T1057 Process Discovery: find process by PID; enumerate processes
  • T1082 System Information Discovery: get OS version in .NET; get hostname; get number of processors; get disk size; get disk information; query environment variable
  • T1083 File and Directory Discovery: check if file exists; check if directory exists; enumerate files in .NET; get common file path
  • T1087 Account Discovery: get session user name
  • T1518 Software Discovery: enumerate processes
  • T1614.001 System Location Discovery, System Language Discovery: get keyboard layout
  • T1056.001 Input Capture, Keylogging: log keystrokes; log keystrokes via polling
  • T1113 Screen Capture: capture screenshot
  • T1115 Clipboard Data: read clipboard data; monitor clipboard content
  • T1213 Data from Information Repositories: reference WMI statements
  • T1560.002 Archive Collected Data, Archive via Library: compress data using GZip in .NET
  • T1105 Ingress Tool Transfer: download and write a file

Following the Trail — Network & DNS Activity

The capture contains UDP only. The sample's own network activity was name resolution: A-record queries for three hostnames, one of them a dynamic-DNS name (rency.ydns.eu), sent to the VM's configured resolvers (8.8.8.8 and 8.8.4.4). www.aieov.com resolved to Amazon-hosted address space and rency.ydns.eu to 91.92.241.145 (LANEDONET, Bulgaria); 5isohu.com has no recorded answer. No TCP session to any resolved address was recorded, so the C2 protocol itself, and the encryption the title refers to, was not observed in this run. The remaining UDP traffic, LLMNR to 224.0.0.252 and one NetBIOS name-service broadcast, is ordinary Windows name-resolution behavior rather than beaconing.

Contacted Domains

Domain           IP               Country          ASN/Org
www.aieov.com    76.223.54.146    United States    Amazon.com, Inc.
rency.ydns.eu    91.92.241.145    Bulgaria         LANEDONET

Observed IPs

IP             Country          ASN/Org
224.0.0.252    (LLMNR multicast group, link-local; not a remote host)
8.8.4.4        United States    Google LLC
8.8.8.8        United States    Google LLC

DNS Queries

Request          Type   Answer recorded
5isohu.com       A      (none)
rency.ydns.eu    A      91.92.241.145
www.aieov.com    A      76.223.54.146


Port Distribution

Port   Count   Protocol   Service
137    1       udp        NetBIOS name service (broadcast)
5355   4       udp        LLMNR (multicast)
53     50      udp        DNS (25 lookups, each sent to both resolvers)

UDP Packets

Sorted by time (seconds since capture start, rounded to 10 ms).

Time     Source         Destination     Sport  Dport  Proto
7.99     192.168.56.14  224.0.0.252     51209  5355   udp
7.99     192.168.56.14  224.0.0.252     55848  5355   udp
8.06     192.168.56.14  192.168.56.255  137    137    udp
10.29    192.168.56.14  224.0.0.252     53401  5355   udp
10.54    192.168.56.14  224.0.0.252     55094  5355   udp
12.87    192.168.56.14  8.8.4.4         52815  53     udp
13.87    192.168.56.14  8.8.8.8         52815  53     udp
21.74    192.168.56.14  8.8.4.4         65148  53     udp
22.73    192.168.56.14  8.8.8.8         65148  53     udp
27.23    192.168.56.14  8.8.8.8         62112  53     udp
28.23    192.168.56.14  8.8.4.4         62112  53     udp
41.59    192.168.56.14  8.8.8.8         54579  53     udp
42.59    192.168.56.14  8.8.4.4         54579  53     udp
56.16    192.168.56.14  8.8.8.8         50710  53     udp
57.16    192.168.56.14  8.8.4.4         50710  53     udp
70.52    192.168.56.14  8.8.8.8         60117  53     udp
71.52    192.168.56.14  8.8.4.4         60117  53     udp
84.88    192.168.56.14  8.8.8.8         49916  53     udp
85.88    192.168.56.14  8.8.4.4         49916  53     udp
103.13   192.168.56.14  8.8.8.8         64753  53     udp
104.13   192.168.56.14  8.8.4.4         64753  53     udp
117.49   192.168.56.14  8.8.8.8         55914  53     udp
118.49   192.168.56.14  8.8.4.4         55914  53     udp
131.85   192.168.56.14  8.8.8.8         50180  53     udp
132.85   192.168.56.14  8.8.4.4         50180  53     udp
150.10   192.168.56.14  8.8.8.8         62022  53     udp
151.10   192.168.56.14  8.8.4.4         62022  53     udp
164.46   192.168.56.14  8.8.8.8         56399  53     udp
165.46   192.168.56.14  8.8.4.4         56399  53     udp
178.82   192.168.56.14  8.8.8.8         54683  53     udp
179.82   192.168.56.14  8.8.4.4         54683  53     udp
197.07   192.168.56.14  8.8.8.8         63205  53     udp
198.07   192.168.56.14  8.8.4.4         63205  53     udp
211.43   192.168.56.14  8.8.8.8         62548  53     udp
212.43   192.168.56.14  8.8.4.4         62548  53     udp
225.79   192.168.56.14  8.8.8.8         50914  53     udp
226.79   192.168.56.14  8.8.4.4         50914  53     udp
244.04   192.168.56.14  8.8.8.8         55827  53     udp
245.04   192.168.56.14  8.8.4.4         55827  53     udp
258.40   192.168.56.14  8.8.8.8         60713  53     udp
259.40   192.168.56.14  8.8.4.4         60713  53     udp
272.76   192.168.56.14  8.8.8.8         62800  53     udp
273.76   192.168.56.14  8.8.4.4         62800  53     udp
291.01   192.168.56.14  8.8.8.8         51262  53     udp
292.01   192.168.56.14  8.8.4.4         51262  53     udp
305.37   192.168.56.14  8.8.8.8         50870  53     udp
306.37   192.168.56.14  8.8.4.4         50870  53     udp
319.73   192.168.56.14  8.8.8.8         59068  53     udp
320.73   192.168.56.14  8.8.4.4         59068  53     udp
333.98   192.168.56.14  8.8.8.8         53449  53     udp
334.98   192.168.56.14  8.8.4.4         53449  53     udp
348.34   192.168.56.14  8.8.8.8         57742  53     udp
349.34   192.168.56.14  8.8.4.4         57742  53     udp
362.70   192.168.56.14  8.8.8.8         52556  53     udp
363.69   192.168.56.14  8.8.4.4         52556  53     udp

Reading the packet table: every lookup appears twice, the same source port sent to one resolver and then to the other about one second later, which is the Windows stub resolver retrying an unanswered query against its next server. After the first few lookups the gaps settle into a repeating pattern of about 14 s, 14 s, 18 s, a cycle of three that is consistent with the sample rotating through its three configured hostnames. The packet table does not record which name each query carried, so treat the rotation as an inference rather than an observation.

Hunting tip: alert on first-seen or unsigned binaries that resolve dynamic-DNS hostnames (ydns.eu here) or any of the three names above, and on a process issuing DNS queries on a short fixed cycle with no TCP session following them. Sysmon Event ID 22 (DnsQuery) or the DNS Client operational log supplies the process-to-query linkage that packet capture alone lacks.
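The two things worth pulling out of a UDP table like the one above are the resolver-retry pairs (two packets per lookup, same source port) and whether the lookups follow a fixed cycle. The script below does both. It is an added example written for this page, not tooling from the report's vendor; its input is a constructed subset of the UDP table (the LLMNR/NBNS packets and the first 11 DNS lookups), the three query names are the ones in the DNS Queries table, and the dynamic-DNS suffix list, the 2 s retry window and the 0.5 s period tolerance are this example's own assumptions.

```python
"""Triage a sandbox UDP log: set aside Windows name-resolution noise, pair
stub-resolver retries into lookups, find the lookup cadence and flag
dynamic-DNS names. Added example, not part of the report's tooling."""
from collections import defaultdict

# Constructed input: a subset of the report's UDP packet table, as
# "src dst sport dport time proto" lines (LLMNR/NBNS plus the first 11 lookups).
UDP_LOG = """\
192.168.56.14 224.0.0.252 51209 5355 7.987295150756836 udp
192.168.56.14 192.168.56.255 137 137 8.055565118789673 udp
192.168.56.14 224.0.0.252 53401 5355 10.293418169021606 udp
192.168.56.14 8.8.4.4 52815 53 12.867801189422607 udp
192.168.56.14 8.8.8.8 52815 53 13.86761999130249 udp
192.168.56.14 8.8.4.4 65148 53 21.74090003967285 udp
192.168.56.14 8.8.8.8 65148 53 22.72631311416626 udp
192.168.56.14 8.8.8.8 62112 53 27.226664066314697 udp
192.168.56.14 8.8.4.4 62112 53 28.225856065750122 udp
192.168.56.14 8.8.8.8 54579 53 41.58591413497925 udp
192.168.56.14 8.8.4.4 54579 53 42.58510899543762 udp
192.168.56.14 8.8.8.8 50710 53 56.16407918930054 udp
192.168.56.14 8.8.4.4 50710 53 57.16322207450867 udp
192.168.56.14 8.8.8.8 60117 53 70.52298998832703 udp
192.168.56.14 8.8.4.4 60117 53 71.52323007583618 udp
192.168.56.14 8.8.8.8 49916 53 84.88269400596619 udp
192.168.56.14 8.8.4.4 49916 53 85.88208413124084 udp
192.168.56.14 8.8.8.8 64753 53 103.13482403755188 udp
192.168.56.14 8.8.4.4 64753 53 104.13227605819702 udp
192.168.56.14 8.8.8.8 55914 53 117.49178814888 udp
192.168.56.14 8.8.4.4 55914 53 118.49158501625061 udp
192.168.56.14 8.8.8.8 50180 53 131.8518521785736 udp
192.168.56.14 8.8.4.4 50180 53 132.8509030342102 udp
192.168.56.14 8.8.8.8 62022 53 150.1011290550232 udp
192.168.56.14 8.8.4.4 62022 53 151.10109615325928 udp
"""

# The three names from the report's DNS Queries table.
DNS_QUERIES = ["5isohu.com", "rency.ydns.eu", "www.aieov.com"]

# Assumption: a short illustrative list of dynamic-DNS providers; extend it
# from your own threat intel. ydns.eu is the one that appears in this report.
DYNDNS_SUFFIXES = (".ydns.eu", ".duckdns.org", ".no-ip.com", ".ddns.net")

# Destination ports that identify the Windows name-resolution protocols seen here.
UDP_SERVICES = {53: "dns", 137: "nbns", 5355: "llmnr"}


def parse_udp_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, t, proto = line.split()
        rows.append({"src": src, "dst": dst, "sport": int(sport),
                     "dport": int(dport), "time": float(t), "proto": proto})
    return rows


def by_service(rows):
    groups = defaultdict(list)
    for r in rows:
        groups[UDP_SERVICES.get(r["dport"], "other")].append(r)
    return groups


def pair_lookups(dns_rows, retry_window=2.0):
    """One lookup = all DNS packets sharing a source port. A stub resolver that
    gets no answer re-sends the same query from the same port to its next
    server about a second later, so each lookup shows up as a pair."""
    by_port = defaultdict(list)
    for r in dns_rows:
        by_port[r["sport"]].append(r)
    lookups = []
    for sport, pk in by_port.items():
        pk.sort(key=lambda r: r["time"])
        retried = len(pk) > 1 and pk[-1]["time"] - pk[0]["time"] <= retry_window
        lookups.append({"sport": sport, "first": pk[0]["time"],
                        "servers": [r["dst"] for r in pk], "retried": retried})
    lookups.sort(key=lambda l: l["first"])
    return lookups


def detect_period(gaps, tol=0.5, min_cycles=2):
    """Smallest k and offset o such that gaps[o:] repeat every k entries
    (within tol seconds) for at least min_cycles full cycles, else None."""
    for k in range(1, len(gaps) // min_cycles + 1):
        for o in range(len(gaps) - k * min_cycles + 1):
            tail = gaps[o:]
            if all(abs(tail[i] - tail[i + k]) <= tol for i in range(len(tail) - k)):
                return k, o
    return None


def cadence(lookups):
    """Gaps between consecutive lookups and, if present, the repeating cycle."""
    times = [l["first"] for l in lookups]
    gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
    found = detect_period(gaps)
    if found is None:
        return {"gaps": gaps, "period": None}
    k, o = found
    cycle = gaps[o:o + k]
    return {"gaps": gaps, "period": k, "steady_from_lookup": o + 1,
            "cycle": cycle, "cycle_seconds": round(sum(cycle), 1)}


def flag_dyndns(names):
    return [n for n in names if n.lower().endswith(DYNDNS_SUFFIXES)]


def analyse(text=UDP_LOG, names=DNS_QUERIES):
    groups = by_service(parse_udp_log(text))
    lookups = pair_lookups(groups["dns"])
    return {"os_noise": {k: len(v) for k, v in groups.items() if k != "dns"},
            "dns_packets": len(groups["dns"]),
            "lookups": len(lookups),
            "retried": sum(l["retried"] for l in lookups),
            "cadence": cadence(lookups),
            "dyndns": flag_dyndns(names)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

On this input it reports 11 lookups, all retried, a period of 3 beginning at the fifth lookup with a 14.4 / 14.4 / 18.3 s cycle (about 47 s per pass over the three hosts), and rency.ydns.eu as the dynamic-DNS name. Paste the rest of the report's rows into UDP_LOG to confirm the cycle holds for the whole capture.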

Persistence & Policy — Registry and Services

Registry and service telemetry points to environment reconnaissance rather than noisy persistence. Of the 98 keys opened, the great majority are .NET Framework start-up reads that any managed executable performs: Fusion assembly-binding policy, CLR configuration under \.NETFramework, installed-runtime probes under NET Framework Setup\NDP, and strong-name policy. The keys worth an analyst's attention:

  • Image File Execution Options\payload.exe: the CLR looks up IFEO for the running image name, so the process ran as payload.exe in this sandbox rather than under the submission name 9bl3kdj.exe.
  • CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8} (InprocServer32 and LocalServer32 lookups): the WScript.Shell COM object, the usual route for .NET code to create a .lnk shortcut, and a match for the T1547.009 shortcut-persistence capability in the ATT&CK list.
  • Explorer\Advanced\ShowSuperHidden: whether Explorer displays hidden and system files, a common companion check to the set-file-attributes capability.
  • ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001 and LanmanServer\DefaultSecurity\SrvsvcDefaultShareInfo: user-profile and default-share reconnaissance.

The single registry write is shell file-association bookkeeping (FileExts\.exe\OpenWithProgids), not a run key; no service was created or started, and the only service handle opened is dnsCache, the DNS client, in line with the name-resolution activity above. The persistence mechanism to look for is therefore the .lnk shortcut (T1547.009), not a registry run key.

Registry opened: 98
Registry set: 1
Services started: 0
Services opened: 1

Registry Opened (all 98 keys)

Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32\Class
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_CURRENT_USER\1.0\0\win64
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_CURRENT_USER\1.0\409
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_CURRENT_USER\1.0\0
HKEY_CURRENT_USER\1.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity\SrvsvcDefaultShareInfo
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_CURRENT_USER\1.0\9
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot

Registry Set (1 key)

Key: HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile
Value: Binary Data

Services Started

(none)

Services Opened

Service
dnsCache
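A managed executable's start-up reads of Fusion and CLR configuration keys dominate registry lists like the one above, and the handful of keys that matter get buried. The script below makes that separation repeatable: it counts the .NET noise, recovers the image name from the CLR's IFEO lookup, names a known COM CLSID, extracts SIDs and attaches a reason to each remaining key. It is an added example, not the report's tooling; the key list is a constructed subset of the 98 keys above, and the noise-prefix list, the IFEO loader-read set and the interest rules are this example's own assumptions. The CLSID table carries only the one CLSID that appears in this report.

```python
"""Sort a sandbox registry-handle list into .NET runtime start-up noise and
keys an analyst should actually read. Added example; not the report's tooling."""
import re

# Constructed input: a subset of the report's 98 "Registry Opened" keys.
OPENED_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity\SrvsvcDefaultShareInfo",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001",
    r"HKEY_CURRENT_USER\1.0\409",
]

# Assumption: prefixes every .NET Framework process reads at start-up (Fusion
# assembly-binding policy, CLR configuration, installed-runtime probes,
# strong-name policy). Lower-cased because registry paths are case-insensitive.
DOTNET_NOISE_PREFIXES = (
    r"hkey_local_machine\software\microsoft\fusion",
    r"hkey_local_machine\software\microsoft\.netframework",
    r"hkey_local_machine\software\microsoft\net framework setup",
    r"hkey_local_machine\software\microsoft\strongname",
    r"hkey_current_user\software\microsoft\.netframework",
)
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
# Assumption: IFEO reads the loader performs for every image, not sample logic.
IFEO_LOADER_READS = {"", "devoverrideenable"}

# CLSIDs worth naming when a sample's COM activation touches them.
KNOWN_CLSIDS = {
    "{72c24dd5-d70a-438b-8a42-98424b88afb8}": "WScript.Shell",  # the object .NET code typically uses to write .lnk shortcuts
}

# Assumption: substring rules giving the reason a non-noise key matters.
INTEREST = [
    ("showsuperhidden", "checks whether Explorer displays hidden/system files"),
    ("lanmanserver\\defaultsecurity", "reads default share security"),
    ("profilelist\\", "looks up a user profile by SID"),
    ("fileexts\\.exe", "shell file-association bookkeeping, not a run key"),
]
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,}")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def triage(keys):
    out = {"noise": 0, "image_names": set(), "com_objects": set(),
           "sids": set(), "findings": []}
    for key in keys:
        low = key.lower()
        if low.startswith(DOTNET_NOISE_PREFIXES):
            out["noise"] += 1
            continue
        if low.startswith(IFEO):
            leaf = low[len(IFEO):].lstrip("\\")
            if leaf in IFEO_LOADER_READS:
                out["noise"] += 1
            else:
                # The CLR looks up IFEO\<image name> for the running process,
                # so the leaf reveals the name the sample actually ran under.
                out["image_names"].add(key.rsplit("\\", 1)[-1])
            continue
        m = CLSID_RE.search(low)
        if m:
            out["com_objects"].add(KNOWN_CLSIDS.get(m.group(0), m.group(0)))
            continue
        s = SID_RE.search(key)
        if s:
            out["sids"].add(s.group(0))
        reason = next((why for frag, why in INTEREST if frag in low),
                      "unclassified, review manually")
        out["findings"].append((reason, key))
    return out


if __name__ == "__main__":
    result = triage(OPENED_KEYS)
    print(f"{result['noise']} .NET start-up keys set aside; ran as {result['image_names']}")
    print(f"COM objects: {result['com_objects']}; SIDs: {result['sids']}")
    for reason, key in result["findings"]:
        print(f"{reason}: {key}")
```

On the subset above it sets six keys aside as .NET start-up noise, recovers payload.exe as the running image name, names the WScript.Shell CLSID, extracts the one user SID, and leaves four keys with a reason attached (the odd HKEY_CURRENT_USER\1.0\409 key stays unclassified, which is the right answer for a key the rules do not recognise). Feed it the full 98-key list and the noise count rises while the findings stay the same short list.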

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first-run, unsigned binaries by default. Twelve of 73 engines still miss this sample, so containment cannot wait for signatures.
  • EDR controls: alert on keystroke polling, screen-capture and clipboard-read APIs from non-interactive processes, on managed executables loading assemblies from memory (T1620), and on processes that delete their own image (T1070.004).
  • Registry watch: baseline the .NET Fusion and CLR keys so they do not drown the signal, then flag unknown binaries reading Explorer\Advanced\ShowSuperHidden, ProfileList or LanmanServer\DefaultSecurity, and any write under Image File Execution Options or Run keys (none occurred here).
  • Startup shortcuts: sweep user Startup folders for .lnk files created around the first-seen time (T1547.009), since that is the persistence capability this sample carries.
  • Network rules: block or sinkhole dynamic-DNS providers (ydns.eu here) where business use does not require them; alert on resolution of 5isohu.com, rency.ydns.eu and www.aieov.com and on traffic to 91.92.241.145.
  • Hunt broadly: sweep endpoints for the SHA-1 and MD5 above, the three domains, and a process named payload.exe; quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
