After XCoder, the original developer of XWorm, abandoned the project last year, the infamous malware has resurfaced with force. New versions of this backdoor are being distributed through phishing campaigns, using fake emails and malicious attachments to infect victims.
The latest variants (XWorm 6.0, 6.4, and 6.5) have been adopted by various cybercriminal groups and come loaded with plugins that greatly expand their capabilities. Thanks to these modules, attackers can steal data from browsers and applications, gain remote control of the system via desktop or shell access, and even encrypt or decrypt files, integrating features typically seen in ransomware.
It’s worth noting that the last version created directly by XCoder was 5.6, which contained a remote code execution vulnerability. That flaw has been fixed in the current versions, showing that the new operators have refined and strengthened the malware, making it even more dangerous.
XWorm: A Versatile Malware That Became Too Popular
First detected in 2022, XWorm quickly gained a reputation in the cybercrime world. This remote access trojan (RAT) stood out for its modular architecture and its ability to adapt to various targets, becoming one of attackers’ favorite tools.
Its versatility is what makes it so dangerous. Cybercriminals often use it to steal sensitive information such as passwords, cryptocurrency wallets, and financial data, in addition to logging keystrokes or copying clipboard contents. But that’s not all—XWorm can also launch DDoS (Distributed Denial of Service) attacks and download other types of malware onto compromised systems, serving as a gateway for even more severe infections.
When XCoder, XWorm’s original creator, shut down his Telegram accounts and stopped releasing updates, the criminal community was quick to act. Several groups began distributing cracked versions of the malware, keeping its legacy alive and expanding its reach.
In fact, XWorm became so popular that other hackers even used it as bait to trick less experienced cybercriminals. In one particularly curious campaign, a backdoor disguised as XWorm managed to infect over 18,000 devices, primarily in Russia, the United States, India, Ukraine, and Turkey.
XWorm Expands with New Distribution Methods
The new version of XWorm started drawing attention when it was advertised on a hacker forum by a user named XCoderTools. The alleged developer was offering lifetime access for $500—a strategy that quickly attracted the interest of many criminal actors online.
Although it's still unclear whether this is the original creator of XWorm, the account claimed that the latest variant had patched an RCE (Remote Code Execution) vulnerability present in earlier versions and included multiple improvements and new features.
Since June 2024, researchers at Trellix have observed a significant increase in XWorm samples detected on VirusTotal, a clear sign that more and more cybercriminals are adopting this tool in their campaigns.
In one of the most recent phishing campaigns, the malware was delivered via a malicious JavaScript file that executed a PowerShell script. This technique allowed it to bypass Windows’ built-in anti-malware protections and deploy XWorm without raising suspicion—demonstrating just how sophisticated its distribution tactics have become.
XWorm infection chain (Source: Trellix)
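As an added illustration of how the script-host-to-PowerShell step described above can be surfaced in endpoint telemetry (example code written for this article, not from Trellix or from the original report): the Python below parses a constructed set of process-creation events in a Sysmon-like key=value layout and flags every case in which wscript.exe or cscript.exe launches a command interpreter. The log layout, paths and timestamps are constructed for the demo; treating cmd.exe and pwsh.exe the same way as powershell.exe is a generalization beyond the specific chain the article describes.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like key=value layout.
# These lines are made up for this example; they are not telemetry from any real campaign.
SAMPLE_EVENTS = """\
2025-10-01T09:12:01Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Users\\alice\\Downloads\\invoice.js"
2025-10-01T09:12:03Z ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"
2025-10-01T09:15:44Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe"
2025-10-01T09:20:10Z ParentImage=C:\\Windows\\System32\\cscript.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"
"""

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}             # Windows Script Host binaries
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # command interpreters worth flagging (assumption)


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary: the leading timestamp plus key=value pairs."""
    timestamp, _, rest = line.partition(" ")
    fields = {"Timestamp": timestamp}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path, e.g. 'wscript.exe'."""
    return PureWindowsPath(path).name.lower()


def detect_script_host_spawning_interpreter(log: str) -> List[Dict[str, str]]:
    """Return one alert per event in which a script host is the parent of a command interpreter."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        parent = image_name(event.get("ParentImage", ""))
        child = image_name(event.get("Image", ""))
        if parent in SCRIPT_HOSTS and child in INTERPRETERS:
            alerts.append({
                "timestamp": event["Timestamp"],
                "parent": parent,
                "child": child,
                "command_line": event.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_host_spawning_interpreter(SAMPLE_EVENTS):
        print(f"[{alert['timestamp']}] {alert['parent']} -> {alert['child']}: {alert['command_line']}")
```

The rule is deliberately a parent/child relationship rather than a string match on the script, so it still fires when the JavaScript lure changes; a user opening PowerShell from Explorer (third sample line) is left alone, while the final line shows the same logic catching cscript.exe launching cmd.exe.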
According to a report published in September, security researchers warned that XWorm’s infection chain has evolved significantly. The malware now employs more sophisticated techniques that go far beyond classic email attacks.
While traditional phishing and .LNK files remain among the most common entry points, the attackers behind XWorm have started using .exe files with seemingly legitimate names, disguising them as popular applications like Discord to trick victims and avoid suspicion.
This evolution represents “a shift toward combining social engineering with technical attack vectors to achieve greater effectiveness.” In other words, cybercriminals are no longer relying solely on deceiving users—they’re also refining technical methods to maximize their chances of success.
Additionally, other research teams have identified campaigns distributing XWorm using lures related to artificial intelligence (AI), taking advantage of the topic’s popularity to attract more victims. Attacks have also been detected using a modified version of the remote access tool ScreenConnect, adapted to deploy the malware without detection.
To make matters worse, an additional report details a sophisticated phishing campaign in which attackers managed to hide shellcode inside a Microsoft Excel (.XLAM) file—a format typically used for legitimate add-ins. This technique allows XWorm to execute silently upon opening the document, without the victim suspecting what’s happening in the background.
A Ransomware Threat Among Dozens of Modules
The new version of XWorm has reached an alarming level of complexity. It currently features more than 35 modules or plugins, each designed to extend its capabilities and make it more dangerous. Thanks to this modular structure, the malware can perform tasks ranging from stealing sensitive information to more destructive actions, such as encrypting files and demanding ransom.
One of the most concerning plugins is Ransomware.dll, responsible for executing the encryption function. This module allows attackers to lock system files, change the victim’s desktop background, and display a ransom message with instructions—including the amount to pay, the wallet address, and a contact email for negotiating data release.
With these new capabilities, XWorm is no longer just a tool for spying or data theft—it has evolved into a full-fledged cyberattack platform, capable of adapting to different targets and maximizing damage in every infection.
XWorm’s encryption process is designed to cause maximum damage without completely disabling the system. Instead of targeting essential Windows files, the malware avoids system folders and focuses on the user’s personal data—especially in the %USERPROFILE% and Documents locations.
Once the files are encrypted, the originals are deleted, and the malware appends the .ENC extension to each one, signaling that the data has been locked.
After the attack, the victim finds an HTML file on their desktop containing the ransom instructions. This document outlines the steps to recover the files, along with the attacker’s Bitcoin (BTC) wallet address, a contact email, and the amount demanded for decryption.
In short, XWorm carries out a classic ransomware attack, but with surgical precision: it targets personal files directly and makes it abundantly clear that this is not just a simple infection, but a carefully planned extortion.
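The behaviour described above (personal files under the user profile replaced by .ENC copies, originals deleted, an HTML note dropped on the desktop) is distinctive enough to detect from file-activity telemetry. The Python below is an added example written for this article, not code from Trellix or from the malware analysis: it runs over a constructed list of (timestamp, pid, operation, path) events, pairs each newly created *.ENC file with the deletion of the file it was derived from, and flags any process that produces a burst of such pairs, reporting the desktop HTML file as a supporting indicator. The event layout, the 30-second window and the threshold of three pairs are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed file-activity telemetry: (timestamp, pid, operation, path).
# Made up for this example to mimic what an EDR might record; not real data.
SAMPLE_FS_EVENTS: List[Tuple[str, int, str, str]] = [
    ("2025-10-02T14:00:00", 4120, "create", r"C:\Users\alice\Documents\budget.xlsx.ENC"),
    ("2025-10-02T14:00:00", 4120, "delete", r"C:\Users\alice\Documents\budget.xlsx"),
    ("2025-10-02T14:00:01", 4120, "create", r"C:\Users\alice\Documents\thesis.docx.ENC"),
    ("2025-10-02T14:00:01", 4120, "delete", r"C:\Users\alice\Documents\thesis.docx"),
    ("2025-10-02T14:00:02", 4120, "create", r"C:\Users\alice\Pictures\photo.jpg.ENC"),
    ("2025-10-02T14:00:02", 4120, "delete", r"C:\Users\alice\Pictures\photo.jpg"),
    ("2025-10-02T14:00:03", 4120, "create", r"C:\Users\alice\Desktop\HOW_TO_DECRYPT.html"),
    # A benign process editing documents normally: no .ENC files, no ransom note.
    ("2025-10-02T14:01:00", 777, "create", r"C:\Users\alice\Documents\report.docx"),
    ("2025-10-02T14:01:05", 777, "delete", r"C:\Users\alice\Documents\report_old.docx"),
]

ENCRYPTED_EXT = ".enc"          # extension the article reports XWorm appending
WINDOW = timedelta(seconds=30)  # burst window (assumption, tuned for the demo)
THRESHOLD = 3                   # encrypt/delete pairs inside WINDOW needed to alert (assumption)


def in_user_profile(path: str) -> bool:
    """True for paths under the Users directory, i.e. %USERPROFILE% data rather than system folders."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 2 and parts[1] == "users"


def max_events_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_encryption_bursts(events) -> Dict[int, Dict[str, object]]:
    """Per process, pair each new *.ENC file with a deletion of the original name and
    flag processes that produce THRESHOLD or more such pairs within WINDOW."""
    by_pid = defaultdict(list)
    for ts, pid, op, path in events:
        by_pid[pid].append((datetime.fromisoformat(ts), op, path))

    findings = {}
    for pid, evs in by_pid.items():
        deleted = set()
        encrypted = []  # (timestamp, original path) for every .ENC file created
        note = None
        for ts, op, path in evs:
            if not in_user_profile(path):
                continue  # the article says system folders are avoided; only user data matters here
            p = PureWindowsPath(path)
            if op == "delete":
                deleted.add(str(p).lower())
            elif op == "create" and p.suffix.lower() == ENCRYPTED_EXT:
                # strip the appended .ENC to recover the name the original file had
                encrypted.append((ts, str(p.with_suffix("")).lower()))
            elif op == "create" and p.suffix.lower() == ".html" and p.parent.name.lower() == "desktop":
                note = str(p)  # candidate ransom note dropped on the desktop
        pair_times = [ts for ts, original in encrypted if original in deleted]
        burst = max_events_in_window(pair_times, WINDOW) if pair_times else 0
        if burst >= THRESHOLD:
            findings[pid] = {"encrypted_pairs": len(pair_times), "burst": burst, "ransom_note": note}
    return findings


if __name__ == "__main__":
    for pid, info in find_encryption_bursts(SAMPLE_FS_EVENTS).items():
        print(f"pid {pid}: {info['encrypted_pairs']} encrypt/delete pairs, note={info['ransom_note']}")
```

Pairing the .ENC creation with the deletion of the same base name is what separates this from ordinary file churn: a backup tool or an editor saving files does not create a renamed copy and remove the original in lockstep, so the benign process in the sample is not reported. In a real deployment the threshold and window would be tuned to the environment and the rule paired with a kill-or-suspend response on the offending process.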
XWorm Shares Code with Another Ransomware
A recent security analysis revealed that XWorm’s ransomware module shares code similarities with NoCry, a .NET-based ransomware that first appeared in 2021.
Both use the same encryption algorithm, AES in CBC mode processing files in 4096-byte chunks (the AES cipher block itself is 16 bytes; 4096 bytes is the read/encrypt buffer size), and implement an identical method for generating the initialization vector (IV) and the encryption and decryption keys. They also perform the same anti-analysis checks, designed to detect whether the malware is running in a test or sandbox environment.
But the ransomware module is only part of the puzzle. Researchers also examined 14 other XWorm plugins, each with a specific function that expands its attack capabilities:
- RemoteDesktop.dll: creates a remote session, allowing the attacker to control the infected machine.
- WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, SystemCheck.Merged.dll: focus on stealing personal data and user credentials.
- FileManager.dll: provides full access to the file system, enabling the attacker to copy, move, or delete files.
- Shell.dll: executes system commands sent by the attacker via a hidden cmd.exe process.
- Informations.dll: gathers detailed information about the compromised system’s hardware and software.
- Webcam.dll: activates the device’s camera to record the victim or confirm that it’s a real machine.
- TCPConnections.dll, ActiveWindows.dll, StartupManager.dll: send lists of active connections, open windows, and startup programs to the command-and-control (C2) server.
With the information-stealing modules alone, an XWorm operator can extract credentials from more than 35 applications, including web browsers, email clients, messaging apps, FTP clients, and even cryptocurrency wallets.
How Can Businesses Protect Themselves from XWorm and Its Modules?
Against threats as advanced and ever-evolving as XWorm, a single line of defense is not enough. At TecnetOne, we recommend adopting a layered security strategy that can prevent, detect, and respond quickly to any incident.
- EDR solutions (Endpoint Detection and Response): help detect abnormal behavior related to XWorm modules and contain the threat before it spreads.
- Proactive email and web browsing protection: blocks malicious files and phishing links, drastically reducing the risk of initial infection.
- Real-time network monitoring: detects and blocks suspicious communications with command-and-control (C2) servers, preventing the malware from downloading new modules or exfiltrating data.
And if prevention falls short, a rapid and coordinated incident response can make the difference between a minor breach and a major crisis.
In these situations, specialized services like TecnetOne’s Incident Response provide comprehensive support during cyberattacks, helping companies contain the threat, eliminate the malware, and securely restore systems.
TecnetOne’s expert team also offers forensic analysis, impact assessment, and remediation measures, ensuring exploited vulnerabilities are addressed and the organization returns to full operation as quickly as possible.
Adopting a preventive approach, combined with an expert-backed incident response plan, is key to tackling threats like XWorm and safeguarding your company’s most critical digital assets.