XWorm backdoor resurfaces with ransomware module and dozens of plugins

Security researchers at Trellix said that new versions of the XWorm backdoor, identified as 6.0, 6.4 and 6.5, are being distributed in phishing campaigns and appear to have been adopted by multiple threat actors. The variants add support for a plugin architecture that enables a wide range of malicious activity, the researchers said.

XWorm, first observed in 2022, is a modular remote access trojan used to harvest credentials, cryptocurrency wallet data and other sensitive information, and to load additional malware. Trellix noted that the last known version developed by the original author, XCoder, was 5.6, which contained a remote code execution flaw that the newer variants patch.

Trellix researchers reported an increase in XWorm samples on VirusTotal and described multiple delivery techniques, including malicious JavaScript that launches a PowerShell script able to bypass Antimalware Scan Interface (AMSI) protection. The firm said the infection chain has grown beyond traditional email-based attacks and now combines social engineering with technical evasion. Other researchers have observed campaigns that used AI-themed lures and a modified ScreenConnect tool to deliver XWorm, and separate reporting provided technical details of a campaign that delivered the malware via shellcode embedded in an Excel .XLAM file.
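The delivery chain above, a JavaScript file that in turn launches PowerShell, leaves a process-lineage trail a defender can hunt for. The following is an added example (not Trellix's code and not XWorm's) that runs simple detection logic over constructed process-creation records. The field names are this script's own choice, the sample events are made up, and the AMSI-related strings it looks for are generic indicators of well-known AMSI tampering, not the specific bypass the report describes, which the page does not detail.

```python
"""Hunt for a Windows Script Host process (the engine that runs a .js
file) spawning PowerShell, and for PowerShell command lines that carry
encoded payloads or strings commonly seen in AMSI tampering.

Added example, not code from the report or the malware.  SAMPLE_EVENTS
are constructed to resemble simplified process-creation records
(Sysmon Event ID 1 / Security 4688 style); field names are assumptions.
"""
import re

# Windows Script Host engines that execute .js / .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Generic indicators of widely documented AMSI-tampering techniques.
# The page does not say which bypass XWorm's loader uses; these are an
# assumption about what such a PowerShell stage often contains.
AMSI_PATTERNS = [
    re.compile(r"amsiutils", re.I),
    re.compile(r"amsiinitfailed", re.I),
    re.compile(r"amsiscanbuffer", re.I),
    re.compile(r"amsi\.dll", re.I),
]

# -e / -ec / -enc / -EncodedCommand, but not -ep or -ExecutionPolicy.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the list of reasons a process-creation event looks suspicious."""
    reasons = []
    parent = basename(ev["parent_image"])
    image = basename(ev["image"])
    cmd = ev.get("command_line", "")
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("script host spawned PowerShell")
    if image in POWERSHELL:
        if ENCODED_FLAG.search(cmd):
            reasons.append("encoded PowerShell command")
        for pat in AMSI_PATTERNS:
            if pat.search(cmd):
                reasons.append("AMSI tampering string: " + pat.pattern)
                break
    return reasons


def hunt(events):
    """Return (pid, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


# Constructed sample telemetry: a user double-clicks a .js attachment,
# WSH launches an encoded PowerShell stage, that stage pokes at AMSI,
# and an unrelated admin script runs normally.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"pid": 4200, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -c \"[Ref].Assembly.GetType("
                     "'System.Management.Automation.AmsiUtils')\""},
    {"pid": 5000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Run against real telemetry, the parent/child rule alone will fire on legitimate logon scripts written in JScript, so the encoded-command and AMSI-string rules are what raise a hit from "worth a look" to "investigate now"; tune the parent list to whatever script hosts your environment actually uses.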

Trellix said XWorm now supports more than 35 plugins that extend its capabilities from credential theft to ransomware. A Ransomware.dll module lets operators set a desktop wallpaper to display after encryption and configure the ransom amount, wallet address and contact email. It targets user data under %USERPROFILE% and the Documents folder while avoiding system folders, deletes the originals, appends a .ENC extension to the encrypted files and drops an HTML file on the desktop with payment instructions, the researchers said.
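The on-disk behaviour just described (originals under the user profile replaced by .ENC copies, system folders untouched, an HTML note on the Desktop) is enough to write a triage check against file-activity telemetry. The following is an added example, not code from Trellix or from the malware: it replays constructed create/delete events and scores them against that pattern. The victim profile path, the system-folder list and the ransom note file name are assumptions; the page gives only the .ENC extension and the Desktop location of the note, so the logic keys on those.

```python
"""Triage file-activity events for the XWorm ransomware module's described
footprint: a file X replaced by X.ENC and then deleted, under the user
profile only, plus an HTML note created on the Desktop.

Added example, not Trellix's or XWorm's code.  Events are constructed
(action, path) pairs; USER_PROFILE, SYSTEM_ROOTS and the note file name
in the sample are assumptions.
"""
import ntpath

USER_PROFILE = r"C:\Users\alice"   # assumed victim profile
SYSTEM_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def _norm(path):
    """Case-insensitive, backslash-only form so paths compare reliably."""
    return ntpath.normcase(path)


def under(path, root):
    """True if path lies inside directory root."""
    return _norm(path).startswith(_norm(root).rstrip("\\") + "\\")


def analyse(events):
    """events: iterable of (action, path), action in {'create', 'delete'}."""
    created_enc = {}   # normalised original path -> .ENC path
    deleted = set()
    notes = []
    desktop = ntpath.join(USER_PROFILE, "Desktop")
    for action, path in events:
        if action == "create" and path.lower().endswith(".enc"):
            created_enc[_norm(path[:-4])] = path
        elif action == "delete":
            deleted.add(_norm(path))
        elif action == "create" and path.lower().endswith(".html") \
                and under(path, desktop):
            notes.append(path)

    # The module's signature move is "write X.ENC, delete X"; a stray
    # .ENC file with its original still present is weaker evidence.
    replaced = [orig for orig in created_enc if orig in deleted]
    # The report says the module avoids system folders, so .ENC files
    # there argue for something other than this module.
    in_system = [p for p in created_enc.values()
                 if any(under(p, r) for r in SYSTEM_ROOTS)]

    if replaced and notes:
        verdict = "likely XWorm-style ransomware"
    elif replaced:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "encrypted_and_deleted": len(replaced),
        "enc_in_system_dirs": len(in_system),
        "ransom_notes": notes,
        "verdict": verdict,
    }


# Constructed sample: two documents encrypted and removed, a note dropped
# on the Desktop, one .ENC whose original survives, and untouched system
# activity.  The note name is made up for the sample.
SAMPLE_EVENTS = [
    ("create", r"C:\Users\alice\Documents\budget.xlsx.ENC"),
    ("delete", r"C:\Users\alice\Documents\budget.xlsx"),
    ("create", r"C:\Users\alice\Pictures\holiday.jpg.ENC"),
    ("delete", r"C:\Users\alice\Pictures\holiday.jpg"),
    ("create", r"C:\Users\alice\Desktop\HOW_TO_DECRYPT.html"),
    ("create", r"C:\Users\alice\Downloads\report.pdf.ENC"),
    ("create", r"C:\Windows\Temp\log.txt"),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Feed it the file-create and file-delete events an EDR or Sysmon (Event ID 11 and 23/26) already records for the affected host; the "encrypted_and_deleted" count is also a quick first estimate of how many files were lost, which matters when deciding whether to pull the plug or keep the host up for memory capture.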

The researchers also reported code overlaps between XWorm's ransomware module and the .NET-based NoCry family, saying both use the same algorithm to generate an initialization vector and encryption key and perform similar environment checks. The report linked a public post about the NoCry ransomware as a reference to earlier sightings.

To mitigate the threat, Trellix recommended a multi-layered approach that includes endpoint detection and response to detect malicious module behavior, proactive email and web protections to block initial droppers, and network monitoring to spot command-and-control activity and data exfiltration.