XWorm V3.1 Updated

A hallmark of XWorm V3.1 is its reliance on plugins to expand its functionality without bloating the main payload. Common plugins found in V3.1 packages include:

XWorm frequently appears in campaigns targeting high-value sectors such as the software supply chain and the gaming industry, often as a precursor to ransomware attacks involving LockBit Black builder tools.

The "Updated" tag attached to v3.1 is critical. According to reverse engineering of samples captured in the wild (SHA256 hashes beginning with A4F3... and B8C1... ), the developers have focused heavily on for the attacker and on evasion for the malware.

Disables , stops the WinDefend service, and turns off Windows Firewall.
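The three tampering actions above each leave a Windows event trail, and the useful signal is their combination in one log window rather than any single event. The following detection logic is an added example, not code from the original page or from any XWorm analysis tooling. It assumes the relevant events arrive as pipe-delimited `channel|event_id|message` records (a SIEM-export shape constructed for this example, not a Windows-defined format) and that process-creation auditing (Security 4688) has command-line logging enabled; the sample log lines are constructed, not captured from a real infection.

```python
"""Detection for XWorm v3.1-style Defender and firewall tampering.
Added example; the log lines and record format below are constructed."""
import re
from dataclasses import dataclass

# Constructed sample export: channel|event_id|message. The service display name
# is "Windows Defender Antivirus Service" on older builds and
# "Microsoft Defender Antivirus Service" on newer ones, so rules match on the
# common substring.
SAMPLE_LOG = """\
System|7036|The Windows Defender Antivirus Service service entered the running state.
Security|4688|New Process Name: C:\\Windows\\System32\\sc.exe Process Command Line: sc stop WinDefend
System|7036|The Windows Defender Antivirus Service service entered the stopped state.
Microsoft-Windows-Windows Defender/Operational|5001|Real-time protection is disabled.
Security|4688|New Process Name: C:\\Windows\\System32\\netsh.exe Process Command Line: netsh advfirewall set allprofiles state off
Security|4950|A Windows Firewall setting has changed. Profile Changed: Domain Setting: Operational mode New Setting: Off
Security|4688|New Process Name: C:\\Windows\\System32\\notepad.exe Process Command Line: notepad.exe notes.txt
"""


@dataclass(frozen=True)
class Event:
    channel: str
    event_id: int
    message: str


def parse_log(text: str) -> list[Event]:
    """Split the constructed export into Event records (skips blank lines)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        channel, event_id, message = line.split("|", 2)
        events.append(Event(channel, int(event_id), message))
    return events


# Command-line signatures for the tooling an operator (or the RAT shelling out)
# would use: sc.exe against WinDefend, Set-MpPreference for real-time
# protection, netsh advfirewall for the firewall. Case-insensitive because all
# three accept any casing.
CMDLINE_RULES = {
    "defender_service_stopped_via_sc": re.compile(
        r"\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b", re.I),
    "defender_rtp_disabled_via_ps": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "firewall_disabled_via_netsh": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
}


def classify(ev: Event) -> list[str]:
    """Return the names of every rule the event matches."""
    hits = []
    # System 7036: Service Control Manager state change.
    if (ev.channel == "System" and ev.event_id == 7036
            and "Defender Antivirus Service" in ev.message
            and "stopped state" in ev.message):
        hits.append("defender_service_stopped")
    # Defender operational log 5001: real-time protection disabled.
    if ev.channel.endswith("Windows Defender/Operational") and ev.event_id == 5001:
        hits.append("defender_rtp_disabled")
    # Security 4950: firewall setting changed; 5025: firewall service stopped.
    if ev.channel == "Security" and ev.event_id in (4950, 5025):
        if ev.event_id == 5025 or "New Setting: Off" in ev.message:
            hits.append("firewall_disabled")
    # Security 4688: process creation with the command line field populated.
    if ev.channel == "Security" and ev.event_id == 4688:
        for name, pattern in CMDLINE_RULES.items():
            if pattern.search(ev.message):
                hits.append(name)
    return hits


def detect(text: str) -> list[tuple[int, str]]:
    """Return (event_id, rule_name) for every event that matches a rule."""
    return [(ev.event_id, rule) for ev in parse_log(text) for rule in classify(ev)]


def is_xworm_like(findings: list[tuple[int, str]]) -> bool:
    """Alert only on Defender tampering AND firewall tampering together.
    Either one alone is routine admin noise; both in one window is the v3.1
    pattern described above."""
    rules = {rule for _, rule in findings}
    defender = any(rule.startswith("defender") for rule in rules)
    firewall = any(rule.startswith("firewall") for rule in rules)
    return defender and firewall


if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for event_id, rule in findings:
        print(event_id, rule)
    print("alert" if is_xworm_like(findings) else "no alert")
```

Two caveats for deployment: 4688 carries the command line only when "Include command line in process creation events" is enabled by policy (or Sysmon Event ID 1 is used instead), and a RAT that calls the Service Control Manager and firewall APIs directly leaves no sc.exe or netsh.exe command line at all, which is why the state-change events (7036, 5001, 4950/5025) are the rules to rely on rather than the command-line signatures.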

Multiple variants have been observed in the wild, including versions 2.1, 3.1, 4.0, 5.0, and more recently versions 6.0, 6.4, and 6.5, which incorporate ransomware capabilities and an extensive plugin ecosystem. This article focuses specifically on version 3.1 and its associated evolution across the broader XWorm ecosystem.

Newer versions include advanced obfuscation and sandbox detection techniques to avoid analysis in virtual environments.

The original version featured:

The release of v3.1 marked a crucial inflection point. It shifted the malware from a standard remote control utility into a highly effective tool for financial theft and detection avoidance. While threat actors have continued updating the code up to recent releases like XWorm v7.2 and v7.4, the core logic, execution APIs, and persistence mechanisms established in the v3.1 update remain foundational to understanding how this family functions.

Version 3.1 is known for its "effective simplicity" and broad feature set:

XWorm is a fully-featured remote access Trojan (RAT) first identified in 2022 that has rapidly evolved into one of the most formidable commodity malware threats in the current cyber threat landscape. Unlike traditional RATs that offer limited functionality, XWorm provides attackers with an extensive suite of capabilities including keylogging, remote desktop access, command execution, and data exfiltration, effectively granting full control over compromised systems. The malware operates as a modular RAT with MaaS (Malware-as-a-Service) characteristics, sold and shared within the cybercrime ecosystem.

Data exfiltration is a primary objective. XWorm v3.1 targets saved passwords stored in Google Chrome, Microsoft Edge, and Firefox, enabling attackers to harvest credentials en masse. Its credential theft capabilities extend to email clients, messaging applications, and various third-party software installed on infected systems.