XWorm
XWorm is a commodity Windows remote access trojan (RAT), also referred to as XWorm RAT. The sources summarized here describe it as a full-featured RAT used by financially motivated actors and delivered through numerous malware distribution ecosystems and campaigns. Reported capabilities include startup registration, autorun modification, scheduled task creation, persistence, system information collection, host reconnaissance, user activity monitoring, encrypted socket-based command-and-control (C2) communications, remote code or payload execution, download-and-execute, reflective .NET loading, shell execution, browser opening, hidden HTTP requests, screenshots, plugin management, system shutdown or restart, DDoS activity and, in some cases, anti-AMSI and anti-ETW functionality in associated loaders or shellcode stages.
Delivery vectors observed in the sources include phishing and tax-themed lures, malvertising, ClickFix fake CAPTCHA flows, trojanized GitHub repositories and builders, malicious npm packages, fake game sites promoted through hijacked Discord accounts, WebDAV/search-ms chains abusing TryCloudflare Tunnel infrastructure, Python-based loaders, APC injection, staged .NET loaders, steganographic payload concealment, and packed delivery via HeartCrypt. Specific examples include ChatGPT-themed ClickFix malvertising, Indian Income Tax Department impersonation via harivo[.]vip, Canada-targeted mshta delivery that bundled Lumma with XWorm, and the Astral Warfare campaign delivering XWorm from astralwarfare[.]fr and a malicious npm package.
The malware appears in multiple criminal ecosystems as either a primary or a secondary payload, including Amadey, PhantomVAI Loader, HeartCrypt-packed campaigns, TryCloudflare-based delivery clusters, and GitHub/distribution-as-a-service style operations. The sources also link XWorm distribution to actors or clusters such as TA558, NullBulge, and multiple unattributed financially motivated campaigns; attribution to a single actor is not supported because XWorm is broadly used commodity malware.
Reported targeting spans organizations and users globally, with explicit references to campaigns affecting India, Canada, Latin America, Switzerland, Ukraine, and broad global enterprise targets. Sectors and themes mentioned include finance, law, manufacturing, technology, hospitality, government, education, utilities, healthcare, and tax-related workflows.
High-confidence indicators and configuration details quoted directly in the sources include: C2 103[.]231[.]12[.]27:4444 in the India tax-themed campaign; XWorm-related indicators 66[.]63[.]168[.]133:7000 and weidmachane[.]zapto[.]org:7000 from an analyzed obfuscated cluster; and Astral Warfare XWorm configuration values including C2 host 185.94.29.43, port 7004, separator <Xwormmm>, group "XWorm V7.4", mutex ksUtjUa9iXc5wwbk, and USB name USB.exe. Additional associated infrastructure and artifacts mentioned include harivo[.]vip, astralwarfare[.]fr, promptcraft[.]online, and delivery from 185.147.125[.]174 in a Lumma-plus-XWorm chain. The sources also note a January 2025 report of a trojanized XWorm RAT builder distributed via GitHub that infected would-be users with an infostealer.
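To make the indicators above actionable, here is an added example (not code from this profile or from any of the reports it summarizes) that refangs the defanged C2 values quoted in this profile and matches them against constructed connection-log lines, separating exact host:port hits from known-bad hosts seen on an unexpected port. The log format, the private source addresses and the benign 203.0.113.5 destination are assumptions made for the example.

```python
import re

# XWorm network indicators quoted on this page, in their defanged form.
XWORM_IOCS = [
    "103[.]231[.]12[.]27:4444",        # India tax-themed campaign C2
    "66[.]63[.]168[.]133:7000",        # obfuscated cluster
    "weidmachane[.]zapto[.]org:7000",  # obfuscated cluster
    "185.94.29.43:7004",               # Astral Warfare configuration
]

def refang(ioc):
    """Turn 'a[.]b' style defanging back into a matchable value."""
    return ioc.replace("[.]", ".")

def parse_ioc(ioc):
    """Split a refanged host:port indicator into (host, port)."""
    host, _, port = refang(ioc).rpartition(":")
    return host.lower(), int(port)

# Constructed sample lines in an assumed "ts src dst port proto" format.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.15 103.231.12.27 4444 tcp
2025-03-01T10:00:02Z 10.0.0.15 203.0.113.5 443 tcp
2025-03-01T10:01:10Z 10.0.0.22 weidmachane.zapto.org 7000 tcp
2025-03-01T10:02:30Z 10.0.0.22 103.231.12.27 80 tcp
2025-03-01T10:03:00Z 10.0.0.31 185.94.29.43 7004 tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\S+)$")

def match_log(log_text, iocs=XWORM_IOCS):
    """Return (exact_hits, host_only_hits); each hit is (src, dst, port).

    Exact hits match a known C2 host:port pair; host-only hits are the same
    host on a different port, reported separately so they can be triaged."""
    exact = {parse_ioc(i) for i in iocs}
    hosts = {h for h, _ in exact}
    full_hits, host_hits = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        dst, port = m["dst"].lower(), int(m["port"])
        if (dst, port) in exact:
            full_hits.append((m["src"], dst, port))
        elif dst in hosts:
            host_hits.append((m["src"], dst, port))
    return full_hits, host_hits

if __name__ == "__main__":
    full, partial = match_log(SAMPLE_LOG)
    print("C2 matches:", full)
    print("host-only matches (triage):", partial)
```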
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories.
2025-12, FortiGuard: multi-themed phishing abusing Equation Editor CVE-2018-0802 → XWorm RAT (XClient variant) process-hollowed into Caspol.exe → C2: alzap.ddns.com.br on a Brazilian Telefonica residential IP
2026-03-24, CVE-2017-11882, invoice-themed lure (1014578922 INV_PL SWB Specimen.xlam): A Turkish-origin threat actor operating under the GitHub alias flexhere687-art ... is conducting an active XWorm V6.0 campaign using a multi-layered delivery chain.
Tearing apart a .NET crypter to extract dual XWorm RAT payloads, then decompiling the RAT to find a UEFI bootkit with BlackLotus DBX bypass, an r77 rootkit, driver infection, CVE-2026-20817 zero-day UAC bypass, and D/Invoke API evasion.
Google also observed financially motivated actors exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT...
Groups observed using it
12 distinct threat actors attributed by public researchers.
While the actor favors VenomRAT, TA558 also distributes other commodity malware including njRAT, Remcos RAT, and recently XWorm and PDQ Connect.
The group’s other campaigns resulted in the distribution of more malware, including Async RAT and XWorm.
Like similar Storm-0900 activity, this campaign led to XWorm, a popular modular malware used by many threat actors for remote access, deployment of other malware, and data theft. XWorm uses plugins that threat actors can use to perform various tasks on compromised devices. These plugins have evolved over the years. While we have not observed it being used in attacks, the latest XWorm version includes a plugin for encrypting files, giving the malware ransomware capability.
The terminal payload is typically XWorm or AsyncRAT, both commodity RATs sold through underground forums as Malware-as-a-Service.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
T1189 Drive-by Compromise (Initial Access): ZIP archive with malware delivered via fake portal
Execution (7 techniques)
The DLL carries full RAT capabilities, including startup registration, scheduled task creation, system information collection, user activity monitoring, and encrypted communication back to the attacker.
T1053.005 Scheduled Task (Persistence): scheduled-task persistence functionality
T1059 Command and Scripting Interpreter (Execution): reflection-based .NET dynamic execution
The Lua files contain base64-encoded PowerShell that, when decoded, downloads and executes the Async RAT sample (via Invoke-WebRequest).
Cofense documented a Python-based loader deploying XWorm RAT using APC injection from obfuscated Python code. The attack chain used Python’s ctypes library to call native Windows APIs directly.
Bumblebee’s injection module ( dij command for DLL Injection) dynamically resolves NtQueueApcThread at runtime and uses it to inject a payload DLL... While the static import of NtQueueApcThread is flagged by multiple scanners, a runtime GetProcAddress lookup on ntdll.dll is invisible to import-table analysis.
Persistence (5 techniques)
After deobfuscation, Tax_Assessment.exe was observed hiding its console window and modifying user registry settings.
Privilege Escalation (6 techniques)
Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.
Hence APC injection was formed as a technique: they’d find a process with a thread in an alertable wait, get a handle to it, call VirtualAllocEx and WriteProcessMemory to plant shellcode, and then call QueueUserAPC pointed at the shellcode; the thread would eventually wake up and execute the shellcode.
Stealth (12 techniques)
HeartCrypt was originally discovered through underground forums... it has been used to pack over 2,000 malicious payloads... The packed payload was consistently added as a resource to a legitimate binary... Each resource embedded in the binary contains PIC disguised as a bitmap (BMP) image file. This begins with a standard BMP header followed by a repeating hexadecimal pattern for padding.
T1036 Masquerading (Stealth): deceptive filenames/metadata impersonating tax documents
The binary uses misleading identification details, such as “Runtime Service Host” and “Microsoft Corporation,” to blend with trusted Windows components, potentially reducing suspicion and increasing the chance of bypassing security detections.
The “malware” is Python bytecode that decrypts its payload at runtime, making static analysis and YARA signatures far less effective.
T1218 System Binary Proxy Execution (Execution): mounted disk image (Tax_Assessment.img) stages execution
The trick relies on a Base64-encoded PowerShell or mshta command being injected silently into the user's clipboard... This script then fetched the ClickFix lure and executed mshta via check.foquh[.]icu.
T1497.001 Virtualization/Sandbox Evasion (Discovery): anti-analysis checks before execution
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (4 techniques)
T1033 System Owner/User Discovery (Discovery): user info collection during reconnaissance
Functions such as ... GetWindowsVersion ... support host reconnaissance.
Collection (2 techniques)
Command and Control (5 techniques)
The malware communicates with a hardcoded command-and-control server at 103.231.12.27 over port 4444.
T1071.001 Application Layer Protocol: Web Protocols (Command and Control): C2 via application-layer web communications
T1105 Ingress Tool Transfer (Command and Control): dynamic payload loading/execution
IOCs tracked for this family
318 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
195 sources tracked across advisories, community write-ups, and news.
A malware payload co-delivered alongside Lumma in a Canada-targeted ClickFix campaign.
A remote access trojan used to provide persistent remote control, surveillance, data theft, system reconnaissance, scheduled task creation, startup persistence, and encrypted command-and-control communications.
XWorm is mentioned as a payload distributed by a large botnet cluster within the Amadey ecosystem.
Remote access malware observed as one of several interchangeable payloads delivered by the same infrastructure.