The XWorm 3.1 Infection Lifecycle
[Phishing / Exploit (Follina)] ➔ [Obfuscated .NET Loader] ➔ [Process Hollowing (RegSvcs.exe)] ➔ [XWorm 3.1 Core RAT Engine]

Capable of harvesting sensitive data, including credit card information, Chromium cookies, Discord authentication tokens, FileZilla credentials, browser history, WiFi passwords, MetaMask cryptocurrency wallet data, and Telegram session data. This plugin makes XWorm a formidable infostealer, capable of compromising a victim's entire digital identity.

The malware actively attempts to disable Windows security features. It can patch the AmsiScanBuffer() function in memory to bypass the Antimalware Scan Interface (AMSI) and deactivate Event Tracing for Windows (ETW) by targeting EtwEventWrite(), effectively hiding its activity from security logs. It also modifies Microsoft Defender settings, adding its own file paths and processes to exclusion lists to prevent scanning.

As Malwarebytes notes, while the RAT itself may be removable, operators often install additional malware and make system configuration changes that warrant a complete reinstallation.

Deceptive emails with infected attachments (.exe, .scr, .zip, .rar) or links to malicious GitHub repositories.

The malware connects to C2 servers over direct TCP connections, often using dynamic DNS domains to maintain flexibility and evade takedown efforts. For example, one XWorm 3.1 sample was observed communicating with david1234.duckdns.org on port 7000. Additional IOCs include domains like kribyrisk.com and IP addresses on non-standard ports.

A convolutional-recurrent neural network (CRNN) processes time-series flow features (packet size, inter-arrival time, entropy). The model was trained on the CIC-IDS2017 dataset and subsequently fine-tuned on proprietary telemetry from participating organizations. The output is a worm-propensity score (0-100) that can be thresholded or fed into downstream SIEM correlation rules.

The secret key required for secure C2 network communication.

It creates a mutex to prevent multiple instances of the malware from running simultaneously on the same system.

Source: Malicious PDF delivering Xworm 3.1 payload - SonicWall

If you are looking to protect your organization or improve your cybersecurity posture, it is highly recommended to: Conduct regular .

Ensure all operating systems, web browsers, and third-party applications are promptly updated to patch known vulnerabilities.

This paper provides a comprehensive analysis of , a sophisticated iteration of the XWorm Remote Access Trojan (RAT). While earlier versions of XWorm were primarily distributed as cracked software or game cheats, version 3.1 represents a significant evolution in obfuscation techniques and modularity. This variant uses advanced anti-analysis techniques, including payload stub packing and process hollowing, to evade traditional antivirus solutions. The analysis covers the malware's infection chain, Command & Control (C2) communication protocols, and its capabilities, which range from information stealing to the deployment of secondary payloads such as ransomware.

and schedules a task (often named "Nafifas") to run every minute. It checks for installed antivirus products in the root\SecurityCenter2 WMI namespace.

Security researchers have noted that version 3.1 specifically targets endpoint detection and response (EDR) systems. It includes a "sleep obfuscation" feature: between commands, the malware sleeps for a random interval of 45 to 60 seconds, so that sandboxes which only monitor for 30 seconds never observe its activity.

It frequently uses XOR or AES encryption for its configuration files and communication, making signature-based detection difficult.

XWorm 3.1 is a sophisticated used by cybercriminals to gain unauthorized control over victim machines. It is often delivered via phishing campaigns using malicious PDFs or scripts that abuse legitimate Windows tools. The core features of XWorm 3.1 include:

System Control & Monitoring

A widespread campaign using the subject line "Facturas pendientes de pago" ("Outstanding Invoices") distributed XWorm through .xlam Office files. The attachments contained hidden shellcode that downloaded and executed the malware through reflective DLL injection.

Xworm 3.1 Jun 2026