win.xworm

XWorm

Malware with a wide range of capabilities, ranging from remote-access trojan (RAT) functionality to ransomware. The references below cover its multi-stage scripted loaders, its C&C communication, and its distribution through phishing e-mail, OneNote, PDF and open-directory campaigns.

References
2024-12-06 | Github (VenzoV) | VenzoV
  Shellcode Loader Delivering XWorm
  Tags: XWorm

2024-11-28 | Hunt.io | Hunt.io
  Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
  Tags: XWorm

2024-09-12 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
  [QuickNote] The Xworm malware is being spread through a phishing email
  Tags: XWorm

2024-07-26 | SecurityIntelligence | Golo Mühr, Joe Fasulo
  Hive0137 and AI-supplemented malware distribution
  Tags: WarmCookie, XWorm, Hive0137

2024-07-16 | Sentinel LABS | Jim Walter
  NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI
  Tags: AsyncRAT, LockBit, XWorm, Nullbulge

2024-05-14 | Check Point Research | Antonis Terefos, Tera0017
  Foxit PDF “Flawed Design” Exploitation
  Tags: Rafel RAT, Agent Tesla, AsyncRAT, DCRat, DONOT, Nanocore RAT, NjRAT, Pony, Remcos, Venom RAT, XWorm

2024-04-15 | Positive Technologies | Aleksandr Badaev, Kseniya Naumova
  SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
  Tags: LokiBot, 404 Keylogger, Agent Tesla, CloudEyE, Formbook, Remcos, XWorm

2024-03-27 | Twitter (@embee_research) | Embee_research
  Uncovering Malicious Infrastructure with DNS Pivoting
  Tags: LokiBot, XWorm

2024-03-11 | YouTube (Embee Research) | Embee_research
  Xworm Script Analysis and Deobfuscation
  Tags: XWorm

2024-02-22 | Medium b.magnezi | 0xMrMagnezi
  Malware Analysis - XWorm
  Tags: XWorm

2024-02-01 | YouTube (Embee Research) | Embee_research
  Xworm Malware Analysis - Unravelling Multi-stage Malware with CyberChef and DnSpy
  Tags: XWorm

2024-02-01 | Hunt.io | Hunt.io
  The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)
  Tags: XWorm

2023-11-21 | ANY.RUN | Igal Lytzki
  XWorm Malware: Exploring C&C Communication
  Tags: XWorm

2023-10-24 | CERT.PL | Jarosław Jedynak
  Malware stories: Deworming the XWorm
  Tags: XWorm

2023-09-08 | Gi7w0rm
  Uncovering DDGroup — A long-time threat actor
  Tags: AsyncRAT, Ave Maria, BitRAT, DBatLoader, NetWire RC, Quasar RAT, XWorm

2023-08-24 | ANY.RUN | Electron, glebyao, kinoshi
  XWorm: Technical Analysis of a New Malware Version
  Tags: XWorm

2023-08-23 | Twitter (@embee_research) | Embee_research, Huntress Labs
  Extracting Xworm from Bloated Golang Executable
  Tags: XWorm

2023-08-01 | Palo Alto Networks Unit 42 | Lior Rochberger
  NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts
  Tags: BitRAT, NodeStealer, XWorm

2023-05-12 | Securonix | Den Iyzvyk, Oleg Kolesnikov, Tim Peck
  Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads
  Tags: XWorm

2023-04-07 | Elastic | Salim Bitam
  Attack chain leads to XWORM and AGENTTESLA
  Tags: Agent Tesla, XWorm

2023-03-30 | loginsoft | Saharsh Agrawal
  From Innocence to Malice: The OneNote Malware Campaign Uncovered
  Tags: Agent Tesla, AsyncRAT, DOUBLEBACK, Emotet, Formbook, IcedID, NetWire RC, QakBot, Quasar RAT, RedLine Stealer, XWorm

2023-02-02 | YouTube (Embee Research) | Embee_research
  Xworm Loader Analysis - Decoding Malware Scripts and Extracting C2's with DnSpy and CyberChef
  Tags: XWorm

2022-08-19 | cyble | Cyble
  EvilCoder Project Selling Multiple Dangerous Tools Online
  Tags: XWorm
Yara Rules
[TLP:WHITE] win_xworm_w0 (20240730 | Detects win.xworm.)
rule win_xworm_w0 {

    meta:
        author = "jeFF0Falltrades"
        date = "2024-07-30"
        version = "1"
        description = "Detects win.xworm."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm"
        malpedia_rule_date = "20240730"
        malpedia_hash = ""
        malpedia_version = "20240730"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Family and component names (client, keylogger, chat module).
        // "wide ascii" matches both the raw ASCII bytes and the UTF-16LE form
        // that .NET string literals are stored in.
        $str_xworm = "xworm" wide ascii nocase
        $str_xwormmm = "Xwormmm" wide ascii
        $str_xclient = "XClient" wide ascii
        $str_xlogger = "XLogger" wide ascii
        $str_xchat = "Xchat" wide ascii
        // Default log file, schtasks persistence arguments (run every minute
        // with highest privileges), DDoS command names and a batch-file delay.
        $str_default_log = "\\Log.tmp" wide ascii
        $str_create_proc = "/create /f /RL HIGHEST /sc minute /mo 1 /t" wide ascii
        $str_ddos_start = "StartDDos" wide ascii
        $str_ddos_stop = "StopDDos" wide ascii
        $str_timeout = "timeout 3 > NUL" wide ascii
        // CIL opcode sequences. Metadata tokens are little-endian, so the
        // table byte follows three wildcard bytes: 7e = ldsfld <field 0x04>,
        // 28 = call <MethodDef 0x06>, 6f = callvirt.
        $byte_md5_hash = { 7e [3] 04 28 [3] 06 6f }
        // 72 = ldstr <UserString 0x70>, 80 = stsfld <field 0x04>: a string
        // literal stored into a static field, i.e. one hard-coded config value.
        $patt_config = { 72 [3] 70 80 [3] 04 }

    condition:
        // At least five distinct identifiers hit, and at least five
        // config-style string-to-static-field assignments in the image.
        5 of them and #patt_config >= 5
}
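To see how that condition actually evaluates, here is an added Python example; it is not Malpedia's or the rule author's code, and it does not use yara-python so that it runs stand-alone. It re-implements the rule's `wide ascii` string matching and its `[n]`-jump hex patterns as regular expressions over a constructed byte buffer. The buffer is a synthetic stand-in for a .NET image, not an XWorm sample: the field and user-string tokens in it are made up, and only the byte shapes the rule looks for are present. The point it shows is that `5 of them` counts distinct identifiers that matched, while `#patt_config >= 5` counts occurrences of one pattern.

```python
import re

# Strings and byte patterns from win_xworm_w0 (copied from the rule above).
# The boolean marks strings the rule declares `nocase`.
RULE_STRINGS = {
    "str_xworm": ("xworm", True),
    "str_xwormmm": ("Xwormmm", False),
    "str_xclient": ("XClient", False),
    "str_xlogger": ("XLogger", False),
    "str_xchat": ("Xchat", False),
    "str_default_log": ("\\Log.tmp", False),
    "str_create_proc": ("/create /f /RL HIGHEST /sc minute /mo 1 /t", False),
    "str_ddos_start": ("StartDDos", False),
    "str_ddos_stop": ("StopDDos", False),
    "str_timeout": ("timeout 3 > NUL", False),
}
RULE_HEX = {
    "byte_md5_hash": "7e [3] 04 28 [3] 06 6f",
    "patt_config": "72 [3] 70 80 [3] 04",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string with fixed [n] jumps into a bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)\]", tok)
        if jump:
            parts.append(b".{%d}" % int(jump.group(1)))   # n arbitrary bytes
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern_to_regex(s: str, nocase: bool) -> re.Pattern:
    """`wide ascii`: match either the raw ASCII bytes or the UTF-16LE form."""
    alternatives = re.escape(s.encode("ascii")) + b"|" + re.escape(s.encode("utf-16-le"))
    return re.compile(b"(?:" + alternatives + b")", re.IGNORECASE if nocase else 0)


def count_matches(data: bytes) -> dict:
    """Occurrences of each rule identifier (YARA's #identifier), non-overlapping."""
    counts = {}
    for name, (s, nocase) in RULE_STRINGS.items():
        counts[name] = len(text_pattern_to_regex(s, nocase).findall(data))
    for name, pattern in RULE_HEX.items():
        counts[name] = len(hex_pattern_to_regex(pattern).findall(data))
    return counts


def rule_matches(data: bytes) -> bool:
    """The rule's condition: `5 of them and #patt_config >= 5`.

    `5 of them` counts distinct identifiers that matched at least once;
    `#patt_config` counts occurrences of that single pattern."""
    counts = count_matches(data)
    identifiers_hit = sum(1 for c in counts.values() if c > 0)
    return identifiers_hit >= 5 and counts["patt_config"] >= 5


def build_sample(config_entries: int = 5) -> bytes:
    """Constructed stand-in for a .NET image: NOT XWorm bytes, tokens are made up."""
    # ldstr <0x70 user-string token> ; stsfld <0x04 field token>, the CIL shape of
    # a static config assignment. Tokens are little-endian, so the table byte
    # (0x70 / 0x04) sits fourth, which is exactly what `[3] 70` and `[3] 04` pin.
    config_init = b"".join(
        bytes([0x72, i, 0x00, 0x00, 0x70, 0x80, i, 0x00, 0x00, 0x04])
        for i in range(1, config_entries + 1)
    )
    strings = (
        "XClient".encode("utf-16-le") + b"\x00\x00"   # wide form of a literal
        + "XLogger".encode("utf-16-le") + b"\x00\x00"
        + b"Xwormmm\x00"                               # ascii; also hits $str_xworm (nocase)
        + b"StartDDos\x00StopDDos\x00"
        + "timeout 3 > NUL".encode("utf-16-le")
    )
    return b"MZ" + b"\x00" * 14 + config_init + strings


if __name__ == "__main__":
    for n in (5, 2):
        sample = build_sample(config_entries=n)
        print(n, "config entries:", count_matches(sample), "->", rule_matches(sample))
```

With five constructed `ldstr`/`stsfld` pairs the buffer matches; with the same component strings but only two such pairs it does not. That is what the `#patt_config` threshold buys: the names alone are weak evidence, while several string-to-static-field assignments in one image are the shape of a hard-coded config block. A real run of the rule against samples should still go through YARA itself, since this re-implementation ignores details such as overlapping matches.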