New variants of the XWorm remote access trojan (RAT) are being distributed in phishing campaigns after its original developer, known as XCoder, abandoned the project last year.

The latest versions, identified as XWorm 6.0, 6.4, and 6.5, have been adopted by multiple cybercriminal groups and now include plugin support that enables a wide range of malicious activities such as data theft, remote desktop control, and ransomware attacks.

XWorm first emerged in 2022 and quickly gained a reputation as powerful and flexible malware thanks to its modular architecture. It was primarily used to steal sensitive data, including passwords, crypto wallets, and financial information, as well as to launch distributed denial-of-service (DDoS) attacks and download other malware. After XCoder deleted their Telegram channels and disappeared, cracked versions of the malware began circulating among threat actors, leading to widespread use and further modification of the code.

Researchers at cybersecurity firm Trellix have observed a recent surge in XWorm activity, noting that since June, there has been a sharp increase in samples uploaded to VirusTotal. The infection methods have also evolved, with attackers now using phishing emails, malicious JavaScript and PowerShell scripts, and Excel-based (.XLAM) payloads that can bypass standard antivirus protections. In some cases, the malware disguises itself as legitimate applications such as Discord, combining social engineering tactics with advanced technical methods for greater success.

The latest XWorm variants feature over 35 plugins, expanding the malware’s capabilities beyond data theft to full ransomware operations. One of the modules, named Ransomware.dll, encrypts files in the victim’s Documents and user folders, adds a .ENC extension, and drops an HTML ransom note on the desktop containing payment instructions and a Bitcoin address. Researchers also found code similarities between XWorm’s ransomware module and the NoCry ransomware discovered in 2021, suggesting shared development roots or code reuse within the cybercriminal ecosystem.

Additional plugins give attackers control over the victim’s system, including modules for remote desktop access, file management, webcam recording, and information gathering from browsers, email clients, messaging apps, and crypto wallets. These features make XWorm a versatile and dangerous threat capable of both espionage and extortion.

Security experts recommend organizations adopt a multi-layered defense strategy combining endpoint detection and response (EDR) tools, email and web protection systems, and network monitoring to detect and block malicious communications. The rise of XWorm’s new versions highlights how abandoned malware projects can quickly evolve into powerful tools in the hands of cybercriminals, underscoring the need for constant vigilance and updated cybersecurity defenses.
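The ransomware module's footprint described above (files renamed with a .ENC extension under Documents, an HTML ransom note with payment instructions on the desktop) is concrete enough to turn into a simple host-side check of the kind the layered-defense recommendation calls for. The following is an added example written for this page, not Trellix's or XWorm's code; the 50% extension ratio, the note keywords and the constructed sample profile are assumptions for illustration.

```python
import tempfile
from pathlib import Path

# Indicators taken from the reporting: encrypted files gain a ".ENC" extension and
# an HTML ransom note mentioning a Bitcoin payment is dropped on the desktop.
# The threshold and keyword list below are assumptions for this example.
ENC_EXTENSION = ".enc"
NOTE_KEYWORDS = ("bitcoin", "decrypt", "ransom")
ENC_RATIO_THRESHOLD = 0.5  # share of files in Documents carrying .ENC


def ransom_note_candidates(desktop: Path) -> list:
    """Return HTML files on the desktop whose text mentions payment keywords."""
    hits = []
    for path in sorted(desktop.glob("*.htm*")):
        text = path.read_text(errors="ignore").lower()
        if any(word in text for word in NOTE_KEYWORDS):
            hits.append(path.name)
    return hits


def enc_ratio(folder: Path) -> float:
    """Fraction of regular files under folder whose extension is .ENC (any case)."""
    files = [p for p in folder.rglob("*") if p.is_file()]
    if not files:
        return 0.0
    return sum(p.suffix.lower() == ENC_EXTENSION for p in files) / len(files)


def assess_profile(user_home: Path) -> dict:
    """Combine both indicators; flag only when encryption AND a note are present."""
    ratio = enc_ratio(user_home / "Documents")
    notes = ransom_note_candidates(user_home / "Desktop")
    return {"enc_ratio": ratio, "ransom_notes": notes,
            "suspicious": ratio >= ENC_RATIO_THRESHOLD and bool(notes)}


def build_constructed_profile() -> Path:
    """Constructed sample user profile mimicking the post-encryption state described."""
    home = Path(tempfile.mkdtemp())
    (home / "Documents").mkdir()
    (home / "Desktop").mkdir()
    for name in ("report.docx.ENC", "budget.xlsx.ENC", "notes.txt.ENC", "readme.txt"):
        (home / "Documents" / name).write_bytes(b"\x00" * 16)
    (home / "Desktop" / "HOW_TO_RECOVER.html").write_text(
        "<html><body>Your files are encrypted. Send bitcoin to [placeholder]</body></html>")
    return home


if __name__ == "__main__":
    print(assess_profile(build_constructed_profile()))
```

In practice such a check would run from an EDR or scheduled task against real user profiles and raise an alert rather than print; a high .ENC ratio without a note, or a note without renamed files, is reported but not flagged, which keeps false positives from unrelated .ENC files low.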