All news with #xworm tag

Wed, October 15, 2025

PhantomVAI Loader Delivers Multiple Infostealers Worldwide

#Infostealer #AsyncRAT #FormBook #XWorm #Katz Stealer

🛡️The Unit 42 report details a multi-stage phishing campaign that leverages heavily obfuscated JavaScript/VBS and PowerShell to load a C# .NET loader named PhantomVAI, which hides DLL payloads inside image files via steganography. The loader's VAI routine performs virtual-machine detection, establishes persistence (scheduled tasks, wscript, Run keys) and retrieves payloads by process hollowing into legitimate host processes. Observed final payloads include Katz Stealer, AsyncRAT and FormBook. Palo Alto Networks' Advanced WildFire, Cortex XDR and XSIAM have updated protections and indicators of compromise.

Tue, October 7, 2025

XWorm 6.0 Returns with 35+ Plugins and Enhanced Theft

#Trellix #XWorm #Ransomware #Remote Access Trojan #Data Leak

🛡️ Trellix researchers detail the return of XWorm 6.0, a modular Windows malware now supporting more than 35 in‑memory DLL plugins and expanded data-theft and persistence capabilities. The actor associated with earlier releases, known as XCoder, is of uncertain status, but v6.0—advertised on forums in June 2025—appears to address a prior RCE flaw while enabling credential theft, keylogging, screen capture, and optional ransomware. Campaigns use phishing, malicious JavaScript, LNK-based PowerShell chains, and process injection to evade detection and execute plugins directly in memory.

Mon, October 6, 2025

XWorm Backdoor Returns with Ransomware and 35+ Plugins

#Ransomware #Backdoor Found #Data Exfil via Tools #XWorm

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.

Fri, September 12, 2025

Novel LOTL and File-Based Evasion Techniques Rising

#Threat Report #Living-Off-The-Land #Lumma Stealer #XWorm #Data Exfil via Tools

🔍The Q2 2025 HP Wolf Threat Insights Report describes how threat actors are increasingly chaining living‑off‑the‑land (LOTL) tools and abusing uncommon file types to evade detection. Attackers hide final payloads inside images or use tiny SVGs that mimic legitimate interfaces, then execute code via native Windows processes like MSBuild. These methods leverage trusted sites and native binaries to bypass filters and complicate incident response.