This sophisticated malware has evolved far beyond traditional RAT capabilities, incorporating advanced features including keylogging, remote desktop access, data exfiltration, and command execution that make it particularly attractive to threat actors seeking comprehensive system control. Unlike conventional malware that relies on fixed infection chains, XWorm leverages PowerShell scripts, VBS files, .NET executables, JavaScript, batch scripts, and even Office macros as initial attack vectors. The malware specifically targets the AmsiScanBuffer() function within the amsi.dll library, effectively disabling the Antimalware Scan Interface that allows security software to scan scripts and content in memory before execution. The threat research community has documented XWorm’s sophisticated evasion techniques, with Splunk researchers noting the malware’s ability to patch critical Windows security features. Recent campaigns have shown XWorm targeting organizations within the software supply chain and gaming industry, with attackers deploying both AsyncRAT and XWorm as initial-stage malware to establish persistent footholds. Analysis of over 1,000 XWorm samples from Malware Bazaar revealed recurring phishing themes centered around invoices, receipts, and delivery notifications designed to appear urgent and business-critical. This comprehensive approach to system manipulation represents a significant evolution in RAT capabilities, requiring equally sophisticated detection and mitigation strategies from security teams. The malware has demonstrated remarkable adaptability in its delivery mechanisms, employing a dynamic approach that cycles through multiple file formats and scripting languages to evade detection. The malware achieves persistence through multiple vectors, including registry run keys and scheduled tasks that reference VBS scripts and batch files dropped in the %appdata% directory. Splunk analysts identified that these operations often culminate in ransomware deployment using leaked LockBit Black builder tools, linking XWorm activities to broader ransomware ecosystems. Simultaneously, XWorm deploys a second evasion mechanism targeting Event Tracing for Windows (ETW) by patching the EtwEventWrite() function. The infection chain demonstrates remarkable sophistication in its use of process injection techniques, specifically targeting legitimate Windows processes including Taskmgr, explorer, and svchost. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. XWorm has emerged as one of the most versatile and actively distributed remote access trojans in the current threat landscape, establishing itself as a formidable tool in cybercriminals’ arsenals. XWorm’s most concerning capability lies in its multi-layered approach to evading Windows security mechanisms. The malware deploys specialized components that systematically disable key monitoring and detection systems through direct memory manipulation. XWorm injects shellcode into these processes while simultaneously hooking various Windows APIs to hide its presence and maintain stealth operations. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 05 Jul 2025 11:30:14 +0000