
XWorm is a feature-rich Remote Access Trojan (RAT) that has been actively used by cybercriminals since at least 2022. Widely distributed through underground forums and malware-as-a-service ecosystems, XWorm remains popular due to its ease of use, modular design, and extensive post-compromise capabilities. It supports credential theft, keylogging, webcam access, surveillance, DDoS operations, and even ransomware deployment through plugins.
This blog presents a technical analysis of an XWorm v7 campaign observed in the wild. The analysis covers the full infection lifecycle—from phishing-based initial access to in-memory execution, command-and-control (C2) communication, and the modular plugin framework—highlighting the techniques used to evade detection and maintain persistent access.
The XWorm v7 infection chain is a multi-stage process that minimizes on-disk artifacts by creating a legitimate Windows process in a suspended state and performing process hollowing to inject and execute the XWorm payload in memory.
The attack begins with a phishing email crafted to appear as a legitimate payment confirmation. The email prompts the recipient to verify order and shipping details, enticing them to open the attached ZIP archive named Swift_4200_19_01_2026.xxe.
Once extracted, the archive contains a malicious JavaScript file that serves as the initial loader when executed.

The extracted JavaScript file (Swift_4200_19_01_2026.js) establishes persistence by copying itself into the current user's Windows Startup directory (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`), which ensures it runs at every user logon.

The script dynamically constructs an obfuscated PowerShell command using string manipulation and Base64 decoding to evade static detection. PowerShell is launched with -NoProfile and -WindowStyle Hidden options and is executed via Windows Management Instrumentation (WMI), resulting in powershell.exe running as a child of WmiPrvSE.exe. This parent-child relationship is a deliberate defense-evasion technique aimed at reducing user visibility and bypassing basic behavioral monitoring.
A short execution delay is introduced to further evade sandbox-based analysis. The decoded PowerShell payload is reconstructed entirely in memory and used to download the next-stage components.
The PowerShell script downloads two external resources from attacker-controlled infrastructure:
A file named optimized_MSI_lpsd9p.jpg is retrieved from a public image-hosting service. This is not traditional steganography; instead, a Base64-encoded DLL payload is appended to the end of the JPEG file. The embedded data is delimited by custom markers: BaseStart- and -BaseEnd.

A text file (us.txt) is downloaded from a secondary URL. This file contains the Base64-encoded XWorm payload along with execution configuration data. The URL itself is also Base64-encoded within the PowerShell script.

After decoding, the configuration instructs the loader to download the payload, save it under `C:\Users\Public\Downloads\` with a dynamically generated filename, and prepare it for execution.
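As an added analysis example (not code from the original post), the following Python script pulls out the Base64 blob that the loader appends after the JPEG's end-of-image marker between the `BaseStart-` and `-BaseEnd` delimiters; the sample JPEG and the "DLL" bytes are constructed here, and the assumption that the blob may be wrapped with line breaks is ours.

```python
import base64
import re
from typing import Optional

# Delimiters the loader places around the Base64 blob appended to the JPEG.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"
JPEG_EOI = b"\xff\xd9"  # End-Of-Image marker; a well-formed JPEG ends here


def trailing_data_after_eoi(data: bytes) -> bytes:
    """Return the bytes after the last EOI marker, i.e. anything appended to the image."""
    idx = data.rfind(JPEG_EOI)  # rfind skips EOIs inside embedded EXIF thumbnails
    return b"" if idx == -1 else data[idx + len(JPEG_EOI):]


def extract_marked_payload(data: bytes) -> Optional[bytes]:
    """Decode the Base64 between BaseStart- and -BaseEnd; None if absent or not valid Base64."""
    tail = trailing_data_after_eoi(data)
    start = tail.find(START_MARKER)
    if start == -1:
        return None
    end = tail.find(END_MARKER, start + len(START_MARKER))
    if end == -1:
        return None
    # Assumption: the blob may be wrapped with line breaks, so strip whitespace first.
    blob = re.sub(rb"\s+", b"", tail[start + len(START_MARKER):end])
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def is_pe_image(payload: bytes) -> bool:
    """Quick triage: a DLL or EXE begins with the 'MZ' DOS header."""
    return payload[:2] == b"MZ"


# Constructed sample: a minimal JPEG skeleton with a fake 'DLL' appended the way the
# loader expects. The fake DLL is only an MZ header plus filler, not a real binary.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    + b"\r\nBaseStart-" + base64.b64encode(FAKE_DLL) + b"-BaseEnd\r\n"
)

if __name__ == "__main__":
    payload = extract_marked_payload(SAMPLE_JPEG)
    print("appended bytes:", len(trailing_data_after_eoi(SAMPLE_JPEG)),
          "| decoded:", None if payload is None else len(payload),
          "| PE header:", payload is not None and is_pe_image(payload))
```

On a real sample, read the downloaded image with `open(path, "rb").read()` and hash the decoded payload before comparing it with the DLL in the IOC table.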
To avoid writing a traditional executable to disk, the decoded DLL injects the XWorm payload into a newly spawned MSBuild.exe process using process hollowing. Because MSBuild.exe is a legitimate, trusted Windows binary, this lets the malware execute filelessly while evading detection.
Following successful execution, XWorm initializes its core components, extracts its configuration data, and establishes an encrypted TCP connection to its command-and-control (C2) server. At this stage, the RAT begins system profiling and surveillance and awaits operator instructions.
During startup, XWorm extracts its embedded configuration, which includes the malware version, C2 address, port number, and a shared secret key (SETTINGS.KEY). All C2 communication occurs over TCP and is encrypted using AES in ECB mode.
The encryption key is generated at runtime by computing the MD5 hash of SETTINGS.KEY. AES-ECB is cryptographically weak because it uses no initialization vector and identical plaintext blocks produce identical ciphertext blocks, but it is sufficient to evade casual inspection and basic signature-based network monitoring.

To ensure only a single instance runs on the victim system, XWorm creates a mutex named Ah95HVwxbUtq56pf. If the mutex already exists, execution is aborted.

XWorm installs a low-level keyboard hook using WH_KEYBOARD_LL, enabling it to capture keystrokes across all active applications. This allows the malware to harvest sensitive information such as usernames, passwords, and other typed data, which is cached locally for later exfiltration.

The `LastAct()` function runs as an infinite background routine within XWorm RAT.
The malware continuously monitors user activity through an internal routine that tracks keyboard and mouse idle time at one-second intervals. This enables the operator to determine when the system is active or idle, potentially allowing malicious actions to be timed to reduce the risk of user detection.

XWorm gathers extensive host information during its initial reconnaissance phase, including the operating system version, installed RAM, CPU and GPU details, whether the current user holds administrative rights, and the antivirus products enumerated via WMI (see the Discovery rows of the ATT&CK mapping below).
This intelligence allows the operator to assess the victim’s security posture and tailor follow-on actions accordingly.

XWorm exposes a comprehensive command set that enables full remote control of compromised systems. Key command categories referenced in this analysis include surveillance (screenshot and thumbnail capture via `$Cap`), denial of service (`StartDDos` / `StopDDos`), system control (shutdown, restart and logoff), and plugin management (`sendplugin`).

XWorm’s functionality is heavily extended through a modular plugin framework. When the C2 issues a plugin command, it includes the SHA-256 hash of the required plugin DLL. The client checks whether the plugin is already present; if not, it requests the plugin using a sendplugin command.
Upon receipt, the plugin is decoded and loaded directly into memory. XWorm then uses reflection to invoke specific exported methods, including:
This reflective loading mechanism allows operators to rapidly extend capabilities without redeploying the core malware, significantly complicating detection and remediation.
Observed plugins include:
The extracted data is concatenated into a string and sent to the C2 server along with a client ID, which is generated from ProcessorCount, UserName, MachineName and OSVersion.

Once the XWorm client successfully connects to the C2 server, all further communication is handled through a command-based protocol over TCP. The C2 server sends specific commands to the infected client, and the client responds using the same TCP channel.
To protect this communication, XWorm encrypts transmitted commands with AES in ECB mode. The key is not hardcoded; it is generated at runtime as the MD5 hash of the `SETTINGS.KEY` value extracted from the configuration data.
AES-ECB is weak from a cryptographic perspective: it uses no initialization vector, and identical plaintext blocks produce identical ciphertext blocks, which can reveal data patterns. Despite this weakness, the encryption is sufficient to evade basic signature-based network monitoring and casual inspection.
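The key derivation and AES-ECB handling described here and in the configuration section above, written out as an added analyst-side example (not XWorm's own code and not from the original post). It assumes the `cryptography` package, UTF-8 encoding of SETTINGS.KEY and PKCS7 padding, and uses a placeholder key string rather than one recovered from a sample; the last function shows why ECB leaks patterns on the wire.

```python
import hashlib
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def derive_key(settings_key: str) -> bytes:
    """XWorm's key derivation: the 16-byte MD5 digest of SETTINGS.KEY is used as the AES-128 key."""
    return hashlib.md5(settings_key.encode("utf-8")).digest()


def aes_ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """PKCS7-pad and encrypt with AES-ECB: no IV, every 16-byte block is encrypted independently."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(padded) + enc.finalize()


def aes_ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Recover a command from captured C2 traffic once SETTINGS.KEY is known from the config."""
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def repeated_blocks(ciphertext: bytes, block_size: int = 16) -> int:
    """Count duplicate ciphertext blocks. ECB maps equal plaintext blocks to equal ciphertext
    blocks, so repetition in captured traffic is a cheap heuristic for this kind of channel."""
    blocks = [ciphertext[i:i + block_size] for i in range(0, len(ciphertext), block_size)]
    return len(blocks) - len(set(blocks))


# Constructed values: a placeholder key string (not one recovered from a sample) and a
# plaintext made of three identical 16-byte blocks so the ECB leakage is visible.
PLACEHOLDER_SETTINGS_KEY = "<SETTINGS.KEY from config>"
KEY = derive_key(PLACEHOLDER_SETTINGS_KEY)
REPETITIVE_PLAINTEXT = b"A" * 48

if __name__ == "__main__":
    ct = aes_ecb_encrypt(KEY, REPETITIVE_PLAINTEXT)
    print("key bytes:", len(KEY), "| repeated ciphertext blocks:", repeated_blocks(ct),
          "| round trip ok:", aes_ecb_decrypt(KEY, ct) == REPETITIVE_PLAINTEXT)
```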

| Tactic | Technique ID | Technique Name | Observed Activity |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Attachment | Phishing email delivers a malicious ZIP file containing a JS (loader) |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript | Malicious JavaScript file used as the initial loader |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Obfuscated PowerShell executed in memory using `-NoProfile` and a hidden window |
| Execution | T1047 | Windows Management Instrumentation | PowerShell launched via WMI (`WmiPrvSE.exe`) |
| Persistence | T1547.001 | Boot or Logon Autostart: Registry Run Keys / Startup Folder | JS file copied to Windows Startup folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | PowerShell command built using string manipulation and Base64 decoding |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing | Payload injected into a suspended MSBuild.exe process and executed after memory replacement |
| Defense Evasion | T1070 | Indicator Removal | Payload executed without dropping a standard executable |
| Credential Access | T1056.001 | Input Capture: Keylogging | Low-level keyboard hook (`WH_KEYBOARD_LL`) used for keystroke logging |
| Discovery | T1082 | System Information Discovery | OS version, RAM, CPU, GPU, admin rights collected |
| Discovery | T1518.001 | Software Discovery: Security Software | Antivirus products enumerated via WMI |
| Discovery | T1124 | System Time Discovery | User activity and idle time monitored |
| Collection | T1113 | Screen Capture | Screenshot and thumbnail capture via `$Cap` command |
| Command and Control | T1071 | Application Layer Protocol | C2 communication over TCP |
| Command and Control | T1573 | Encrypted Channel | C2 traffic encrypted using the MD5 hash of `SETTINGS.KEY` |
| Command and Control | T1105 | Ingress Tool Transfer | Plugins and payloads downloaded from C2 |
| Impact | T1499 | Endpoint Denial of Service | DDoS commands supported (`StartDDos`, `StopDDos`) |
| Impact | T1529 | System Shutdown/Reboot | System shutdown, restart, and logoff commands |
| SHA-256 | File name |
|---|---|
| de7d74d374a4422c5084280ff71f7942d61f35c271df7d5af01bdd756d0f630b | Swift_4200_19_01_2026.js |
| 3f4c3c16f63fb90d1fd64b031d8a9803035f3cb18332e198850896881fb42fe5 | optimized_MSI_lpsd9p.jpg |
| c3bfedae725f159691c203d1f0cdbb9a5cf42777e3d681f923e83e1d1bc74c0f | us.txt |
| 4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4 | Microsoft.Win32.TaskScheduler.dll |
| eacd8e95ead3ffe2c225768ef6f85672c4bfdf61655ed697b97f598203ef2cf6 | XWormClient.exe |

| URLs |
|---|
| hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg |
| hxxps://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/us.txt |

| C2 Server |
|---|
| 158[.]94[.]209[.]180 |
Gurucul’s Unified Security and Risk Analytics platform provides multiple layers of detection and response capabilities that are well-aligned to the techniques leveraged by XWorm v7. By combining behavior-based analytics, UEBA, and advanced threat detection, Gurucul enables security teams to identify early-stage intrusion activity and post-compromise behaviors through correlated endpoint, identity, and network analytics that traditional signature-based controls often miss.
XWorm relies heavily on abnormal process relationships, user behavior anomalies, and misuse of legitimate system utilities. Gurucul UEBA continuously baselines normal user and host behavior and can detect:
These behaviors generate risk signals that are aggregated into a contextual risk score, allowing analysts to prioritize investigation of high-risk entities.
Gurucul threat models aligned with the MITRE ATT&CK framework can directly map XWorm techniques such as Phishing Attachment (T1566.001), Signed Binary Proxy Execution (T1218.005), Keylogging (T1056.001), and Encrypted C2 Channels (T1573). This alignment enables security teams to quickly understand attacker intent and identify gaps across the attack lifecycle.
XWorm’s abuse of trusted Windows binaries such as PowerShell, WMI, and MSBuild is a classic living-off-the-land (LOLBins) technique. Gurucul correlates command-line telemetry, process execution context, and network behavior to detect misuse of these binaries, even when no malicious executable is dropped on disk.
Even though XWorm encrypts its C2 traffic, Gurucul can identify suspicious outbound connections through:
These signals help surface covert C2 channels that evade traditional network security tools.
Rather than generating isolated alerts, Gurucul aggregates multiple weak signals—process anomalies, persistence behaviors, credential access activity, and data exfiltration—into a single risk-based alert. This reduces alert fatigue and provides analysts with clear, actionable context for rapid investigation and response.
By leveraging behavior-driven analytics and continuous risk scoring, Gurucul enables customers to detect, investigate, and respond to sophisticated RAT activity such as XWorm v7 early in the attack chain, significantly reducing dwell time and potential impact.
XWorm v7 demonstrates how modern commodity RATs continue to evolve by combining social engineering, living-off-the-land binaries, fileless execution, and modular plugin-based architectures. Despite relying on relatively simple cryptography, its operational tradecraft is sufficient to evade many traditional defenses.
Defenders should closely monitor anomalous parent-child process relationships (such as WMI-spawned PowerShell), abuse of MSBuild, and network connections originating from trusted Windows utilities. The continued prevalence of XWorm underscores the importance of layered detection strategies that go beyond signature-based controls.
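A defender-side illustration of the monitoring recommended above (WMI-spawned PowerShell, MSBuild network connections, and the Startup-folder persistence described earlier), added here as an example that is not part of the original post. It scores constructed Sysmon-style events and assumes the field names, signal weights and internal-address list shown; the destination address is a TEST-NET value, not the C2 from the IOC table.

```python
from typing import Dict, List, Tuple

STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")
INTERNAL_PREFIXES = ("10.", "192.168.", "127.", "172.16.")  # assumed internal ranges
Event = Dict[str, str]  # flat record: kind, host, image, plus parent/cmdline, dest_ip or path

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: Event) -> List[Tuple[str, int]]:
    """Return (signal, weight) pairs for the three XWorm behaviours described in the post."""
    hits, image, cl = [], _basename(ev.get("image", "")), ev.get("cmdline", "").lower()
    if ev["kind"] == "process" and image == "powershell.exe" and _basename(ev.get("parent", "")) == "wmiprvse.exe":
        # A hidden window and -NoProfile (matched by its -nop prefix) raise the weight.
        hits.append(("wmi_spawned_powershell", 40 + 20 * ("hidden" in cl) + 10 * ("-nop" in cl)))
    if ev["kind"] == "network" and image == "msbuild.exe" and not ev.get("dest_ip", "").startswith(INTERNAL_PREFIXES):
        hits.append(("msbuild_outbound_connection", 50))
    path = ev.get("path", "").lower()
    if ev["kind"] == "file" and STARTUP_DIR in path and path.endswith(SCRIPT_EXTS):
        hits.append(("script_written_to_startup", 30))
    return hits

def score_hosts(events: List[Event]) -> Dict[str, dict]:
    """Aggregate each host's weak signals into one risk score instead of one alert per hit."""
    hosts: Dict[str, dict] = {}
    for ev in events:
        for name, weight in score_event(ev):
            entry = hosts.setdefault(ev["host"], {"score": 0, "signals": []})
            entry["score"] += weight
            entry["signals"].append(name)
    return hosts

# Constructed sample telemetry (TEST-NET address, not a real C2). WS-01 shows the chain;
# WS-02 is an administrator starting PowerShell from Explorer, which must not score.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"kind": "file", "host": "WS-01", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_4200_19_01_2026.js"},
    {"kind": "process", "host": "WS-01", "image": PS, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64>"},
    {"kind": "network", "host": "WS-01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_ip": "203.0.113.5"},
    {"kind": "process", "host": "WS-02", "image": PS, "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result)
```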
Contributors:
Pandurang Terkar

Rudra Pratap
