Xworm’s evolving infection chain: from predictable to deceptive

Intel Name: Xworm’s evolving infection chain: from predictable to deceptive

Date of Scan: September 4, 2025

Impact: Medium

Summary:
The XWorm backdoor campaign has shifted from predictable delivery to more deceptive, multi-stage techniques. Initial access still relies on phishing emails and .lnk shortcut files, but the malicious executables are now disguised with legitimate-looking names such as ‘discord.exe’. The chain uses PowerShell commands to drop and execute hidden payloads, culminating in the deployment of XWorm via a file named ‘system32.exe’. By pairing social engineering with these technical evasion steps, the campaign improves both stealth and persistence.
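The summary describes a chain that a process-creation feed can surface at two points: PowerShell launched from a shortcut with window-hiding or encoded arguments, and a payload running under a borrowed file name outside the place the real product lives. The following triage script is an added example, not code from the page or from the campaign. Its event records are a constructed, Sysmon-like simplification, and the expected Discord install path, the PowerShell flags treated as suspicious, and the sample paths are assumptions chosen for illustration.

```python
"""Triage process-creation events for the chain described above:
.lnk -> PowerShell -> payload disguised as 'discord.exe' / 'system32.exe'.

Added example, not the page's code. Events are a constructed Sysmon-like
simplification; expected paths and suspicious flags are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    rule: str
    event: ProcessEvent


# Assumption: Discord installs under %LOCALAPPDATA%\Discord\app-<version>\.
# Nothing legitimate is named system32.exe, so every occurrence is a hit.
EXPECTED_PATH_FRAGMENTS = {
    "discord.exe": [r"\appdata\local\discord\app-"],
    "system32.exe": [],
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_masquerade(ev: ProcessEvent) -> Finding | None:
    """Flag a watched file name running outside its expected location."""
    name = basename(ev.image)
    if name not in EXPECTED_PATH_FRAGMENTS:
        return None
    if any(frag in ev.image.lower() for frag in EXPECTED_PATH_FRAGMENTS[name]):
        return None
    return Finding(f"masquerade:{name}", ev)


def suspicious_powershell_args(cmd: str) -> set[str]:
    """Evasion-style options present on a PowerShell command line.
    Covers common abbreviations (PowerShell accepts any unambiguous prefix)."""
    toks = cmd.lower().split()
    found: set[str] = set()
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok in ("-w", "-win", "-windowstyle") and nxt == "hidden":
            found.add("hidden-window")
        if tok in ("-e", "-ec", "-enc", "-encodedcommand"):
            found.add("encoded-command")
        if tok in ("-nop", "-noprofile"):
            found.add("no-profile")
        if tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            found.add("ep-bypass")
    return found


def check_lnk_powershell(ev: ProcessEvent) -> Finding | None:
    """A double-clicked .lnk runs its target as a child of explorer.exe;
    PowerShell started that way with a hidden window or an encoded command
    is the shape the shortcut stage takes."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if basename(ev.parent_image) != "explorer.exe":
        return None
    if suspicious_powershell_args(ev.command_line) & {"hidden-window", "encoded-command"}:
        return Finding("lnk-style-powershell", ev)
    return None


def triage(events: list[ProcessEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        for check in (check_lnk_powershell, check_masquerade):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed telemetry: the three chain stages, a benign Discord launch,
# and an interactive PowerShell that must not fire. Paths are hypothetical.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, r'powershell.exe -w hidden -nop -ep bypass -c "Start-Process $env:APPDATA\Updates\discord.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\victim\AppData\Roaming\Updates\discord.exe", "discord.exe", PS),
    ProcessEvent(r"C:\Users\victim\AppData\Roaming\Updates\system32.exe", "system32.exe",
                 r"C:\Users\victim\AppData\Roaming\Updates\discord.exe"),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Discord\app-1.0.9000\Discord.exe", "Discord.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(PS, "powershell.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.event.image}")
```

Run against the sample events, the script reports the hidden PowerShell launch and both disguised executables while staying silent on the genuine Discord install and the interactive shell. The masquerade check is deliberately path-based rather than hash-based, since the whole point of the renaming is that the file does not match any known-good binary.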
