XWorm 3.1

The malware connects to C2 servers over direct TCP connections, often using dynamic DNS domains to maintain flexibility and evade takedown efforts. For example, one XWorm 3.1 sample was observed communicating with david1234.duckdns.org on port 7000. Additional IOCs include domains like kribyrisk.com and IP addresses on non-standard ports.
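The traits in the paragraph above (dynamic DNS hostnames, non-standard ports, bare IP destinations, and the two named indicators) can be turned into a scoring rule over connection telemetry. The Python below is an added example, not code from the original report or from any XWorm analysis tooling. The only values taken from the report are david1234.duckdns.org on port 7000 and kribyrisk.com; the dynamic DNS suffix list, the set of expected ports, the weights, the threshold and the sample connection records are constructed assumptions.

```python
"""Score outbound connections against the C2 traits described in the report.

Added example, not code from the report. The indicator hosts come from the
report; every other list below is a constructed assumption."""
import ipaddress
from typing import Dict, List, Tuple

# Indicators named in the report.
KNOWN_C2_HOSTS = {"david1234.duckdns.org", "kribyrisk.com"}

# Assumption: an abbreviated list of free dynamic DNS providers.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "dyndns.org")

# Assumption: ports this host is expected to talk to; anything else is "non-standard".
EXPECTED_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}

# Assumption: path fragments that mark a process running from a user-writable location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")

WEIGHTS = {
    "known_c2_indicator": 10,          # a named IOC alerts on its own
    "dynamic_dns_host": 3,             # common for RAT C2, but also for home servers
    "bare_ip_destination": 2,
    "non_standard_port": 2,
    "process_in_user_writable_dir": 2,
}
ALERT_THRESHOLD = 4  # dynamic DNS alone (3) stays below it; two weaker traits together alert

Connection = Tuple[str, str, int]  # (process image path, destination host, destination port)


def is_dynamic_dns(host: str) -> bool:
    """True when host is a provider domain or a subdomain of one (not a lookalike)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def is_bare_ip(host: str) -> bool:
    """True when the destination is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_connection(image: str, host: str, port: int) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a single connection record."""
    h = host.lower().rstrip(".")
    reasons = []
    if h in KNOWN_C2_HOSTS:
        reasons.append("known_c2_indicator")
    if is_dynamic_dns(h):
        reasons.append("dynamic_dns_host")
    if is_bare_ip(h):
        reasons.append("bare_ip_destination")
    if port not in EXPECTED_PORTS:
        reasons.append("non_standard_port")
    if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("process_in_user_writable_dir")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(connections: List[Connection]) -> Dict[int, Tuple[int, List[str]]]:
    """Map the index of each alerting connection to its (score, reasons)."""
    alerts = {}
    for i, (image, host, port) in enumerate(connections):
        score, reasons = score_connection(image, host, port)
        if score >= ALERT_THRESHOLD:
            alerts[i] = (score, reasons)
    return alerts


# Constructed sample records (Sysmon Event ID 3 style), not real telemetry.
SAMPLE_CONNECTIONS: List[Connection] = [
    (r"C:\Users\alice\AppData\Roaming\svchost.exe", "david1234.duckdns.org", 7000),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.example.com", 443),
    (r"C:\Windows\System32\svchost.exe", "login.microsoftonline.com", 443),
    (r"C:\Users\alice\AppData\Local\Temp\update.exe", "kribyrisk.com", 8443),
    (r"C:\Users\bob\AppData\Roaming\payload.exe", "203.0.113.10", 4444),
    (r"C:\Program Files\Vendor\updater.exe", "myhome.ddns.net", 443),
]

if __name__ == "__main__":
    for idx, (score, reasons) in triage(SAMPLE_CONNECTIONS).items():
        image, host, port = SAMPLE_CONNECTIONS[idx]
        print(f"ALERT score={score} {image} -> {host}:{port} {reasons}")
```

Note the suffix check in is_dynamic_dns: a plain substring or endswith test would also match lookalikes such as notduckdns.org, so the hostname must equal the provider domain or end in a dot followed by it. The last sample record (a vendor updater talking to a ddns.net host on 443) scores 3 and is deliberately left below the threshold: dynamic DNS by itself is weak evidence, and the report's own indicators are what lift the first and fourth records to an alert.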

XWorm drops a self-copy in the %AppData% folder named svchost.exe, mimicking a legitimate Windows system process to blend in with normal system activity. The genuine svchost.exe runs only from %SystemRoot%\System32 (and SysWOW64 for the 32-bit copy), so the path rather than the name is what distinguishes the planted copy.

Anatomy of a Cyber Threat: Deep Dive into the XWorm 3.1 RAT

Remote Access Trojans (RATs) remain one of the most pervasive and dangerous threats in the modern threat landscape. Among the many tools used by threat actors, XWorm 3.1 has garnered significant attention in cybersecurity circles. Operating as a sophisticated, multi-functional RAT, it gives cybercriminals extensive remote control over compromised systems.

XWorm logs all keystrokes, enabling the theft of passwords, private messages, and other sensitive credentials.

3. Data Theft and Exfiltration

Once the connection is established, XWorm sends system information to the C2 server and awaits commands. The server responds using HTTP GET requests, enabling the attacker to issue real-time instructions.

The file name the copy takes during worm-like propagation to removable media (e.g., USB.exe).

The Infection Chain: From Phishing to Execution

Loaders such as GuLoader or custom PowerShell scripts decrypt the XWorm payload and inject it directly into memory by process hollowing.

2. Evasion and Anti-Analysis

Keylogging: Silently records all keystrokes to steal passwords, financial information, and personal messages.

Before executing its primary malicious functions, XWorm 3.1 is known to run routines explicitly designed to disable local security protections. Analysis of samples shows the malware attempting to cripple Windows Defender, tampering with real-time monitoring and cloud-based protection to evade immediate detection.

2. Remote Desktop and Surveillance

XWorm remains a persistent and evolving threat in 2026, showing no signs of slowing down. It is actively distributed in large-scale phishing campaigns, with multiple variants continuing to circulate.

XWorm is a malicious remote access trojan written in .NET (C#). Version 3.1 is one of the publicly released builds, offering a range of invasive functionalities to an attacker controlling a command-and-control (C2) server.

📂 The XWorm 3.1 Infection Lifecycle

[Phishing / Exploit (Follina, CVE-2022-30190)] ➔ [Obfuscated .NET Loader] ➔ [Process Hollowing (RegSvcs.exe)] ➔ [XWorm 3.1 Core RAT Engine]

Once executed (typically as svchost.exe or a randomly named process in %AppData%), the payload decrypts its embedded configuration and begins beaconing.
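Two of the host-side behaviours described on this page, the svchost.exe copy running from %AppData% and the routines that disable Windows Defender real-time and cloud protection, are both visible in process-creation telemetry. The Python below is an added example, not code from the report or from XWorm, that triages constructed Sysmon-style events for both. The Set-MpPreference and Add-MpPreference parameters and the Defender policy registry values it matches are real Defender settings, but the page does not say which of them XWorm uses, so they are assumed indicators rather than observed XWorm behaviour; the event records are constructed.

```python
"""Triage process-creation events for two behaviours described on this page:
a system-process name running outside the Windows system directories (the
svchost.exe copy under %AppData%) and command lines that disable Windows
Defender real-time or cloud protection.

Added example, not code from the report or from XWorm. The event layout is a
Sysmon Event ID 1 subset; the tampering patterns are real Defender settings, but
it is an assumption that XWorm uses these particular ones."""
import re
from typing import Dict, List, Optional

# Process names that legitimately run only from the Windows system directories.
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "smss.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed Defender-tampering indicators (generic, not taken from an XWorm sample).
DEFENDER_TAMPER_RULES = [
    # -Disable<Feature> $true covers RealtimeMonitoring, BehaviorMonitoring, IOAVProtection, ...
    # The value is required so that "-DisableRealtimeMonitoring $false" (re-enabling) does not fire.
    ("defender_feature_disabled",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I)),
    # Cloud-delivered protection (MAPS) switched off.
    ("defender_cloud_off",
     re.compile(r"Set-MpPreference\b.*-MAPSReporting\s+(Disabled|0)\b", re.I)),
    ("defender_sample_submission_off",
     re.compile(r"Set-MpPreference\b.*-SubmitSamplesConsent\s+(NeverSend|2)\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    # Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
    ("defender_policy_registry",
     re.compile(r"Windows Defender.*\b(DisableAntiSpyware|DisableRealtimeMonitoring)\b", re.I)),
]


def masquerade_alert(image: str) -> Optional[str]:
    """Flag a system-only process name whose image path is outside System32/SysWOW64."""
    lowered = image.lower()
    name = lowered.rsplit("\\", 1)[-1]
    if name in SYSTEM_ONLY_NAMES and not lowered.startswith(LEGIT_SYSTEM_DIRS):
        return "system_name_outside_system_dir"
    return None


def defender_alerts(command_line: str) -> List[str]:
    """Return the names of every Defender-tampering rule the command line matches."""
    return [name for name, rx in DEFENDER_TAMPER_RULES if rx.search(command_line)]


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each event that tripped a rule to the list of rule names."""
    findings = {}
    for i, ev in enumerate(events):
        hits = []
        masq = masquerade_alert(ev.get("Image", ""))
        if masq:
            hits.append(masq)
        hits.extend(defender_alerts(ev.get("CommandLine", "")))
        if hits:
            findings[i] = hits
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden Set-MpPreference -DisableRealtimeMonitoring $true "
                    "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $false",  # admin re-enabling
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']} -> {rules}")
```

The masquerade check deliberately keys on the image path and not on the parent process: the legitimate svchost.exe is always a child of services.exe, but a parent-only rule would miss the case where the planted copy is spawned by the hollowed RegSvcs.exe host shown in the infection chain above. The Defender rules require the disabling value (`$true`, `Disabled`, `NeverSend`) so that an administrator turning protection back on does not generate the same alert.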