New XWorm V6 Variant Embeds Malicious Code into Trusted Windows Applications


In the constantly evolving world of cyber threats, staying informed is not just an advantage; it’s a necessity. First observed in 2022, XWorm quickly gained notoriety as a highly effective malware, providing cybercriminals with a versatile toolkit for malicious activities.

XWorm’s modular design is built around a core client and an array of specialized components known as plugins. These plugins are essentially additional payloads designed to carry out specific harmful actions once the core malware is active.

This modularity allows attackers to use XWorm’s capabilities for various objectives, ranging from data theft and system control to persistent surveillance.

Understanding these plugins is crucial for both cybersecurity professionals safeguarding their organizations and customers of cybersecurity products seeking to enhance their protection against such prevalent threats.

Post made on hackforums[.]net.

Trellix ARC has been closely observing XWorm’s evolution, including its recent resurgence. In this blog, we’ll go beyond the surface to explore a campaign deploying XWorm V6.0 and, more importantly, dissect the key plugins and additional payloads, including a script for persistence.

From Abandonment to Chaos

XWorm’s development, led by “XCoder,” saw regular updates shared via Telegram. During late 2024, after the release of XWorm V5.6, XCoder deleted their account, ending official support and leaving V5.6 as the presumed final version.

In the aftermath, threat actors distributed cracked V5.6 builders laced with trojans that infected unwitting operators. Reports by CloudSEK and DMPdump detail trojanized builders and modified distributions, while a Chinese-language offshoot named XSPY emerged.

An additional blow came from the disclosure of a critical remote code execution vulnerability in V5.6, enabling attackers with the C2 encryption key to execute arbitrary code—an exploit verified in labs.

Believing XWorm dead, many professionals turned attention elsewhere, but malware retirement is seldom permanent.

On June 4, 2025, hackforums.net saw a post from “XCoderTools” announcing XWorm V6.0, claiming fixes for the RCE flaw and other enhancements.

Skepticism ran high: Was XCoderTools the true author or an opportunist riding XWorm’s reputation? Two Telegram channels—one for updates, one for discussion—surfaced but were repeatedly banned, driving operators to mirror on Signal.

Newly created Telegram group and post announcing updates

Community videos showcase new features, yet the legitimacy of V6.0 remains under scrutiny. Since its release, VirusTotal detections of XWorm V6.0 have surged, underscoring rapid threat actor adoption.

Infection Chain and Plugin Arsenal

A prominent V6.0 campaign begins with a malicious JavaScript file that downloads and executes a PowerShell script while displaying a benign PDF decoy.

Infection chain of XWorm V6.0.

The PowerShell component disables AMSI to avoid detection, fetches the XWorm client and a DLL injector, and prepares them for stealthy deployment.

The injector embeds XWorm’s code into legitimate Windows programs like RegSvcs.exe, enabling covert execution.

Once active, the client connects to C2 at 94[.]159[.]113[.]64:4411 using a new default key (“<666666>” vs. “<123456789>” in V5.6). Core functionality echoes V5.6, but V6.0 introduces ILProtector-packed plugins that load from registry entries under HKCU\SOFTWARE.

Operators issue “plugin” commands by SHA-256 hash; missing plugins trigger a “sendplugin” workflow. Loaded plugins support remote desktop, credential theft, file management, shell execution, startup enumeration, TCP control, webcam streaming, and ransomware.

Plugins stored in registry.
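As an added defensive example (not code from the Trellix report or from XWorm itself), this PowerShell hunt script walks HKCU\SOFTWARE for registry values large enough to hold a DLL, computes their SHA-256, and optionally matches them against a list of known plugin hashes. The size threshold, the parameter names, and the assumption that plugins sit in REG_BINARY or base64-encoded string values are mine.

```powershell
# Added hunt script (not from the report): look for plugin-sized blobs under HKCU\SOFTWARE.
# Assumptions: plugins are stored as REG_BINARY or as base64 text, and are at least $MinBytes long.
param(
    [int]$MinBytes = 16KB,
    [string[]]$KnownHashes = @()   # e.g. SHA-256 values from a vendor IOC list (lower-case hex)
)

$sha256  = [System.Security.Cryptography.SHA256]::Create()
$results = @()

Get-ChildItem -Path 'HKCU:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $kind  = $key.GetValueKind($name)
        $bytes = $null
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            $bytes = [byte[]]$key.GetValue($name)
        } elseif ($kind -eq [Microsoft.Win32.RegistryValueKind]::String) {
            # Long string values may hold a base64-encoded DLL; skip anything that is not base64
            $text = [string]$key.GetValue($name)
            if ($text.Length -ge $MinBytes) {
                try { $bytes = [Convert]::FromBase64String($text) } catch { $bytes = $null }
            }
        }
        if ($null -eq $bytes -or $bytes.Length -lt $MinBytes) { continue }

        $hash = ([BitConverter]::ToString($sha256.ComputeHash($bytes))).Replace('-', '').ToLower()
        $results += [pscustomobject]@{
            Key         = $key.Name
            Value       = $name
            Kind        = $kind
            Bytes       = $bytes.Length
            LooksLikePE = ($bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # 'MZ' header
            KnownIOC    = ($KnownHashes -contains $hash)
            SHA256      = $hash
        }
    }
}
$sha256.Dispose()

# Largest blobs first; anything flagged KnownIOC or LooksLikePE deserves immediate triage
$results | Sort-Object Bytes -Descending |
    Format-Table Key, Value, Kind, Bytes, LooksLikePE, KnownIOC, SHA256 -AutoSize
```

Packed plugins will not necessarily start with an MZ header, so treat the size and hash columns as the primary signal and the PE flag as a bonus.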

Notable payloads include RemoteDesktop.dll, Stealer.dll, FileManager.dll, Shell.dll, and ransomware.dll. The latter encrypts files with AES-CBC keyed by a SHA-512 hash of the client ID, drops ransom notes and wallpapers, and sets registry flags for tracking encryption status.

Decryption mirrors this process. V6’s plugin count exceeds 35, with additional modules for rootkit installation and factory-reset persistence in leaked V6.4 builders.

Persistence and Evolving Threat

Persistence scripts delivered via VBS or .wsf files create scheduled tasks, registry run keys, and even ResetConfig.xml for push-button resets to survive reinstalls.

Operators leverage four distinct persistence methods ranging from logon scripts to admin-level factory reset hooks.
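The following PowerShell triage script is an added example, not code from the report or the malware: it lists the persistence locations the campaign is described as using (Run/RunOnce keys, scheduled tasks that launch script hosts with .vbs/.wsf/.js/.ps1 files, and a ResetConfig.xml push-button reset customization). The ResetConfig.xml paths are my assumptions about the Windows recovery layout, and reading them requires administrative rights.

```powershell
# Added triage script (not from the report). Run elevated so HKLM and the Recovery folder are readable.
$findings = @()

# 1. Run / RunOnce keys for the current user and the machine
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $findings += [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
    }
}

# 2. Scheduled tasks whose action runs a script host or PowerShell against a script file
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '(?i)(wscript|cscript|powershell|pwsh)' -and $cmd -match '(?i)\.(vbs|wsf|js|ps1)\b') {
            $findings += [pscustomobject]@{
                Source  = "Task: $($task.TaskPath)$($task.TaskName)"
                Name    = $task.Author
                Command = $cmd
            }
        }
    }
}

# 3. Push-button reset customization (the "factory reset hook"). Paths are assumptions based on the
#    Windows recovery customization layout; a file here on a machine that was never OEM-customized is suspicious.
$resetPaths = "$env:SystemDrive\Recovery\OEM\ResetConfig.xml",
              "$env:SystemDrive\Recovery\Customizations\ResetConfig.xml"
foreach ($p in $resetPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += [pscustomobject]@{ Source = 'ResetConfig.xml'; Name = $item.LastWriteTime; Command = $p }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Review every hit against the host's known software inventory; the script surfaces candidates, it does not decide maliciousness.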

Cracked V6 builders are themselves being redistributed with embedded malware, highlighting a self-propagating risk in which the builders harbor malware.

XWorm V6’s return underscores that no malware threat ever truly retires. Its modular plugin architecture and advanced injection techniques demand defenses beyond signature-based prevention.

A multi-layered posture is essential: endpoint detection and response to catch anomalous process injections; proactive email and web gateways to block initial droppers; and continuous network monitoring to spot C2 communications. In this dynamic threat landscape, agile, behavior-focused security platforms are imperative to stay one step ahead of adversaries.

IOC

Here is the data presented in tabular form:



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.