
Threat Actor Characterization

XWorm

ID: 2f2ce2f96b8f4264e72cedfd03572a3381555
Tags: Crimeware, RAT, Spyware/Stealer
Threat types: Malware, Remote Access Trojan, MaaS, Ransomware
Unknown DEU
Updated: 2026-03-30
Created: 2026-02-26
Progress: 84% Completeness: 82% Freshness: 90%
Operation zone: Germany
Aliases: XWorm RAT
MITRE ATT&CK®

XWorm is a modular, MaaS-style Remote Access Trojan ecosystem active since roughly 2022, sold through underground channels and used across diverse campaigns. It supports remote control, credential and crypto-wallet theft, keylogging, clipboard monitoring, and plugin-based extensibility (including in-memory DLL plugins). Recent reporting documents evolving delivery chains: phishing campaigns with document exploitation (e.g., Excel CVE-2018-0802 leading to HTA staging), shellcode-based multi-stage loaders with process injection, and v6.0 enhancements including AMSI bypass and anti-analysis features. Persistence commonly relies on Run-key and Startup-folder techniques. Because XWorm is used by many unrelated operators, defenders should prioritize behavior-first detections, time-bounded IOC operations, and campaign clustering rather than single-actor attribution. Late-2025 operator release notes for versions 7.1 to 7.3 additionally suggest active commercial upkeep and feature work around UAC control/bypass, credential-recovery modules, plugin refurbishment, and a maintained ransomware component; these claims should be treated as version-scoped and marketing-influenced until independently reverse-engineered.


Technique | Technique name | Tactics
Evidence is listed under each technique.

T1566.001 | Spearphishing Attachment | TA0001
  • 2026-02-10 — Phishing emails delivering malicious Excel attachments are described.
T1203 | Exploitation for Client Execution | TA0002
  • 2026-02-10 — Excel exploit (CVE-2018-0802) is used to trigger code execution.
T1218.005 | Mshta | TA0005
  • 2026-02-10 — HTA stage execution is described as part of the chain (mshta usage implied).
T1055 | Process Injection | TA0004, TA0005
  • 2025-09-26 — Reflective/injection behavior in the shellcode-based chain is described.
T1071.001 | Web Protocols | TA0011
  • 2021-11-01 — C2 via network connection to a DDNS host is shown in a sandbox report.
T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004
  • 2021-11-01 — Run-key persistence (HKCU Run) and a Startup-folder drop are shown.
T1056.001 | Keylogging | TA0006, TA0009
  • 2025-02-25 — Keylogging capability described in CTI advisory context.
T1125 | Video Capture | TA0009
  • 2025-02-25 — Webcam capture capability described in CTI advisory context.
T1123 | Audio Capture | TA0009
  • 2025-02-25 — Audio capture capability described in CTI advisory context.
T1105 | Ingress Tool Transfer | TA0011
  • 2025-10-02 — Plugin mechanism enabling additional payload execution in memory is described.
T1059.003 | Windows Command Shell | TA0002
  • 2025-10-02 — Operator command execution via the Windows command shell is discussed (campaign behaviors).
T1548.002 | Bypass User Account Control | TA0004, TA0005
  • 2025-11-10 — XWorm v7.1 release notes advertise “Clean UAC Control.” Treat as a version-scoped capability claim pending independent reverse engineering.
  • 2025-12-22 — XWorm v7.3 release notes advertise “UAC ReFUDED – Enhanced bypass capabilities.” Treat as a version-scoped capability claim pending independent reverse engineering.
T1486 | Data Encrypted for Impact | TA0040
  • 2025-12-22 — XWorm v7.3 release notes state “Ransomware Fixed – Critical stability and performance fixes,” indicating a maintained encryption-for-impact component. Treat as a product-capability signal, not blanket campaign prevalence.
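The summary above recommends behavior-first detection over single-actor attribution. As an added example that is not part of this profile, the script below triages constructed, Sysmon-like endpoint events for two behaviors from the table: an Office process spawning mshta.exe (T1203 leading to T1218.005) and HKCU Run-key or Startup-folder persistence (T1547.001). The event field names, hostnames and paths are assumed for illustration.

```python
# Added example (not from the profile page): behaviour-first triage of
# constructed endpoint telemetry for the chain described above:
# Excel -> HTA stage (mshta) -> Run-key / Startup-folder persistence.
# Event shape is assumed (Sysmon-like dicts); field names are hypothetical.
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"mshta.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID from the profile table
    host: str
    detail: str

def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Map raw events to the ATT&CK techniques listed in the profile."""
    findings = []
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind == "process_create":
            parent, child = _base(ev["parent_image"]), _base(ev["image"])
            if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
                findings.append(Finding("T1218.005", host, f"{parent} -> {child}: {ev.get('cmdline', '')}"))
        elif kind == "registry_set":
            key = ev["key"].lower()
            if key.startswith("hkcu\\") and RUN_KEY in key:
                findings.append(Finding("T1547.001", host, f"HKCU Run value '{ev['value_name']}' -> {ev['data']}"))
        elif kind == "file_create" and STARTUP_DIR in ev["path"].lower():
            findings.append(Finding("T1547.001", host, f"Startup-folder drop {ev['path']}"))
    return findings

# Constructed sample telemetry; hostnames, paths and values are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta"},
    {"type": "process_create", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry_set", "host": "ws01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "data": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "file_create", "host": "ws02",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.technique, f.host, f.detail)
```

The benign explorer.exe -> notepad.exe event is included to show that the rules key on the parent/child relationship rather than on any hash or domain, which is what makes them survive the operator and version churn the profile describes.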
Strategic Intelligence
Last updated: 2026-03-19T21:17:02+00:00

XWorm

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — XWorm


Hunting Playbook

Hunting Playbook — XWorm (Modular RAT Ecosystem)


IOC Appendix
Last updated: 2026-02-26T04:31:16+00:00

IOC Appendix — XWorm (Operational Seed Set)


OSINT Library
Last saved: 2026-02-26T04:32:10+00:00

OSINT Library — XWorm


2026-02-10 — Fortinet FortiGuard Labs — “Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails”
