Threat Actor Characterization

XCoder

ID: 54c9fa95a098d89fb0e9e17dd7e1a98820621
Tags: Cybercrime, Cybercriminal, Malware Dev
Threat types: Malware, MaaS, Intrusion
Origin: Unknown
Updated: 2026-03-29
Created: 2026-03-19
Progress: 79% Completeness: 74% Freshness: 90%
Aliases: X Coder, XcoderTools
MITRE ATT&CK®

XCoder is the public handle associated with the original development and sale of the XWorm remote access trojan. Later reporting linked the revived XWorm line to a related or successor persona, XCoderTools, but continuity between the two identities remains unresolved.


Technique | Technique name | Tactics | Evidence

T1587.001 | Develop Capabilities: Malware | TA0042 (Resource Development)
  • 2025-10-02 — Public vendor reporting described XCoder as the original developer leading XWorm development before the project went inactive in late 2024. · ref
  • 2025-10-08 — UV Cyber characterized XWorm as a commodity RAT developed in .NET by a creator known as XCoder. · ref
T1588.001 | Obtain Capabilities: Malware | TA0042 (Resource Development)
  • 2025-06-04 — Public reporting states that an account named XCoderTools advertised XWorm V6.0 on HackForums, indicating that downstream operators acquire malware builds through a commercial channel. · ref
  • 2025-10-06 — BleepingComputer reported that XCoderTools offered access for a $500 lifetime subscription, reinforcing the malware-sales model. · ref
T1566 | Phishing | TA0001 (Initial Access)
  • 2025-10-06 — Public reporting on XWorm campaigns described phishing, malicious attachments, JavaScript stages, and .LNK-based delivery. This reflects use by downstream XWorm operators rather than XCoder personally conducting phishing campaigns. · ref
T1059.001 | Command and Scripting Interpreter: PowerShell | TA0002 (Execution)
  • 2025-10-02 — Trellix described an infection chain in which a malicious JavaScript stage launched PowerShell to deploy XWorm V6.0. · ref
T1055 | Process Injection | TA0004 (Privilege Escalation), TA0005 (Defense Evasion)
  • 2025-10-02 — Vendor analysis of XWorm V6 discussed injected execution and in-memory module loading consistent with process-injection behavior. · ref
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | TA0003 (Persistence), TA0004 (Privilege Escalation)
  • 2025-06-29 — Sandbox evidence showed persistence activity using scheduled tasks and payloads copied into user-writable paths during XWorm V6.0 execution. · ref
  Note: scheduled-task persistence maps to T1053.005 (Scheduled Task/Job: Scheduled Task); the evidence cited here does not by itself show Run-key or Startup-folder use, so treat the T1547.001 mapping as unconfirmed until Run-key telemetry is available.
T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | TA0004 (Privilege Escalation), TA0005 (Defense Evasion)
  • 2025-11-10 — INFERENCE (confidence: medium): XCoderTools release messaging for XWorm V7.1 advertised 'Clean UAC Control', and later releases described enhanced UAC bypass capabilities, indicating deliberate support for UAC-related privilege-control features. · ref
T1113 | Screen Capture | TA0009 (Collection)
  • 2025-10-08 — Public reporting on XWorm 6.x described plugin support for screen capture and remote surveillance functions. · ref
T1123 | Audio Capture | TA0009 (Collection)
  • 2025-11-28 — Public technical summaries of XWorm capabilities included microphone/audio capture functionality as part of the malware's plugin set. · ref
T1115 | Clipboard Data | TA0009 (Collection)
  • 2025-10-06 — BleepingComputer summarized public research showing clipboard theft/monitoring capability in newer XWorm variants. · ref
T1486 | Data Encrypted for Impact | TA0040 (Impact)
  • 2025-12-22 — INFERENCE (confidence: medium): XCoderTools marketing for XWorm V7.3 explicitly referenced a fixed and stabilized ransomware component, supporting inclusion of encryption-for-impact as an ecosystem capability. · ref
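The part of this mapping a hunter can act on directly is the delivery chain behind the T1059.001 and T1547.001 evidence: a JavaScript stage launching PowerShell, followed by a scheduled task pointing at a payload copied into a user-writable path. The block below is an added example, not code from this page or from any vendor cited in it. It runs three process-creation rules over constructed log lines and then correlates the script-host launch with the scheduled-task registration per user, so that the noisy single indicator (PowerShell with a hidden window) is not what pages someone. The pipe-separated event format, the list of user-writable directories, and the sample user names and paths are all assumptions made for the example.

```python
"""Hunting logic for the XWorm delivery chain described in the ATT&CK table:
a JavaScript lure whose script host spawns PowerShell (T1059.001), followed by
persistence via a scheduled task aimed at a payload in a user-writable path
(T1053.005, the behaviour the sandbox evidence actually shows).

The log lines, user names and paths below are constructed for this example; the
line format (pipe-separated process-creation events) is an assumption, not any
vendor's telemetry schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directory fragments where commodity RAT droppers commonly copy themselves
# (assumed list; extend it from your own telemetry).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
# Matches -w hidden / -WindowStyle hidden / -enc <b64> / -e <b64>,
# but deliberately not -ep (ExecutionPolicy) or -nop.
SUSPICIOUS_PS_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?|e)(?=\s)")


@dataclass
class ProcEvent:
    ts: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'ts|user|parent|image|cmdline' line (constructed format)."""
    ts, user, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, user, parent, image, cmdline)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_spawns_powershell(ev: ProcEvent) -> bool:
    """A JS/VBS/HTA stage handing off to PowerShell (T1059.001 after a script lure)."""
    return _basename(ev.parent_image) in SCRIPT_HOSTS and _basename(ev.image) in POWERSHELL


def powershell_hidden_or_encoded(ev: ProcEvent) -> bool:
    """PowerShell launched with a hidden window or an encoded command (noisy on its own)."""
    return _basename(ev.image) in POWERSHELL and bool(SUSPICIOUS_PS_FLAGS.search(ev.command_line))


def schtasks_to_user_writable_path(ev: ProcEvent) -> bool:
    """schtasks /create whose action points into a user-writable directory (T1053.005)."""
    if _basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.command_line.lower()
    return "/create" in cl and any(marker in cl for marker in USER_WRITABLE)


RULES = [
    ("script_host_spawns_powershell", script_host_spawns_powershell),
    ("powershell_hidden_or_encoded", powershell_hidden_or_encoded),
    ("schtasks_to_user_writable_path", schtasks_to_user_writable_path),
]


def hunt(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, rule_name) for every event that trips a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        hits.extend((ev.ts, ev.user, name) for name, rule in RULES if rule(ev))
    return hits


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(hits: list[tuple[str, str, str]], window_seconds: int = 300) -> list[str]:
    """Users for whom a script-host -> PowerShell launch is followed, within the window,
    by a scheduled task aimed at a user-writable path: the two-stage chain, not one indicator."""
    by_user: dict[str, list[tuple[datetime, str]]] = {}
    for ts, user, rule in hits:
        by_user.setdefault(user, []).append((_parse_ts(ts), rule))
    chained = []
    for user, events in by_user.items():
        starts = [t for t, r in events if r == "script_host_spawns_powershell"]
        tasks = [t for t, r in events if r == "schtasks_to_user_writable_path"]
        if any(0 <= (tk - st).total_seconds() <= window_seconds for st in starts for tk in tasks):
            chained.append(user)
    return chained


# Constructed sample telemetry: one XWorm-style chain for 'alice', two benign events.
SAMPLE_LOG = r"""
2025-10-02T09:14:03Z|CORP\alice|C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
2025-10-02T09:14:05Z|CORP\alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc minute /mo 1 /tn "OneDriveUpdate" /tr "C:\Users\alice\AppData\Roaming\svchost.exe" /f
2025-10-02T09:20:11Z|CORP\bob|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
2025-10-02T09:21:40Z|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
    print("chained users:", correlate(hunt(SAMPLE_LOG)))
```

To use this against real data, map Sysmon Event ID 1 or Windows 4688 exports onto the five fields (timestamp, user, parent image, image, command line) and feed them to hunt(). The correlation window is deliberately short because the sandbox evidence has the task registration following the PowerShell stage almost immediately; widen it only if your own detonations show a longer gap.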
Strategic Intelligence
Last updated: 2026-03-19T20:49:06+00:00

XCoder — alleged original developer / sales persona linked to XWorm

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cybercrime / Malware development & distribution persona — Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

XCoder is the handle publicly associated with the early development and sale of the XWorm remote access trojan and related criminal tooling. Public reporting from 2025 consistently describes XCoder as the original developer of XWorm, active through Telegram and underground sales channels before going inactive in the second half of 2024 after the release of XWorm V5.6.


By 2025, reporting described a fragmented post-abandonment environment in which cracked and trojanized XWorm builders circulated widely. A new seller and channel operator using the handle XCoderTools reintroduced XWorm V6.x and later V7.x, but security reporting remains cautious on whether this later brand is the same individual as the original XCoder, a close associate, or an opportunistic reseller capitalizing on XWorm’s brand equity.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — XCoder / XWorm Developer Persona

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — XCoder / XWorm Ecosystem


IOC Appendix
Last updated: 2026-03-19T20:51:45+00:00

IOC Appendix — XCoder / XWorm Developer Persona

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-03-19T20:52:04+00:00

OSINT Library — XCoder


2025-10-02 — Trellix ARC — “XWorm V6: Exploring Pivotal Plugins”

Social Media & Communication

Address | Verification | SOCMINT
t.me/XCo******** | Restricted | Not integrated
t.me/+iT************** | Restricted | Not integrated
www.youtube.com/@Xc********* | Restricted | Not integrated

Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

No images found for this threat.