XWorm v3.1 Updated [portable]

XWorm v3.1 uses SMB to spread laterally. Restrict SMB (TCP 445) so that workstations cannot reach each other or critical infrastructure over it; allow it only to the file servers that genuinely need it, and apply a Zero Trust model to the remaining paths rather than trusting the internal network.
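The segmentation described above, as an added example that is not part of the original page: a host-based Windows Firewall policy that blocks SMB between workstations while leaving the sanctioned file server reachable, followed by a reachability check. The address ranges (10.10.0.0/16, 10.11.0.0/16), the file server (10.20.0.5) and the peer workstation (10.10.5.23) are hypothetical values; run it in an elevated PowerShell session on a workstation.

```powershell
# Added example (not from the page): restrict lateral SMB on a workstation.
# Hypothetical environment: workstation VLANs are 10.10.0.0/16 and 10.11.0.0/16,
# and the only sanctioned SMB server is the file server at 10.20.0.5.
$WorkstationRanges = @('10.10.0.0/16', '10.11.0.0/16')
$FileServer        = '10.20.0.5'

# 1. Block inbound SMB from other workstations. Workstations have no reason to
#    accept SMB from their peers; this is the hop a worm relies on.
New-NetFirewallRule -DisplayName 'Block inbound SMB from workstation subnets' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $WorkstationRanges -Action Block -Profile Domain,Private

# 2. Block outbound SMB to other workstations too, so an already-infected host
#    cannot push a payload to a neighbour that is not yet hardened.
New-NetFirewallRule -DisplayName 'Block outbound SMB to workstation subnets' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $WorkstationRanges -Action Block -Profile Domain,Private

# 3. Retire SMBv1 on the host; the file server does not need it.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Verify the split: a peer workstation should no longer answer on 445 while
#    the file server still does. -InformationLevel Quiet returns a plain boolean.
function Test-SmbReachability {
    param([string]$Target)
    return (Test-NetConnection -ComputerName $Target -Port 445 -InformationLevel Quiet)
}
Test-SmbReachability -Target '10.10.5.23'   # hypothetical peer workstation
Test-SmbReachability -Target $FileServer    # sanctioned file server
```

Block rules take precedence over allow rules in Windows Firewall, so the two block rules do not interfere with existing allow rules for the file server, which lies outside the blocked ranges. Deploy the same rules centrally through Group Policy so a local administrator (or the malware) cannot simply remove them on one host.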

– Includes the ability to shut down, restart, or log off the victim's machine.

XWorm v3.1 is a recent update to a high-risk Remote Access Trojan (RAT) that cybersecurity researchers are tracking for its advanced evasion techniques and expanded command capabilities.

– A victim receives a phishing email containing a malicious attachment or link. Common lures include disguised invoices, banking documents, payment confirmations, and shipping notifications. Threat actors have also used fake travel websites masquerading as Booking.com to distribute XWorm. Attackers frequently deploy XWorm alongside other malware such as AsyncRAT to establish an initial foothold before delivering ransomware built from leaked LockBit Black builders.

rule XWorm_v31_Mutex
{
    // Mutex name and API strings as given on this page; the rule fires only
    // when all three appear in the same file.
    strings:
        $mutex = "XWorm_31_Global_Mutex" wide ascii
        $api   = "EnumWindows" wide ascii
        $net   = "SendKeys" wide ascii
    condition:
        $mutex and $api and $net
}

The initial dropper decrypts the main XWorm payload directly into memory, so the decrypted payload never touches disk and disk-based antivirus scans do not see it.

The malware can read and modify the victim's hosts file, redirecting web traffic to attacker-controlled servers. Because Windows consults the hosts file before issuing DNS queries, this lets an attacker replace legitimate banking or corporate websites with malicious clones without touching any DNS infrastructure. A clone reached this way cannot present a valid TLS certificate for the original hostname unless the attacker has also installed a trusted root certificate, so certificate warnings on familiar sites are a user-visible signal worth taking seriously.
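A check for the hosts-file tampering described above, as an added example that is not part of the original page: it parses hosts-file lines, ignores the normal loopback and blackhole entries, and reports any watched domain that has been pointed at a routable address. The sample file content and the domains examplebank.com and example-corp.com are constructed for the example; on a live host read $env:SystemRoot\System32\drivers\etc\hosts instead.

```powershell
# Added example (not from the page): flag hosts-file entries that redirect
# high-value domains to something other than loopback/blackhole addresses.
function Find-SuspiciousHostsEntries {
    param(
        [string[]]$Lines,          # hosts-file contents, one line per element
        [string[]]$WatchDomains    # domains (and their subdomains) that matter
    )
    # Loopback and 0.0.0.0 mappings are how ad/telemetry blocklists use the file.
    $benign   = @('127.0.0.1', '::1', '0.0.0.0')
    $findings = @()
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()     # strip comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }       # an address with no hostnames
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # -eq and -like are case-insensitive in PowerShell, as hostnames are.
            $watched = $WatchDomains | Where-Object { $name -eq $_ -or $name -like "*.$_" }
            if ($watched -and ($benign -notcontains $ip)) {
                $findings += [pscustomobject]@{ Host = $name; Address = $ip; Line = $raw }
            }
        }
    }
    return $findings
}

# Constructed sample, not a real capture. 203.0.113.0/24 is a documentation range.
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         telemetry.example.net      # blocklist entry, expected
203.0.113.7     login.examplebank.com      # watched domain sent to a routable host
203.0.113.7     www.examplebank.com  portal.example-corp.com
'@ -split "`r?`n"

$hits = Find-SuspiciousHostsEntries -Lines $sample -WatchDomains @('examplebank.com', 'example-corp.com')
$hits | Format-Table -AutoSize
```

Run it against the real file with `-Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")`. Any hit is worth an immediate look, because there is no legitimate reason for a workstation hosts file to map a bank or corporate login domain to a routable address.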

Because the malware is actively updated, no single control can be relied on; layered defense is required.

Use a reputable endpoint detection and response (EDR) solution or next-generation antivirus product to scan and remove the threat. Many modern security tools have specific detection signatures for XWorm components.

– The infection chain typically begins with a Windows Script File (WSF), VBScript, or PowerShell script that retrieves the payload. Netskope Threat Labs found that the initial WSF file is commonly delivered by phishing email and contains hex-encoded commands to evade static detection.
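A static-analysis helper for the hex-encoded commands described above, as an added example that is not part of the original page or of Netskope's tooling: it finds runs of hex digits in a script, decodes them, and reports the ones that decode to printable ASCII or UTF-16LE text. The WSF snippet, its Unhex() helper and the decoded commands are constructed for the example; the technique generalizes to any script that hides strings as hex.

```powershell
# Added example (not from the page): surface hex-encoded strings in a script.
function Test-PrintableBytes {
    param([byte[]]$Bytes)
    foreach ($b in $Bytes) {
        # Printable ASCII plus tab/CR/LF; anything else means "not plain text".
        if (-not (($b -ge 0x20 -and $b -le 0x7e) -or $b -in 9, 10, 13)) { return $false }
    }
    return $true
}

function Get-HexEncodedStrings {
    param([string]$ScriptText, [int]$MinBytes = 8)
    # Even-length runs of hex digits, at least $MinBytes bytes long, not glued
    # to other hex characters (so "0x" prefixes and hashes are handled sanely).
    $pattern = "(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){$MinBytes,}(?![0-9A-Fa-f])"
    $results = @()
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        $hex   = $m.Value
        $bytes = [byte[]]::new($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }
        $decoded = $null
        if (Test-PrintableBytes -Bytes $bytes) {
            $decoded = [Text.Encoding]::ASCII.GetString($bytes)
        } elseif ($bytes.Length % 2 -eq 0) {
            # UTF-16LE text: every high byte is zero, every low byte printable.
            $hi = @(for ($i = 1; $i -lt $bytes.Length; $i += 2) { $bytes[$i] })
            $lo = @(for ($i = 0; $i -lt $bytes.Length; $i += 2) { $bytes[$i] })
            if (($hi | Where-Object { $_ -ne 0 }).Count -eq 0 -and (Test-PrintableBytes -Bytes $lo)) {
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)
            }
        }
        $results += [pscustomobject]@{ Offset = $m.Index; Bytes = $bytes.Length; Decoded = $decoded }
    }
    return $results
}

# Constructed WSF sample (not a real lure). Unhex() is a hypothetical helper the
# script would define; the two blobs are "cmd.exe /c calc.exe" (ASCII) and
# "notepad.exe" (UTF-16LE), chosen as harmless stand-ins for real commands.
$sample = @'
<job id="update">
<script language="VBScript">
Dim cmd: cmd = Unhex("636d642e657865202f632063616c632e657865")
Dim alt: alt = Unhex("6e006f00740065007000610064002e00650078006500")
</script>
</job>
'@

Get-HexEncodedStrings -ScriptText $sample | Format-Table -AutoSize
```

Feed a real sample with `-ScriptText (Get-Content .\sample.wsf -Raw)` inside an isolated analysis VM. Entries whose Decoded column is empty are binary blobs (often a second-stage payload) rather than commands and deserve separate handling; nothing here executes any of the decoded content.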

As a modular RAT, XWorm provides attackers with comprehensive control over infected systems:

With this release, the threat landscape has shifted once again. This is not a minor patch: the v3.1 update introduces advanced obfuscation techniques, expanded Distributed Denial of Service (DDoS) capabilities, and specific modules targeting cryptocurrency wallets and cloud credentials.

First identified in 2022, the remote access trojan (RAT) has, through continuous updates and a modular design, become a cornerstone of the modern cybercriminal toolkit. Sold as a Malware-as-a-Service (MaaS) and with cracked versions circulating for free, its accessibility has made it a common weapon for attackers of all skill levels, from opportunistic cybercriminals to state-aligned advanced persistent threat (APT) groups. The malware's persistent evolution is evident in the numerous campaigns and variants observed from 2025 into 2026, representing a significant and ongoing global threat.

The digital underground never sleeps, and neither do its most popular tools. For the past two years, XWorm has solidified its reputation as a "malware-as-a-service" (MaaS) powerhouse: a remote access trojan (RAT) so versatile that it has become a staple for script kiddies, hacktivists, and sophisticated cybercriminals alike.

– Allows the attacker to open a completely hidden secondary desktop session on the victim's machine. The user sees nothing while the attacker navigates banking portals or corporate networks in real time.
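A triage check for the hidden-desktop capability described above, as an added example that is not part of the original page: Windows implements hidden sessions of this kind as an extra desktop object inside the interactive window station, so enumerating desktops with the Win32 EnumDesktops API and comparing them against the names Windows itself creates reveals an unexpected one. The baseline list (Default, Winlogon, Disconnect, Screen-saver) is an assumption about a stock Windows session; run this as the logged-on user in the same session as the suspected infection.

```powershell
# Added example (not from the page): list desktops in the current window station
# and flag any that Windows did not create itself.
$source = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class DesktopEnum {
    // EnumDesktopsW hands each desktop name to this callback as a wide string.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public delegate bool EnumDesktopProc(string desktop, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);
    public static List<string> GetDesktopNames() {
        var names = new List<string>();
        EnumDesktopProc cb = (name, l) => { names.Add(name); return true; };
        if (!EnumDesktops(GetProcessWindowStation(), cb, IntPtr.Zero))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        GC.KeepAlive(cb);   // keep the delegate alive until the native call returns
        return names;
    }
}
'@
Add-Type -TypeDefinition $source

function Find-UnexpectedDesktops {
    # Assumed baseline for a stock interactive session (WinSta0).
    param([string[]]$Known = @('Default', 'Winlogon', 'Disconnect', 'Screen-saver'))
    $all = [DesktopEnum]::GetDesktopNames()
    return $all | Where-Object { $Known -notcontains $_ }
}

Find-UnexpectedDesktops
```

An unexpected desktop name is a lead, not a verdict: virtual-desktop utilities, some remote-management agents and sandboxing products also create desktops. Follow up by identifying which process owns windows on that desktop. Note also that the check only sees the window station of the session it runs in; a RAT running as a service in session 0 would create its desktop there, out of view of an interactive user's shell.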