New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year.
The latest variants, XWorm 6.0, 6.4, and 6.5, appear to have been adopted by multiple threat actors and support plugins that enable a wide range of malicious activities.
Malware operators can use the modules to steal data from browsers and applications, take control of the host through remote desktop and shell access, and encrypt or decrypt files.
The last known version of the malware developed by XCoder is 5.6, which was vulnerable to a remote code execution flaw, addressed in the recent variants.
Versatile and popular
XWorm is a remote access trojan first observed in 2022. It gained a reputation as a highly effective malware due to its modular architecture and extensive capabilities.
It is typically used to collect sensitive data (passwords, crypto wallets, financial info), track keystrokes, steal information from the clipboard,
However, it can also be used to launch distributed denial-of-service (DDoS) attacks and load other malware.
After XCoder deleted their Telegram accounts, where they shared regular updates, multiple threat actors started to spread cracked versions of the malware.
XWorm was so popular that a threat actor used it as a lure to target less-skilled cybercriminals with a backdoor that stole data.