XWorm RAT phishing-delivered persistence and exfiltration chain
Malware Activity
Summary
The XWorm RAT infection chain used phishing emails carrying .XLAM attachments to run shellcode, load further stages in memory, and exfiltrate data to command-and-control servers. The activity matters because the payload combined reflective DLL injection with process injection to persist on infected hosts and hide its execution. The command-and-control traffic was attributed to the XWorm family, indicating an active delivery path for a known remote-access trojan.
Related Happenings
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Havoc Demon payload deployment and persistence operation
Malware Activity
First: 03.03.2026 19:15
Last: 03.03.2026 19:15
Sources 1
About this happening:
A **fake IT support** operation is deploying **Havoc Demon** payloads to preserve access across compromised endpoints and support likely **data exfiltration** or **ransomware** fo...
ClickFix nslookup-delivered ModeloRAT activity
Malware Activity
First: 17.02.2026 19:03
Last: 17.02.2026 19:03
Sources 1
About this happening:
The **ClickFix** infection chain now uses **nslookup** to deliver **ModeloRAT**, increasing the chance that **Windows** users will self-infect and hand attackers remote control. T...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
29.09.2025 11:52 · 2 articles
XWorm RAT phishing delivery and persistence chain
Technical Analysis Update
Forcepoint described a multi-stage phishing chain on affected Windows hosts. Emails carry .XLAM attachments that execute shellcode; a secondary payload loads a DLL in memory; that second-stage DLL is heavily packed and encrypted; reflective DLL injection then loads a further DLL; and the final payload performs process injection to maintain persistence and exfiltrate data to XWorm family command-and-control servers, while a blank or corrupted Office file is shown to the victim as a ruse.
Show sources
- Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security — thehackernews.com — 29.09.2025 11:52
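As an added example that is not part of the original page or of Forcepoint's or Microsoft's reporting, the following Python hunt turns the behaviours described in the XWorm timeline entry (Excel opening an .XLAM add-in and spawning a non-Office child) and in the ClickFix development above (wt.exe to PowerShell to cmd.exe to MSBuild.exe, Defender exclusions, scheduled-task persistence) into detection logic over constructed Sysmon-style process-creation events. The event fields, paths, sample command lines, and the child-process allowlist are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed Sysmon-style process-creation events (Event ID 1 reduced to
# pid, parent pid, image path, command line). These lines are made up for
# this example; they are not telemetry from the campaigns on this page.
Event = namedtuple("Event", "pid ppid image cmdline")

SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # XLAM-style chain: Excel opens an add-in, then spawns a non-Office child.
    Event(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xlam'),
    Event(210, 200, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Run"),
    # ClickFix-style chain: wt.exe -> powershell -> cmd -> MSBuild.
    Event(300, 100, r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\wt.exe",
          'wt.exe powershell -w hidden -c "<pasted command>"'),
    Event(310, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -w hidden -c "<pasted command>"'),
    Event(320, 310, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <stage two>"),
    Event(330, 320, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml"),
    Event(340, 310, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp"),
    Event(350, 320, r"C:\Windows\System32\schtasks.exe",
          r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Local\Temp\run.cmd"),
    # Benign: an administrator running PowerShell from Explorer.
    Event(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell Get-Process"),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
OFFICE_OK_CHILDREN = {"splwow64.exe"}  # assumed allowlist; tune per environment


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the given pid up to the root of the tree."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def hunt(events):
    """Return (rule, pid) findings for the behaviours described on the page."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        # Office application spawning a non-Office process (XLAM/macro chain).
        if parent and basename(parent.image) in OFFICE and name not in OFFICE | OFFICE_OK_CHILDREN:
            findings.append(("office_spawns_child", e.pid))
        # Office process handed an add-in file on its command line.
        if name in OFFICE and re.search(r"\.xlam\b", e.cmdline, re.I):
            findings.append(("office_opens_xlam", e.pid))
        # MSBuild reached through Windows Terminal and PowerShell (ClickFix chain).
        if name == "msbuild.exe":
            chain = ancestry(events, e.pid)
            if "wt.exe" in chain and "powershell.exe" in chain:
                findings.append(("clickfix_terminal_msbuild", e.pid))
        # Defender exclusion added from the command line.
        if re.search(r"Add-MpPreference\s+-Exclusion", e.cmdline, re.I):
            findings.append(("defender_exclusion", e.pid))
        # Scheduled-task persistence created from a scripting chain.
        if name == "schtasks.exe" and re.search(r"/create\b", e.cmdline, re.I):
            findings.append(("schtasks_persistence", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestry walk is what separates the ClickFix chain from an administrator's own PowerShell session: MSBuild.exe alone is a legitimate build tool, but MSBuild.exe whose ancestors include wt.exe and powershell.exe launched from Explorer is the pattern Microsoft described. The QueueUserAPC injection into chrome.exe and msedge.exe is not visible in process-creation events at all; it needs a handle-open data source such as Sysmon Event ID 10 (process access) or equivalent EDR telemetry, so this hunt should be paired with one.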