Find notable cyber news and cases, enriched with sources, timelines, and signals.

XWorm backdoor with expanded ransomware plugins

Malware Activity
First reported
Last updated
Happening score
H score 28
2 unique sources, 2 articles

Summary

Hide ▲

The XWorm Windows backdoor is being redistributed in phishing campaigns, and newer builds 6.0, 6.4, and 6.5 expand its reach from theft to remote control, file encryption, and other post-compromise actions. Trellix said the malware now supports 35+ plugins for stealing browser and application data, opening remote desktop and shell sessions, and managing infected hosts through a modular C2 workflow. Delivery has used malicious JavaScript, PowerShell, .LNK files, and .XLAM payloads, with some lures posing as legitimate-looking .exe files such as Discord. The added ransomware module makes XWorm a more flexible and dangerous threat once an endpoint is compromised.

Related Happenings

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
H score36 First: 02.06.2026 23:01 Last: 02.06.2026 23:01 Sources 1

About this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

ABCDoor backdoor activity in Silver Fox attacks

Malware Activity
H score23 First: 04.05.2026 14:35 Last: 04.05.2026 14:35 Sources 1

About this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score30 First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Timeline

  1. 06.10.2025 14:42 3 articles · 9mo ago

    Trellix discloses renewed XWorm phishing distribution

    Initial Disclosure

    Trellix said the XWorm backdoor is being redistributed in phishing campaigns after XCoder abandoned the project, with versions 6.0, 6.4, and 6.5 adopted by multiple threat actors. The newer builds support 35+ plugins for stealing browser and application data, remote desktop and shell access, file encryption and decryption, and DDoS, and related delivery chains used malicious JavaScript, PowerShell, .LNK files, legitimate-looking .exe filenames such as Discord, and .XLAM payloads. A related lure campaign counted 18,459 infections, mostly in Russia, the United States, India, Ukraine, and Turkey.

    Show sources