XWorm backdoor with expanded ransomware plugins
Malware Activity
Summary
The XWorm Windows backdoor is being redistributed in phishing campaigns, and the newer builds 6.0, 6.4, and 6.5 expand its reach from data theft to remote control, file encryption, and other post-compromise actions. Trellix said the malware now supports 35+ plugins for stealing browser and application data, opening remote desktop and shell sessions, and managing infected hosts through a modular C2 workflow. Delivery has used malicious JavaScript, PowerShell, .LNK files, and .XLAM payloads, with some lures using legitimate-looking .exe filenames such as Discord. The added ransomware module makes XWorm a more flexible and dangerous threat once an endpoint is compromised.
Related Happenings
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2
Malware Activity
First: 23.04.2026 15:06
Last: 23.04.2026 15:06
Sources 1
About this happening:
The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Timeline
- 06.10.2025 14:42 · 3 articles · 7mo ago
Trellix discloses renewed XWorm phishing distribution
Initial Disclosure: Trellix said the XWorm backdoor is being redistributed in phishing campaigns after XCoder abandoned the project, with versions 6.0, 6.4, and 6.5 adopted by multiple threat actors. The newer builds support 35+ plugins for stealing browser and application data, remote desktop and shell access, file encryption and decryption, and DDoS, and related delivery chains used malicious JavaScript, PowerShell, .LNK files, legitimate-looking .exe filenames such as Discord, and .XLAM payloads. A related lure campaign counted 18,459 infections, mostly in Russia, the United States, India, Ukraine, and Turkey.
Sources:
- XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities — thehackernews.com — 07.10.2025 13:36