XWorm backdoor with expanded ransomware plugins
Malware Activity
Summary
Hide ▲
Show ▼
The XWorm Windows backdoor is being redistributed in phishing campaigns, and newer builds 6.0, 6.4, and 6.5 expand its reach from theft to remote control, file encryption, and other post-compromise actions. Trellix said the malware now supports 35+ plugins for stealing browser and application data, opening remote desktop and shell sessions, and managing infected hosts through a modular C2 workflow. Delivery has used malicious JavaScript, PowerShell, .LNK files, and .XLAM payloads, with some lures posing as legitimate-looking .exe files such as Discord. The added ransomware module makes XWorm a more flexible and dangerous threat once an endpoint is compromised.
Related Happenings
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
H score28
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityAbout this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
H score23
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
ABCDoor backdoor activity in Silver Fox attacks
Malware ActivityAbout this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Timeline
-
06.10.2025 14:42 3 articles · 9mo ago
Trellix discloses renewed XWorm phishing distribution
Initial DisclosureTrellix said the XWorm backdoor is being redistributed in phishing campaigns after XCoder abandoned the project, with versions 6.0, 6.4, and 6.5 adopted by multiple threat actors. The newer builds support 35+ plugins for stealing browser and application data, remote desktop and shell access, file encryption and decryption, and DDoS, and related delivery chains used malicious JavaScript, PowerShell, .LNK files, legitimate-looking .exe filenames such as Discord, and .XLAM payloads. A related lure campaign counted 18,459 infections, mostly in Russia, the United States, India, Ukraine, and Turkey.
Show sources
- XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities — thehackernews.com — 07.10.2025 13:36