XWorm cracked-version phishing campaign
Campaign
Summary
Hide ▲
Show ▼
A XWorm phishing distribution campaign is spreading cracked versions and lure-based infections at scale, with 18,459 infections across multiple countries. The operation matters because the malware ecosystem stayed active after XCoder abandoned the project, and new builds are being adopted by multiple threat actors. The campaign uses malicious JavaScript, PowerShell, .LNK, and .XLAM infection chains, and recent reporting adds XWorm 6.0 delivery that injects into RegSvcs.exe while hiding behind a decoy PDF.
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
H score38
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm multi-country targeting campaign against government and enterprise victims
CampaignAbout this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
H score28
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityAbout this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
H score19
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical AnalysisAbout this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Timeline
-
06.10.2025 14:42 3 articles · 9mo ago
XWorm cracked versions spread through phishing campaigns
Campaign Scope UpdateXWorm 6.0, 6.4, and 6.5 were being distributed through phishing campaigns after XCoder abandoned the project, with multiple threat actors adopting the variants and using malicious JavaScript, PowerShell, .LNK files, legitimate-looking .exe filenames, and shellcode embedded in Microsoft Excel (.XLAM) to deliver the malware. The campaign ecosystem also included more than 35 plugins for credential theft, remote desktop and shell access, file encryption/decryption, and DDoS, and one related lure campaign reached 18,459 infections across Russia, the United States, India, Ukraine, and Turkey.
Show sources
- XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities — thehackernews.com — 07.10.2025 13:36