Find notable cyber news and cases, enriched with sources, timelines, and signals.

XWorm cracked-version phishing campaign

Campaign
First reported
Last updated
Happening score
H score 41
2 unique sources, 2 articles

Summary

Hide ▲

A XWorm phishing distribution campaign is spreading cracked versions and lure-based infections at scale, with 18,459 infections across multiple countries. The operation matters because the malware ecosystem stayed active after XCoder abandoned the project, and new builds are being adopted by multiple threat actors. The campaign uses malicious JavaScript, PowerShell, .LNK, and .XLAM infection chains, and recent reporting adds XWorm 6.0 delivery that injects into RegSvcs.exe while hiding behind a decoy PDF.

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
H score38 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
H score19 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

Timeline

  1. 06.10.2025 14:42 3 articles · 9mo ago

    XWorm cracked versions spread through phishing campaigns

    Campaign Scope Update

    XWorm 6.0, 6.4, and 6.5 were being distributed through phishing campaigns after XCoder abandoned the project, with multiple threat actors adopting the variants and using malicious JavaScript, PowerShell, .LNK files, legitimate-looking .exe filenames, and shellcode embedded in Microsoft Excel (.XLAM) to deliver the malware. The campaign ecosystem also included more than 35 plugins for credential theft, remote desktop and shell access, file encryption/decryption, and DDoS, and one related lure campaign reached 18,459 infections across Russia, the United States, India, Ukraine, and Turkey.

    Show sources