XWorm cracked-version phishing campaign
Campaign
Summary
An XWorm phishing distribution campaign is spreading cracked versions and lure-based infections at scale, with 18,459 infections across multiple countries. The operation matters because the malware ecosystem stayed active after XCoder abandoned the project, and new builds are being adopted by multiple threat actors. The campaign uses malicious JavaScript, PowerShell, .LNK, and .XLAM infection chains, and recent reporting adds XWorm 6.0 delivery that injects into RegSvcs.exe while hiding behind a decoy PDF.
Related Happenings
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
GlassWorm OpenVSX sleeper extension campaign
Campaign
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
Timeline
- 06.10.2025 14:42 · 3 articles · 7mo ago
XWorm cracked versions spread through phishing campaigns
Campaign Scope Update
XWorm 6.0, 6.4, and 6.5 were being distributed through phishing campaigns after XCoder abandoned the project, with multiple threat actors adopting the variants and using malicious JavaScript, PowerShell, .LNK files, legitimate-looking .exe filenames, and shellcode embedded in Microsoft Excel (.XLAM) to deliver the malware. The campaign ecosystem also included more than 35 plugins for credential theft, remote desktop and shell access, file encryption/decryption, and DDoS, and one related lure campaign reached 18,459 infections across Russia, the United States, India, Ukraine, and Turkey.
Sources
- XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities — thehackernews.com — 07.10.2025 13:36