
XWorm malware variants with ransomware module and over 35 plugins observed

2 unique sources, 2 articles

Summary


XWorm malware, first observed in 2022, has resurfaced with enhanced capabilities. New versions (6.0, 6.4, and 6.5) include a ransomware module and over 35 plugins, enabling data theft, keylogging, DDoS attacks, and more. The malware is being distributed in phishing campaigns and has been adopted by multiple threat actors. The original developer, XCoder, abandoned the project last year, leading to the proliferation of cracked versions. XWorm's modular architecture allows it to steal data, take control of the host, and encrypt files. Recent campaigns have used various delivery methods, including JavaScript, PowerShell, and AI-themed lures. The ransomware module, Ransomware.dll, encrypts files in specific locations and provides ransom instructions. The malware has been observed in campaigns targeting users in multiple countries, with over 18,459 infections reported in one campaign. XWorm 6.0 is being sold on cybercrime forums for $500 for lifetime access and connects to its C2 server at 94.159.113[.]64 on port 4411. The malware's plugins include modules for remote desktop access, data theft, file management, and system command execution.
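As an added defender-side illustration (not code from the page or from any of its sources), the following Python scans Zeek-style conn.log lines for sessions to the XWorm 6.0 C2 indicator reported above, refanging the published `[.]` notation first; the log lines, field layout and internal host addresses are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Indicator as published on the page (defanged); refanged before matching.
XWORM_C2_DEFANGED = "94.159.113[.]64"
XWORM_C2_PORT = 4411


def refang(indicator: str) -> str:
    """Turn common defanging ('[.]', '(.)', '{.}') back into plain dots."""
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", indicator)


# Constructed sample in Zeek conn.log-like TSV order:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_CONN_LOG = """\
1759750000.12\tCa1\t10.0.0.5\t51234\t142.250.74.46\t443\ttcp
1759750003.48\tCa2\t10.0.0.5\t51240\t94.159.113.64\t4411\ttcp
1759750007.90\tCa3\t10.0.0.9\t40022\t94.159.113.64\t80\ttcp
1759750010.01\tCa4\t10.0.0.17\t55001\t94.159.113.64\t4411\ttcp
"""


def find_xworm_c2_hits(log_text, c2_ip=XWORM_C2_DEFANGED, c2_port=XWORM_C2_PORT):
    """Return {'exact': [...], 'ip_only': [...]} where each entry names the
    internal source host and connection uid. 'exact' matches IP and port
    (high confidence); 'ip_only' matches the C2 address on another port,
    worth a look but weaker evidence on its own."""
    target = ip_address(refang(c2_ip))
    hits = {"exact": [], "ip_only": []}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        try:
            resp_h = ip_address(fields[4])
            resp_p = int(fields[5])
        except ValueError:
            continue  # malformed line, skip rather than crash the sweep
        if resp_h != target:
            continue
        bucket = "exact" if resp_p == c2_port else "ip_only"
        hits[bucket].append({"uid": fields[1], "src": fields[2], "port": resp_p})
    return hits


if __name__ == "__main__":
    for level, entries in find_xworm_c2_hits(SAMPLE_CONN_LOG).items():
        for e in entries:
            print(f"{level}: {e['src']} -> {refang(XWORM_C2_DEFANGED)}:{e['port']} ({e['uid']})")
```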

Timeline

  1. 06.10.2025 14:42 2 articles · 7d ago

    XWorm malware resurfaces with ransomware module and over 35 plugins

    XWorm 6.0 is being sold on cybercrime forums for $500 for lifetime access. The malware connects to its C2 server at 94.159.113[.]64 on port 4411 and supports a command called 'plugin' to run over 35 DLL payloads. XWorm 6.0 infections have served as a conduit for other malware families, including DarkCloud Stealer, Hworm, Snake KeyLogger, Coin Miner, Pure Malware, ShadowSniff Stealer, Phantom Stealer, Phemedrone Stealer, and Remcos RAT.


Similar Happenings

Stealit Malware Campaign Abuses Node.js SEA Feature

A malware campaign named Stealit is actively distributing Node.js-based payloads via the Single Executable Application (SEA) feature. The malware is propagated through fake installers for games and VPN applications on file-sharing sites. The campaign offers a remote access trojan (RAT) with various capabilities, including file extraction, webcam control, and ransomware deployment. The malware performs anti-analysis checks, writes an authentication key to a temporary file, and configures Microsoft Defender exclusions to avoid detection. It targets Chromium-based browsers, messengers, cryptocurrency wallets, and game-related apps. The campaign is monetized through subscription plans for the malware's services. The threat actor has also relocated the command-and-control (C2) panel to new domains and reverted to using the Electron framework with encrypted scripts.

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida.

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been identified deploying a new backdoor malware named NotDoor through Microsoft Outlook. This malware exploits Outlook to facilitate covert communication, data exfiltration, and malware delivery. The backdoor is triggered by specific words in incoming emails, allowing attackers to execute commands on the victim's computer. NotDoor is distributed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The malware uses PowerShell commands encoded in Base64 to perform various functions, including disabling macro security defenses and enabling macro execution. The backdoor maintains persistent access to the targeted system and can initiate data exfiltration through email attachments or upload malicious files. The malware has been used to target multiple companies from different sectors in NATO member countries. It creates a staging folder at %TEMP%\Temp to store and exfiltrate files, and supports commands for running system commands, exfiltrating files, and uploading files to the victim's computer.

Supply Chain Attack Targets npm Packages with Over 2.6 Billion Weekly Downloads

A supply chain attack involving multiple npm packages with over 2.6 billion weekly downloads has been discovered. The attack, which began in April 2025, involved the injection of malicious code into npm packages after compromising a maintainer's account via a phishing attack. The malicious code targets cryptocurrency wallets, including Atomic and Exodus, and redirects transactions to addresses controlled by threat actors. The attack has now expanded to include additional maintainers and packages, further broadening its impact. The malicious packages were removed within two hours of the attack, and the injected code targeted browser environments, hooking Ethereum and Solana signing requests. The attack was discovered and mitigated quickly, preventing more severe security incidents. The attack follows a series of similar incidents targeting JavaScript libraries, emphasizing the ongoing threat to the npm ecosystem and the broader supply chain. The compromised packages include popular ones such as ansi-regex, ansi-styles, chalk, debug, and others, collectively attracting over 2 billion weekly downloads. The malicious code operates by intercepting network traffic and application APIs, targeting various cryptocurrencies including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. At least 18 popular JavaScript code packages were compromised, collectively downloaded more than two billion times each week. The attack was narrowly focused on stealing cryptocurrency but highlights the potential for more disruptive malware outbreaks. The incident underscores the vulnerability of widely-used code maintained by a small number of developers and the need for stronger authentication measures.

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since August 1, 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated.