XWorm malware variants with ransomware module and over 35 plugins observed
Summary
New versions of the XWorm backdoor (6.0, 6.4, and 6.5) are being distributed in phishing campaigns. These variants, adopted by multiple threat actors, include a ransomware module and over 35 plugins for various malicious activities. The malware can steal data, take control of the host, and encrypt files. The original developer, XCoder, abandoned the project last year, leading to the proliferation of cracked versions. XWorm, first observed in 2022, is known for its modular architecture and extensive capabilities, including data theft, keylogging, DDoS attacks, and loading other malware. Recent campaigns have used various delivery methods, including JavaScript, PowerShell, and AI-themed lures. The ransomware module, Ransomware.dll, encrypts files in specific locations and provides ransom instructions. The malware has been observed in campaigns targeting users in Russia, the United States, India, Ukraine, and Turkey, with over 18,459 infections reported in one campaign.
Timeline
- 06.10.2025 14:42 · 1 article
  XWorm malware resurfaces with ransomware module and over 35 plugins
  New versions of the XWorm backdoor (6.0, 6.4, and 6.5) have been identified, featuring a ransomware module and over 35 plugins. These variants are being distributed in phishing campaigns and have been adopted by multiple threat actors. The ransomware module, Ransomware.dll, encrypts files in specific locations and provides ransom instructions. The malware uses various delivery methods, including JavaScript, PowerShell, and AI-themed lures. Campaigns have targeted users in multiple countries, with over 18,459 infections reported in one campaign. The original developer, XCoder, abandoned the project last year, leading to the proliferation of cracked versions.
  Sources:
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
Information Snippets
- XWorm versions 6.0, 6.4, and 6.5 include a ransomware module and over 35 plugins.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- The ransomware module, Ransomware.dll, encrypts files in %USERPROFILE% and Documents, avoiding system files.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm can steal data from browsers, applications, and crypto wallets, and execute system commands.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- The malware uses various delivery methods, including JavaScript, PowerShell, and AI-themed lures.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm has been observed in campaigns targeting users in multiple countries, with over 18,459 infections reported.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- The original developer, XCoder, abandoned the project last year, leading to the proliferation of cracked versions.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- XWorm's ransomware module has code overlaps with the NoCry ransomware, using the same encryption algorithm and key generation process.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42
- The malware's plugins include modules for remote desktop access, data theft, file management, and system command execution.
  First reported: 06.10.2025 14:42 · 1 source, 1 article
  - XWorm malware resurfaces with ransomware module, over 35 plugins — www.bleepingcomputer.com — 06.10.2025 14:42