
XWorm malware variants with ransomware module and over 35 plugins observed

1 unique source, 1 article

Summary


New versions of the XWorm backdoor (6.0, 6.4, and 6.5) are being distributed in phishing campaigns. These variants, adopted by multiple threat actors, include a ransomware module and over 35 plugins covering a range of malicious activities. The malware can steal data, take control of the host, and encrypt files. The original developer, XCoder, abandoned the project last year, which led to the spread of cracked versions. XWorm, first observed in 2022, is known for its modular architecture and broad capabilities, including data theft, keylogging, DDoS attacks, and loading additional malware. Recent campaigns have used several delivery methods, including JavaScript, PowerShell, and AI-themed lures. The ransomware module, Ransomware.dll, encrypts files in specific locations and drops ransom instructions. The malware has been observed in campaigns targeting users in Russia, the United States, India, Ukraine, and Turkey, with over 18,459 infections reported in one campaign.

Timeline

  1. 06.10.2025 14:42 · 1 article

    XWorm malware resurfaces with ransomware module and over 35 plugins

    New versions of the XWorm backdoor (6.0, 6.4, and 6.5) have been identified, featuring a ransomware module and over 35 plugins. These variants are being distributed in phishing campaigns and have been adopted by multiple threat actors. The ransomware module, Ransomware.dll, encrypts files in specific locations and drops ransom instructions. The malware uses several delivery methods, including JavaScript, PowerShell, and AI-themed lures. Campaigns have targeted users in multiple countries, with over 18,459 infections reported in one campaign. The original developer, XCoder, abandoned the project last year, which led to the spread of cracked versions.


Information Snippets