On June 4, 2025, cybersecurity researchers detected the first active deployments of XWorm V6.0, marking the unexpected resurgence of the notorious modular RAT family.
The newly surfaced variant retains the core client architecture of its predecessor but adds refinements intended to bypass antivirus detection and strengthen persistence.
Attackers are distributing XWorm V6 via phishing campaigns, deploying malicious JavaScript droppers that silently chain into PowerShell scripts before delivering an injector DLL.
Researchers observed significant upticks in VirusTotal submissions, confirming threat actors worldwide have rapidly adopted the refreshed toolkit.
Stealthy Process Injection via Trusted Executables
The centerpiece of XWorm’s stealth lies in its injector component, which hijacks legitimate Windows executables such as RegSvcs.exe.
Upon executing the initial PowerShell loader, the injector uses native Windows API calls to allocate memory in the target process and write the encrypted XWorm client payload in situ.
After decrypting the payload using a dynamically generated AES key, the injector triggers a remote thread in RegSvcs.exe, effectively running XWorm’s code under the guise of a trusted system binary.
Analysts confirmed this technique successfully evades AMSI hooks and common heuristic scanners, significantly reducing detection rates in standard security suites.
Modular Plugin Framework for Versatile Exploitation
Once the client is active, it performs C2 communication over TCP to 94.159.113.64:4411 using a default encryption key (“<666666>” in V6 compared with “<123456789>” in V5.6).
The client constructs a unique machine identifier by hashing together processor count, username, machine name, OS version, and system directory size, registering this ID under HKCU\SOFTWARE<ClientID> for plugin storage and configuration.
XWorm’s plugin framework remains its most potent feature. When the operator issues the “plugin” command, the client verifies plugin integrity using SHA-256 hashes and retrieves any missing modules from the C2.
All plugins are compressed with gzip and stored in the registry, decrypted, and invoked in memory to avoid touching disk.
Among the more than 35 available payloads, Shell.dll provides remote command execution via hidden cmd.exe processes, while FileManager.dll grants complete filesystem control—including AES-CBC file encryption and decryption.
The RemoteDesktop.dll plugin spawns a credential-encrypted RDP stream, enabling live screen sharing and input simulation.
Stealer modules target browsers, FTP clients, and messaging apps for credential harvesting. The Ransomware.dll plugin empowers operators to launch targeted encryption campaigns, complete with a custom wallpaper dropper, ransom note generation, and BTC address embedding.
Layered Persistence Ensuring Long-Term Access
Persistence techniques in XWorm V6 range from simple to advanced. A bespoke EXE drops a WSF script that, depending on the operator’s choice, can install a logon script, a Run key, or an InstallUtil-based loop.
The logon-script method uses a batch file located under % APPDATA%\Microsoft\CLR. The Run-key method employs HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries. The InstallUtil loop continuously checks for and invokes the payload if it is missing.
The most sophisticated option leverages Windows’ push-button reset by writing ResetConfig.xml and install.cmd to C:\Recovery\OEM ensuring XWorm reinstalls itself after a factory reset.
This technique, borrowed from Pulsar RAT and WEEVILPROXY, highlights XWorm V6’s emphasis on resilience.
XWorm V6’s combination of refined injection, robust plugin delivery, and layered persistence mechanisms underscores the evolving sophistication of RAT campaigns.
Security teams must deploy endpoint detection and response tools tuned to monitor in-memory injection, suspicious registry writes, and anomalous child processes.
Proactive email and web defenses should filter out the initial droppers, while continuous network monitoring can detect C2 beacons and plugin fetch requests before a full compromise occurs. Only a coordinated, multi-layered defense strategy can mitigate the versatile threat posed by XWorm V6.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
