Cybercrime continues to evolve at an alarming pace. Threat actors are no longer relying on bulky, easily detectable malware. Instead, they are pursuing what many call the “perfect weapon”—malware that is lightweight, modular, stealthy, and extremely effective.
One malware family that perfectly represents this shift is XWorm.
Once considered just another commodity Remote Access Trojan (RAT), XWorm has rapidly grown into one of the most widely used tools in the cybercrime ecosystem. Earlier versions such as XWorm v6.x already caused widespread disruption; attackers have since moved to a more advanced release, XWorm v7.x.
In this blog, we explore a recent campaign that attempted to target a Taiwan-based network security company, analyze the XWorm v7.1 infection chain, and examine how this malware has become a dominant commodity in underground markets.

The Rise of XWorm in the Cybercrime Market
The underground malware market is highly competitive. New tools constantly appear, but only a few achieve long-term dominance.
For years, tools like AsyncRAT, QuasarRAT, Remcos, and AgentTesla were among the most widely used RATs. However, XWorm has recently overtaken many of these tools in popularity.
According to the ANY.RUN 2025 Annual Threat Report, XWorm detections increased by 174% in just one year. While older malware families dropped in popularity, XWorm climbed to #3 in the global threat ranking.
This rapid growth shows how quickly cybercriminals adopt tools that offer high functionality combined with low detection rates.
Winning the “RAT Race”
XWorm’s success is not just about affordability, even though a lifetime license sells for around $500 on underground forums.
Its dominance comes from something more important: effective simplicity.
Several factors contribute to its rapid adoption:
Massive growth in detections
XWorm detections in 2025 were 4.3 times higher than in 2024, showing a dramatic rise in global activity.
Large-scale infections
One builder campaign in 2025 alone was linked to more than 18,000 compromised devices, proving that low-cost malware can still cause enterprise-level damage.
Active underground distribution
Researchers have also identified Telegram channels actively distributing XWorm v7.x, making it easily accessible to both experienced attackers and beginners.
This combination of accessibility and capability has made XWorm one of the most widely used commodity malware families today.
A New Infection Strategy: XWorm v7.1 Kill Chain
During our investigation, we analyzed a new XWorm v7.1 infection chain that differs from older campaigns.
Instead of using traditional LNK files or executables, attackers relied on JavaScript droppers and “Living off the Land” techniques to evade detection.
The campaign also exploited CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR 7.12 and earlier.
Attackers distributed weaponized archives through Discord, disguising them as legitimate game mods or community plugins.
The crafted archive abuses NTFS Alternate Data Streams (ADS) to place files outside the chosen extraction directory, for example in a user's Startup folder, so the payload lands on disk as soon as the victim extracts the archive, without any separate downloader.
Because of its reliability, this vulnerability has quickly become popular among both financially motivated cybercriminals and state-sponsored actors.
Organizations are strongly advised to upgrade to WinRAR 7.13 or later to mitigate this attack vector.
Breaking Down the 7-Stage Attack Chain
The XWorm v7.1 campaign follows a structured multi-stage infection chain designed to avoid detection at every step.
1. Initial Access – Phishing Email
The attack begins with a phishing email containing a ZIP attachment with a convincing business-related name such as:
“MFEQuotation Work request for NCSOCSO.zip”
Inside the archive is a malicious JavaScript file designed to appear harmless.
2. JavaScript Dropper
When the victim opens the file, it executes through wscript.exe.
The script is heavily obfuscated and includes junk data to hide its purpose. Its primary role is to download a PowerShell script from a remote server:
hxxps://kolanga[.]cc/devils/ENCRYPTEDX.ps1
The script is then saved locally and executed with the following flags:
-nop -ep bypass
These are short forms of -NoProfile and -ExecutionPolicy Bypass: the first skips the user's profile scripts (and any logging or hardening configured there), the second sets the execution policy to Bypass for that one process so an unsigned script runs without prompts. Execution policy is not a security boundary and any user can override it this way, which is exactly why these flags are a useful detection signal rather than a control to rely on.
3. Encrypted PowerShell Staging
The downloaded PowerShell script acts as an encrypted container for the next stage of the attack.
It contains:
- A large encrypted payload
- A hardcoded AES decryption key
- Instructions for executing the malware in memory
After decryption, the script prepares a malicious DLL payload.
4. Living-off-the-Land Execution
To avoid detection, the malware abuses a legitimate Windows utility:
Aspnet_compiler.exe
Located in:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\
Since this is a trusted Microsoft binary, most security tools allow it to run without suspicion.
The PowerShell script performs reflective DLL injection, writing the decrypted XWorm DLL into a freshly started Aspnet_compiler.exe process and executing it from memory, so the payload runs under the identity of a signed Microsoft binary.
5. In-Memory Payload Execution
The injected XWorm payload operates entirely in memory, leaving minimal traces on disk.
Before activating its functions, it performs environmental checks using WMI queries such as:
SELECT * FROM AntiVirusProduct
SELECT * FROM Win32_VideoController
The first query (run against the root\SecurityCenter2 namespace) enumerates installed antivirus products; the second returns the display adapter, whose name exposes VMware, VirtualBox or Hyper-V graphics drivers in most sandboxes and virtual machines. Together they help the malware decide whether it is running in an analysis environment.
Once active, the payload can perform multiple actions:
- Keylogging
- File downloads
- DDoS attacks
- System commands
- Host file modification
- Process control
However, in this campaign, the primary objective is keylogging.
6. Persistence Mechanism
To remain active after system reboots, the attackers create a persistence mechanism.
The legitimate Aspnet_compiler.exe file is copied to:
%AppData% (that is, C:\Users\<user>\AppData\Roaming)
and renamed to:
XWormClient.exe
A registry entry is then added to the Windows Run key, ensuring the malware launches automatically when the system starts.
7. Data Exfiltration
The malware records every keystroke and saves it to a hidden log file inside the %TEMP% directory.
At regular intervals, the logs are encrypted and sent to the attacker’s Command and Control (C2) server:
204.10.160.190
TCP Port: 7003
Encryption hides the content of the stolen data from network inspection, but the destination address, the port and the regular beaconing pattern remain visible to monitoring.
Investigating the Malware Infrastructure
Further analysis of the C2 IP address revealed that it has been linked to multiple malware campaigns and different malware families.
This suggests the infrastructure may be part of a larger cybercrime ecosystem used by several threat groups.
XWorm v7.1 Capabilities
Beyond keylogging, XWorm includes a wide range of post-exploitation plugins, allowing attackers to perform extensive surveillance and control.
Some of these capabilities include:
- Monitoring files, registry activity, and running processes
- Webcam and microphone access
- Password theft
- Clipboard manipulation
- Remote command execution
- Program installation
- UAC bypass
- Anti-analysis protection against tools like dnSpy and .NET Reflector
These features transform XWorm into a complete remote surveillance and control platform.
Why XWorm Is Becoming a Major Global Threat
XWorm’s rapid rise highlights a major shift in the cybercrime ecosystem.
Commodity malware is no longer simple or unsophisticated. Instead, it now integrates techniques commonly associated with Advanced Persistent Threats (APTs).
XWorm v7.1 demonstrates this clearly by combining:
- Living-off-the-Land execution
- Memory-resident payloads
- Reflective DLL injection
- Exploitation of real software vulnerabilities
- Encrypted command-and-control communication
By abusing trusted tools and hiding inside legitimate processes, the malware can bypass many traditional signature-based security solutions.
How Organizations Can Defend Against XWorm
Defending against modern threats like XWorm requires a multi-layered security approach.
Strengthen the human layer
Phishing remains the most common entry point. Employees should be trained to treat unexpected ZIP or RAR attachments with caution, even if they appear to come from trusted senders.
Patch vulnerable software
Organizations must update WinRAR to version 7.13 or later to prevent exploitation of CVE-2025-8088.
Deploy behavior-based detection
Security tools should monitor suspicious behavior such as:
- PowerShell execution with bypass flags
- DLL injection
- Unusual activity from trusted system binaries
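The three behaviours listed above, together with the stage 2 PowerShell flags, the stage 4 LOLBin execution and the stage 6 renamed copy of Aspnet_compiler.exe, can be expressed as concrete rules over process-creation telemetry. What follows is an added example written for this article, not code from the campaign analysis or from any vendor product. It runs over constructed Sysmon Event ID 1-style events (the PIDs, user name and paths are made up to mirror the chain described above) and resolves powershell.exe switch aliases and unambiguous prefixes the way powershell.exe itself does, so -ep bypass, -ex bypass, -exec bypass and -ExecutionPolicy Bypass all trigger the same rule.

```python
import re

# Constructed Sysmon Event ID 1-style process-creation events (PIDs, paths and file names
# are made up to mirror the chain described in the article; none of this is real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wscript.exe", "original": "wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\MFEQuotation Work request for NCSOCSO.js"'},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "original": "PowerShell.EXE",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"powershell.exe -nop -ep bypass -f C:\Users\bob\AppData\Local\Temp\ENCRYPTEDX.ps1"},
    {"pid": 4201, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "original": "aspnet_compiler.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"pid": 5000, "image": r"C:\Users\bob\AppData\Roaming\XWormClient.exe", "original": "aspnet_compiler.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Users\bob\AppData\Roaming\XWormClient.exe"'},
    # Benign control: an admin runs a script with the default execution policy from Explorer.
    {"pid": 6000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "original": "PowerShell.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# powershell.exe switches with their documented short aliases. powershell.exe also accepts any
# unambiguous prefix of a full name (e.g. -exec), so both forms are resolved in normalize_switch.
PS_SWITCHES = {
    "noprofile": {"nop"}, "executionpolicy": {"ex", "ep"}, "encodedcommand": {"e", "ec", "enc"},
    "noninteractive": {"noni"}, "windowstyle": {"w"}, "command": {"c"}, "file": {"f"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"} | SCRIPT_HOSTS
# Signed .NET binaries that are commonly abused as proxies for executing attacker code.
LOLBIN_ORIGINALS = {"aspnet_compiler.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_switch(token):
    """Resolve a powershell.exe switch (alias or unambiguous prefix, any case) to its full name."""
    if not token.startswith(("-", "/")):
        return None
    name = token[1:].lower()
    for full, aliases in PS_SWITCHES.items():
        if name == full or name in aliases:
            return full
    prefixed = [full for full in PS_SWITCHES if full.startswith(name)]
    return prefixed[0] if len(prefixed) == 1 else None   # ambiguous prefixes are rejected


def powershell_switches(cmd):
    """Return {full_switch: following_value_or_None} for a powershell command line."""
    toks = cmd.split()
    out = {}
    for i, tok in enumerate(toks):
        full = normalize_switch(tok)
        if full:
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            out[full] = nxt.lower() if nxt and not nxt.startswith(("-", "/")) else None
    return out


def detect(event):
    """Return the names of the rules a single process-creation event triggers."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    orig = event["original"].lower()
    cmd = event["cmd"]
    if image in {"powershell.exe", "pwsh.exe"}:
        sw = powershell_switches(cmd)
        if sw.get("executionpolicy") in {"bypass", "unrestricted"}:
            hits.append("ps_execution_policy_bypass")
        if parent in SCRIPT_HOSTS:
            hits.append("ps_spawned_by_script_host")
    # Stage 2: wscript/cscript executing a script straight out of the Downloads folder.
    if image in SCRIPT_HOSTS and re.search(r'\.(js|jse|vbs|vbe|wsf)"?\s*$', cmd, re.I) \
            and "\\downloads\\" in cmd.lower():
        hits.append("script_host_running_downloaded_script")
    # Stage 4: the compiler binary has no business being launched by a shell or script host.
    if orig == "aspnet_compiler.exe" and parent in SHELLS:
        hits.append("lolbin_spawned_by_shell")
    # Stage 6: OriginalFileName (from the PE version resource) no longer matches the name on disk.
    if orig in LOLBIN_ORIGINALS and image != orig:
        hits.append("renamed_lolbin")
    folder = event["image"].lower().rsplit("\\", 1)[0]
    if folder.endswith("\\appdata\\roaming"):
        hits.append("exe_in_appdata_roaming_root")
    return hits


def scan(events):
    """Map each event's pid to the rules it triggered."""
    return {e["pid"]: detect(e) for e in events}


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules or "clean")
```

The renamed-binary rule depends on the OriginalFileName field that Sysmon and most EDR agents record from the PE version resource; a plain 4688 event does not carry it, so on hosts without that telemetry fall back to hashing executables found in the root of %AppData%.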
Monitor outbound traffic
Continuous network monitoring can help detect encrypted communication to suspicious C2 servers, particularly unusual traffic on ports such as 7003.
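An exact match on the C2 address and port catches this campaign; the beaconing behaviour described in stage 7 (logs sent "at regular intervals") can also be caught generically, which survives an operator rotating the IP. The block below is an added example for this section, not code from the page or from any product. The C2 endpoint is the one reported above; every log line is constructed in a Zeek-style conn.log layout. It flags any source/destination/port triple whose inter-connection intervals are nearly constant (low coefficient of variation) once enough connections have been seen.

```python
from collections import defaultdict
from statistics import mean, pstdev

# C2 endpoint reported in the write-up above; the log below is entirely constructed.
C2_IOCS = {("204.10.160.190", 7003)}

# Constructed Zeek-style conn.log (tab-separated: ts, id.orig_h, id.resp_h, id.resp_p, proto,
# orig_bytes). One host beacons to the C2 roughly every 300 s, browses normally on 443 and
# makes three evenly spaced connections to an unrelated port (too few to judge).
SAMPLE_CONN_LOG = """\
1730000000.000\t10.0.0.15\t204.10.160.190\t7003\ttcp\t2048
1730000017.000\t10.0.0.15\t203.0.113.10\t443\ttcp\t5120
1730000100.000\t10.0.0.15\t198.51.100.20\t8080\ttcp\t300
1730000200.000\t10.0.0.15\t198.51.100.20\t8080\ttcp\t300
1730000300.000\t10.0.0.15\t198.51.100.20\t8080\ttcp\t300
1730000301.000\t10.0.0.15\t204.10.160.190\t7003\ttcp\t2112
1730000400.000\t10.0.0.15\t203.0.113.10\t443\ttcp\t8800
1730000402.000\t10.0.0.15\t203.0.113.10\t443\ttcp\t1200
1730000598.000\t10.0.0.15\t204.10.160.190\t7003\ttcp\t1980
1730000903.000\t10.0.0.15\t204.10.160.190\t7003\ttcp\t2056
1730001199.000\t10.0.0.15\t204.10.160.190\t7003\ttcp\t2001
1730001300.000\t10.0.0.15\t203.0.113.10\t443\ttcp\t64000
1730001305.000\t10.0.0.15\t203.0.113.10\t443\ttcp\t700
1730001502.000\t10.0.0.15\t204.10.160.190\t7003\ttcp\t2090
1730001600.000\t10.0.0.15\t203.0.113.10\t443\ttcp\t3000
"""


def parse_conn_log(text):
    """Parse the tab-separated log into dicts; '#' lines (Zeek headers) are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, obytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                        "proto": proto, "orig_bytes": int(obytes)})
    return records


def match_iocs(records):
    """Exact indicator match on destination address and port."""
    return [r for r in records if (r["dst"], r["dport"]) in C2_IOCS]


def find_beacons(records, min_conns=5, max_cv=0.15):
    """Flag flows whose connection intervals are too regular to be human-driven.

    cv = stdev(gaps) / mean(gaps); a scheduled beacon with light jitter sits well under 0.15,
    interactive browsing is typically above 1. Flows with fewer than min_conns connections
    are skipped because two or three gaps cannot establish a pattern.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                         "mean_interval": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("IOC matches:", len(match_iocs(recs)))
    for h in find_beacons(recs):
        print("beacon candidate:", h)
```

Tune min_conns and max_cv to the environment: software updaters and monitoring agents also beacon, so the output is a hunting lead to be joined with the process telemetry (which process owns the socket) rather than an alert on its own.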
Final Thoughts
XWorm’s rapid growth reflects a broader trend in the cybercrime landscape: commodity malware is becoming increasingly advanced.
What was once a tool used by inexperienced attackers has evolved into a sophisticated platform capable of executing stealthy and large-scale operations.
With the release of XWorm v7.1, attackers now have access to malware that combines low cost, high functionality, and strong evasion capabilities.
For defenders, this means that relying solely on traditional security methods is no longer enough. Organizations must adopt behavior-based detection, proactive threat hunting, and rapid patch management to stay ahead of evolving threats.
The era of “simple commodity malware” is coming to an end — and XWorm is leading that transformation.
