XWorm

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Type: RAT
Origin: Ex-USSR
First seen: 15 July, 2022
Last seen: 21 September, 2025

What is XWorm malware?

XWorm is a remote access trojan (RAT) that gives cybercriminals unauthorized access to a victim's computer. It is a modular malware, meaning that it can be customized to perform a variety of malicious tasks, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and deploying ransomware. It first came into the spotlight in July 2022 and is believed to have originated in the ex-USSR.

XWorm is sold as a malware-as-a-service (MaaS), which makes it extremely dangerous: the model lowers the barrier to entry and opens hacking opportunities to more people. Since its first appearance in the global threat landscape in July 2022, XWorm has gone through several iterations. As of August 2023, versions 4.2 and 5.0 were the latest ones available for purchase.

Criminals use multi-stage attacks to deploy XWorm on victims’ computers. For example, an attack might start with a phishing email that contains a malicious Word document attachment. When the document is opened, it will load an .rtf file from an external link. This file will contain an Excel spreadsheet with macros that will execute a PowerShell script, which will then download XWorm onto the computer.

Technical details of the XWorm malicious software

XWorm is developed with the .NET Framework, which makes it a significant threat to Windows systems. The malware is also configurable, offering a wide range of tools for manipulating the infected machine.

Here are some of XWorm’s key capabilities:

  • Encrypted connection: XWorm is capable of maintaining a secure connection with its C&C server, even during poor network conditions.
  • Information gathering: The malware can collect a wide range of information from the infected computer, including credit card numbers, browsing history, bookmarks, downloads, as well as Firefox and Chromium passwords and cookies.
  • Account hijacking: XWorm can hack Discord, Telegram, and MetaMask accounts, as well as get hold of WiFi keys and product keys.
  • User activity tracking: The malware enables attackers to monitor the victim’s activities on their computer by logging their keystrokes, automatically saving webcam images, listening to their microphone, scanning their network connections, and viewing opened windows.
  • Clipboard access: XWorm can retrieve the information that has been copied to the clipboard and replace victims’ crypto wallet credentials with those of the attacker.
  • File management: It can gain control of a computer’s file system to transfer sensitive documents and content to its C2 or download additional malware and run it.

In order to bypass User Account Control (UAC), XWorm attempts to get administrator permissions on the infected computer. This allows it to make changes to the system without requiring user consent. To ensure persistence, the malware adds itself to the list of programs that run automatically when the computer starts up by editing the registry.

It is also polymorphic, meaning that the malware’s code regularly transforms itself to throw detection software off course. Although XWorm has a built-in functionality to terminate its execution once it senses that it is launched in a virtualized environment, the ANY.RUN sandbox has no problem identifying the malware.

XWorm’s configuration

Execution process of XWorm

The malicious behavior of XWorm can be easily uncovered by uploading it to the ANY.RUN sandbox. Here is a sample of this malware on the platform.

Immediately upon execution, XWorm drops an executable file into the Startup directory (C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm.exe) and into the Roaming directory (C:\Users\admin\AppData\Roaming\XWorm.exe).

XWorm’s process graph

For the copy in the Roaming directory, persistence is established through a scheduled task created with the Task Scheduler. The malware then checks for the host's external IP address, a check that ANY.RUN's Residential Proxy feature lets the sample pass. After this, XWorm starts sending beacons to the C&C server and waits for commands to execute.
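The two persistence artifacts described above (an executable dropped into the per-user Startup folder, and a scheduled task pointing at the copy in the Roaming directory) are a useful pair to correlate in endpoint telemetry. The following is an added detection example, not ANY.RUN's code: it runs over constructed, simplified Sysmon-style JSON events, and the field names (`event`, `pid`, `parent_pid`, `image`, `target`, `cmdline`) are assumptions made for this example.

```python
import json
import re

# Constructed, simplified Sysmon-style events (one JSON object per line).
# These are sample inputs made up for this example, not real telemetry.
SAMPLE_EVENTS = r"""
{"event":"FileCreate","pid":4120,"image":"C:\\Users\\admin\\Downloads\\invoice.exe","target":"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\XWorm.exe"}
{"event":"FileCreate","pid":4120,"image":"C:\\Users\\admin\\Downloads\\invoice.exe","target":"C:\\Users\\admin\\AppData\\Roaming\\XWorm.exe"}
{"event":"ProcessCreate","pid":4188,"parent_pid":4120,"image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn Updater /tr C:\\Users\\admin\\AppData\\Roaming\\XWorm.exe"}
{"event":"FileCreate","pid":5000,"image":"C:\\Program Files\\Editor\\editor.exe","target":"C:\\Users\\admin\\Documents\\notes.txt"}
{"event":"ProcessCreate","pid":5100,"parent_pid":5000,"image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /query"}
"""

# An .exe written into the per-user Startup folder (executed at every logon).
STARTUP_DROP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# A scheduled task being created whose action lives under the user's Roaming profile.
ROAMING_TASK = re.compile(r"schtasks(\.exe)?\s+/create\b.*\\AppData\\Roaming\\", re.IGNORECASE)


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_xworm_persistence(text):
    """Return one finding per source process that both drops an .exe into the
    Startup folder and spawns schtasks to register a Roaming-profile binary.
    Requiring both artifacts from the same process keeps false positives low:
    installers may do one of them, but rarely both."""
    startup_by_pid, task_by_pid = {}, {}
    for ev in parse_events(text):
        if ev["event"] == "FileCreate" and STARTUP_DROP.search(ev["target"]):
            startup_by_pid.setdefault(ev["pid"], []).append(ev["target"])
        elif ev["event"] == "ProcessCreate" and ROAMING_TASK.search(ev.get("cmdline", "")):
            # Attribute the task to the parent that launched schtasks.exe.
            task_by_pid.setdefault(ev["parent_pid"], []).append(ev["cmdline"])
    findings = []
    for pid in sorted(startup_by_pid.keys() & task_by_pid.keys()):
        findings.append({"pid": pid,
                         "startup_drops": startup_by_pid[pid],
                         "task_cmdlines": task_by_pid[pid],
                         "verdict": "suspected XWorm-style persistence"})
    return findings


if __name__ == "__main__":
    for finding in detect_xworm_persistence(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```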

Read a detailed analysis of XWorm in our blog.

Distribution methods of the XWorm malware

As with most malware families, email phishing campaigns serve as XWorm’s main gateway to victims’ computers. The attack begins with an email containing an attachment. By exploiting different social engineering techniques, threat actors can persuade a user to download the attached file and open it.

Analysts have observed several file formats used by attackers, including .rtf, .lnk, and .pdf. In most cases, the email attachment itself does not contain any macros and is used primarily to kick off a chain reaction that involves downloading several other files, executing PowerShell scripts, and finally delivering the payload.

Such attacks can be facilitated by specialized tools, such as Freeze[.]rs and SYK Crypter, which are equipped with advanced capabilities for circumventing defense systems to drop a variety of malware families including Remcos RAT, njRAT, and RedLine Stealer.

One of the most recent XWorm attacks targeted businesses in Germany. It involved sending a .docx document to victims with a name that suggested it contained hotel reservation information. Instead of using macros, the file exploited the Follina vulnerability (CVE-2022-30190) to run external malicious files and a PowerShell script, which eventually dropped XWorm.

Conclusion

XWorm retains considerable staying power due to the consistent updates and wide availability, making it a top concern for organizations around the world. To protect your system from this threat, you need to have a stricter approach towards handling any links or files arriving in your inbox from unknown senders.

Instead of downloading documents and opening URLs, you can first analyze them in the ANY.RUN sandbox to quickly understand whether the file is malicious or not. ANY.RUN also provides you with a detailed report about the malware, such as its IOCs and TTPs. This information can be used to protect your organization from future attacks.

