XWorm V31 Updated

Enable Antimalware Scan Interface (AMSI) logging to detect obfuscated script executions in PowerShell and VBScript.

The author and publisher of this article assume no liability for any use or misuse of this information. This content is provided for educational and defensive security purposes only. Malware analysis and threat intelligence should only be conducted in controlled, isolated environments by qualified security professionals.

XWorm is a fully featured remote access Trojan (RAT) first identified in 2022 that has rapidly evolved into one of the most formidable commodity malware threats in the current cyber threat landscape. Unlike traditional RATs that offer limited functionality, XWorm provides attackers with an extensive suite of capabilities including keylogging, remote desktop access, command execution, and data exfiltration, effectively granting full control over compromised systems. The malware operates as a modular RAT with MaaS (Malware-as-a-Service) characteristics, sold and shared within the cybercrime ecosystem.

A specific YARA rule for XWorm v31 looks for the base64-encoded mutex:

XWorm does not discriminate in its targeting. It has been observed in campaigns affecting healthcare, finance, manufacturing, government, education, and the hospitality sector across multiple countries. The malware has been used to target Ukrainian organizations and industry sectors in the United Kingdom, and has been deployed in ransomware attacks involving LockBit Black builders.

Since the 3.1 update, XWorm has undergone several major iterations, with the most recent versions reaching by February 2026.

This version is primarily distributed via phishing campaigns and "malvertisement" links (e.g., fake download sites for CrackLink, MediaFire, or gaming cheats).

The malware uses reflective DLL loading to avoid writing files to disk. Once loaded, it injects its payload into legitimate Windows processes such as explorer.exe, svchost.exe, taskmgr.exe, and msbuild.exe, blending malicious activity into normal system operations. This technique makes detection by traditional process monitoring tools substantially more difficult.
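One way a defender can look for this behaviour in endpoint telemetry, as an added example that is not part of the original article: flag remote-thread creation into the host processes named above when the thread's start address is not backed by a loaded module (consistent with reflectively loaded code) or the source process runs from a user-writable directory. The records are constructed for this example and only mimic the field names of Sysmon Event ID 8 (CreateRemoteThread); the directory list and the two-signal threshold are assumptions, not the author's.

```python
import ntpath

# Host processes the article names as XWorm's injection targets.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "taskmgr.exe", "msbuild.exe"}
# Directories a legitimate injector rarely runs from (assumption for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_suspicious_remote_thread(event):
    """Return the reasons an Event ID 8 record looks like injection, or [] if not."""
    if event.get("EventID") != 8:
        return []
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target not in INJECTION_TARGETS:
        return []
    reasons = ["remote thread into " + target]
    # Sysmon leaves StartModule empty ("-") when the start address is not inside
    # any loaded module; that is what reflectively loaded code looks like.
    if event.get("StartModule", "") in ("", "-"):
        reasons.append("thread start address not backed by a loaded module")
    if any(d in event.get("SourceImage", "").lower() for d in USER_WRITABLE):
        reasons.append("source process runs from a user-writable directory")
    # Require a second signal beyond the target name to limit false positives.
    return reasons if len(reasons) > 1 else []


def scan_events(events):
    """Return (source, target, reasons) for every record that trips the heuristics."""
    findings = []
    for ev in events:
        reasons = is_suspicious_remote_thread(ev)
        if reasons:
            findings.append((ev["SourceImage"], ev["TargetImage"], reasons))
    return findings


# Constructed sample records (not real telemetry); values are made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Roaming\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\stage2.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "StartModule": "-"},
]

if __name__ == "__main__":
    for source, target, reasons in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {source} -> {target}: {'; '.join(reasons)}")
```

The csrss.exe record is deliberately left unflagged: a module-backed thread from a system binary into svchost.exe is routine, which is why the target name alone is not enough to alert on.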