XWorm is Outpacing Every Other RAT in the Underground Malware Market
Summary:
XWorm has emerged as the dominant commodity remote access trojan (RAT) in the underground malware market, with version 7.1 representing a significant escalation in capability and sophistication. Trellix researchers analyzed an active XWorm v7.1 campaign targeting a Taiwan-based network security company, delivered via a phishing email containing a malicious ZIP archive with a JavaScript dropper. Upon execution, the JS file contacts a remote server to download an encrypted PowerShell script, which then performs reflective DLL injection into the legitimate Microsoft binary Aspnet_compiler[.]exe, a classic Living off the Land (LOTL) technique designed to evade signature-based defenses.
The injected XWormClient payload operates entirely in memory, conducting anti-virus and anti-VM checks via WMI queries before establishing keylogging activity, writing captured keystrokes to a hidden file in the %TEMP% directory, and exfiltrating encrypted logs to a C2 server at 204[.]10[.]160[.]190 over TCP port 7003.
Persistence is achieved by copying Aspnet_compiler[.]exe to %AppData%\Roaming\XWormClient[.]exe and registering it under the Windows Run registry key.
The malware's post-exploitation plugin suite extends to screen, webcam, and microphone monitoring, password theft, DDoS capability, UAC bypass, and process and service manipulation.
Security Officer Comments:
According to the ANY.RUN 2025 Annual Threat Report, XWorm detections surged 174% over the past year, with the tool now ranking third among the most detected malware families globally, outpacing legacy RATs such as Remcos and AgentTesla.
Its widespread adoption is driven by accessibility: lifetime subscriptions sell in underground markets for approximately $500, yet the tool is capable of enterprise-scale compromise.
The use of LOTL techniques through trusted Microsoft .NET binaries and in-memory execution significantly undermines traditional signature-based and process-monitoring defenses. The AES-256 encryption of both C2 communications and exfiltrated keylog data renders standard network inspection largely ineffective.
The campaign's targeting of a network security company is particularly notable, as a successful compromise could expose sensitive internal network architectures, security tooling configurations, and client data, amplifying downstream risk across the victim's customer base.
Trellix additionally identified CVE-2025-8088, a high-severity path-traversal vulnerability in WinRAR versions 7.12 and earlier, as an active secondary delivery vector in related campaigns, with Discord used to distribute weaponized archives disguised as game modifications or community plugins.
Suggested Corrections:
Organizations should prioritize patching WinRAR to version 7.13 or later to close exposure to CVE-2025-8088, which is actively being weaponized in XWorm delivery chains.
Email security controls should be configured to inspect and quarantine compressed attachments, particularly ZIPs and RARs containing JavaScript files, which XWorm operators favor to bypass mail gateway detections that filter executable attachments.
EDR solutions should be tuned to detect LOTL abuse patterns, specifically reflective DLL injection into legitimate .NET binaries such as Aspnet_compiler[.]exe, as well as anomalous registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Network monitoring teams should hunt for outbound TCP connections on port 7003 and flag communications to 204[.]10[.]160[.]190 and the domain kolanga[.]cc.
User awareness training should be reinforced with specific emphasis on business-contextualized phishing lures, as social engineering remains the primary initial access vector for XWorm deployments.
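To make the hunting guidance above concrete, here is an added example (not from the Trellix report or this bulletin) that triages constructed Sysmon-style endpoint events against the indicators listed in this bulletin. The IP, port, domain, Run key and Aspnet_compiler.exe path are taken from the text (indicators written in undefanged form so they match telemetry); the telemetry records are constructed, and the behavioural rule that Aspnet_compiler.exe should never initiate outbound connections is a heuristic assumption that generalises beyond the single C2 address.

```python
import re

# Indicators from the bulletin, undefanged so they compare against real telemetry.
C2_IP = "204.10.160.190"
C2_PORT = 7003
C2_DOMAIN = "kolanga.cc"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
LOTL_BINARY = "aspnet_compiler.exe"

# Constructed sample telemetry (Sysmon-like), one dict per event. Not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_compiler.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_compiler.exe",
     "dst_ip": "204.10.160.190", "dst_port": 7003},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "XWormClient", "data": r"C:\Users\alice\AppData\Roaming\XWormClient.exe"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "142.250.80.46", "dst_port": 443},   # benign browser traffic, should not fire
    {"type": "dns", "image": r"C:\Users\alice\AppData\Roaming\XWormClient.exe", "query": "kolanga.cc"},
]

def triage(events):
    """Return a list of (severity, reason) findings for the given events."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        name = image.rsplit("\\", 1)[-1]          # bare file name of the acting process
        if ev["type"] == "network":
            # Exact C2 indicator match from the bulletin.
            if ev["dst_ip"] == C2_IP or ev["dst_port"] == C2_PORT:
                findings.append(("high", f"{name} -> {ev['dst_ip']}:{ev['dst_port']} matches XWorm C2 indicator"))
            # Heuristic (assumption): the .NET precompiler has no reason to open outbound sockets.
            elif name == LOTL_BINARY:
                findings.append(("medium", f"{name} initiated outbound connection to {ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["type"] == "dns" and ev["query"].lower().endswith(C2_DOMAIN):
            findings.append(("high", f"{name} resolved XWorm C2 domain {ev['query']}"))
        elif ev["type"] == "registry" and ev["key"].lower() == RUN_KEY.lower():
            # Run-key autorun pointing at an executable dropped under the user's AppData\Roaming.
            if re.search(r"\\appdata\\roaming\\[^\\]+\.exe$", ev["data"].lower()):
                findings.append(("high", f"Run key '{ev['value_name']}' -> {ev['data']} (AppData autorun)"))
        elif ev["type"] == "process" and name == LOTL_BINARY and "powershell" in ev.get("parent", "").lower():
            findings.append(("medium", f"{name} spawned by PowerShell (possible injection host)"))
    return findings

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {reason}")
```

Against the constructed events this yields four findings (three high, one medium) and stays silent on the benign browser connection; the same rules map directly onto SIEM queries over real Sysmon event IDs 1, 3, 13 and 22.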
Link(s):
https://www.trellix.com/blogs/research/malware-as-a-service-redefined-xworm-rat/