New XWorm V6 Variant Infected Windows Applications with Malicious Code
“Trusted Windows applications are being infected with malicious code by the latest XWorm V6 variant.”
Being informed is not only advantageous in the ever-changing world of cyber threats but also essential. When XWorm was first discovered in 2022, it immediately became known as a very potent piece of malware that gave hackers a wide range of tools to use for their nefarious purposes.
The foundation of XWorm’s modular architecture is a core client plus a variety of specialized components called plugins. In essence, these plugins are extra payloads that perform particular malicious tasks once the main client is running.
Because of its versatility, attackers can exploit XWorm’s capabilities for a variety of goals, from constant monitoring to data theft and system control.
Comprehending these plugins is essential for cybersecurity experts protecting their companies, as well as cybersecurity product users looking to strengthen their defenses against such common dangers.

Trellix ARC has kept a careful eye on XWorm’s development, including its most recent comeback. In this article, we’ll delve further to examine a campaign that uses XWorm V6.0 and, more crucially, analyze the main plugins and extra payloads, such as a persistence script.
From Desertion to Anarchy
Regular updates on XWorm’s development, spearheaded by “XCoder,” were disseminated via Telegram. Following the release of XWorm V5.6 in late 2024, XCoder terminated official support and left V5.6 as the version that was thought to be final.
Threat actors subsequently disseminated V5 cracks. Trojanized V6 builders infected the operators who ran them. CloudSEK and DMPdump have reported trojanized builders and altered distributions, while XSPY, a Chinese-language variant, has surfaced.
Another setback was the discovery of a serious remote code execution flaw in V5.6 that allowed attackers to run arbitrary code using the C2 encryption key—an exploit that was confirmed in labs.
Many experts shifted their focus elsewhere after concluding that XWorm was no longer a threat, but malware retirement is rarely permanent.
“XCoderTools” posted an announcement of XWorm V6.0 on hackforums.net on June 4, 2025, claiming improvements and solutions for the RCE vulnerability.
There was a lot of doubt: was XCoderTools the real author, or was it just a shady character taking advantage of XWorm’s good name? Operators were forced to mirror on Signal after two Telegram channels, one for updates and the other for discussion, surfaced but were continually banned.

The authenticity of V6.0 is still being questioned, despite community videos showcasing new features. VirusTotal detections of XWorm V6.0 have increased since its release, highlighting the threat actors’ quick uptake.
Plugin Arsenal and Infection Chain
A well-known V6.0 campaign starts with a malicious JavaScript file that displays a harmless PDF decoy and downloads and runs a PowerShell script.

RemoteDesktop.dll, Stealer.dll, FileManager.dll, Shell.dll, and Ransomware.dll are notable payloads. The ransomware plugin drops ransom notes and wallpapers, encrypts files with AES-CBC using a key derived from the SHA-512 hash of the client ID, and sets registry flags to track encryption status.
The decryption routine derives the key the same way. With further modules enabling rootkit installation and factory-reset persistence in leaked V6.4 builds, V6 ships more than 35 plugins.
Persistence and Changing Danger
To survive reinstalls, persistence scripts distributed as VBS or .wsf files create registry Run keys and scheduled tasks, and even write a ResetConfig.xml so the implant is reapplied after a push-button reset.
Operators use four distinct persistence techniques, ranging from admin-level factory-reset hooks to logon scripts.
Cracked V6 builders in turn distribute further trojanized builders, so the builders themselves become a self-propagating vector.

The resurgence of XWorm V6 emphasizes that malware threats never fully go away. Its sophisticated injection tactics and modular plugin architecture necessitate defenses that go beyond signature-based prevention.
A multi-layered posture is necessary, including proactive email and web gateways to stop initial droppers, endpoint detection and response to detect unusual process injections, and ongoing network monitoring to identify C2 communications.
Agile, behavior-focused security technologies are essential in an ever-changing threat landscape to keep one step ahead of adversaries.
IOC
The indicators from this campaign, in tabular form:
| SHA256 | Name |
|---|---|
| 995869775b9d43adeb7e0eb34462164bcfbee3ecb4eda3c436110bd9b905e7ba | OSHA_Investigation_Case_0625OQI685837AW.pdf.js |
| 4ce4dc04639d673f0627afc678819d1a7f4b654445ba518a151b2e80e910a92c | payload_1.ps1 |
| 8514a434b50879e2b8c56cf3fd35f341e24feae5290fa530cc30fae984b0e16c | ClassLibrary7.dll |
| 570e4d52b259b460aa17e8e286be64d5bada804bd4757c2475c0e34a73aeb869 | XWormClient.exe |
| 000185a17254cd8863208d3828366ec25ddd01596f18e57301355d4a33eac242 | RunShell.exe |
| 4d225af71d287f1264f3116075386ac2ce9ee9cd26fb8c3a938c2bf50cca8683 | 000053AB01136548.wsf |
| 760a3d23ee860cf2686a3d0ef266e7e1ad835cc8b8ce69bfe68765c247753c6b | 00001EF600EEBD20.wsf |
| 8106b563e19c946bd76de7d00f7084f3fc3b435ed07eb4757c8da94c89570864 | win32.exe |
| 1990659a28b2c194293f106e98f5c5533fdad91e50fdeb1a9590d6b1d2983ada | chrome_decrypt.dll |
| d46bb31dc93b89d67abffe144c56356167c9e57e3235bfb897eafc30626675bb | ChromiumDecryption |
| f279a3fed5b96214d0e3924eedb85907f44d63c7603b074ea975d1ec2fdde0b4 | WindowsUpdate.dll |
| 31376631aec4800de046e1400e948936010d9bbedec91c45ae8013c1b87564d0 | RemoteDesktop.dll |
| 5123b066f4b864e83bb14060f473cf5155d863f386577586dd6d2826e20e3988 | RemoteDesktop.dll |
| b314836a3ca831fcb068616510572ac32e137ad31ae4b3e506267b429f9129b1 | FileManager.dll |
| 5314c7505002cda1e864eced654d132f773722fd621a04ffd84ae9bc0749b791 | TCPConnections.dll |
| 33ee1961e302da3abc766480a58c0299b24c6ed8ceeb5803fa857617e37ca96e | merged.dll |
| 2b507d3ae01583c8abf4ca0486b918966643159a7c3ee7adb5f36c7bd2e4d70e | SystemCheck.Merged.dll |
| df0096bd57d333ca140331f1c0d54c741a368593a4aac628423ab218b59bd0bb | shell.dll |
| 0c2bf36dd9ccb3478c8d3dd7912bcfc1f5d910845446e1adfd1e769490287ab4 | Stealer.dll |
| 64cbbbf90fe84eda1a8c2f41a4d37b1d60610e7136a02472a72c28b6acadc2fc | Ransomware.dll |
| 6a0c1f70af17bd9258886f997bb43266aa816ff24315050bbf5f0e473d059485 | Rootkit.dll |
| 8d04215c281bd7be86f96fd1b24a418ba1c497f5dee3ae1978e4b454b32307a1 | ResetSurvival.dll |
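As an added, defender-side example that is not part of the Trellix report or this article: the script below embeds the IOC table above, parses it into a hash-to-name map, and sweeps a directory tree computing SHA-256 for each file so that any artifact matching a listed hash is reported. It goes a little beyond the table by handling duplicate names with different hashes (the two RemoteDesktop.dll entries) correctly, since it keys on the digest rather than the filename. The `sample_dir` helper only creates a constructed sample file for a stand-alone run.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# IOC table exactly as listed in the article (SHA-256 | Name).
IOC_TABLE = """
| SHA256 | Name |
|---|---|
| 995869775b9d43adeb7e0eb34462164bcfbee3ecb4eda3c436110bd9b905e7ba | OSHA_Investigation_Case_0625OQI685837AW.pdf.js |
| 4ce4dc04639d673f0627afc678819d1a7f4b654445ba518a151b2e80e910a92c | payload_1.ps1 |
| 8514a434b50879e2b8c56cf3fd35f341e24feae5290fa530cc30fae984b0e16c | ClassLibrary7.dll |
| 570e4d52b259b460aa17e8e286be64d5bada804bd4757c2475c0e34a73aeb869 | XWormClient.exe |
| 000185a17254cd8863208d3828366ec25ddd01596f18e57301355d4a33eac242 | RunShell.exe |
| 4d225af71d287f1264f3116075386ac2ce9ee9cd26fb8c3a938c2bf50cca8683 | 000053AB01136548.wsf |
| 760a3d23ee860cf2686a3d0ef266e7e1ad835cc8b8ce69bfe68765c247753c6b | 00001EF600EEBD20.wsf |
| 8106b563e19c946bd76de7d00f7084f3fc3b435ed07eb4757c8da94c89570864 | win32.exe |
| 1990659a28b2c194293f106e98f5c5533fdad91e50fdeb1a9590d6b1d2983ada | chrome_decrypt.dll |
| d46bb31dc93b89d67abffe144c56356167c9e57e3235bfb897eafc30626675bb | ChromiumDecryption |
| f279a3fed5b96214d0e3924eedb85907f44d63c7603b074ea975d1ec2fdde0b4 | WindowsUpdate.dll |
| 31376631aec4800de046e1400e948936010d9bbedec91c45ae8013c1b87564d0 | RemoteDesktop.dll |
| 5123b066f4b864e83bb14060f473cf5155d863f386577586dd6d2826e20e3988 | RemoteDesktop.dll |
| b314836a3ca831fcb068616510572ac32e137ad31ae4b3e506267b429f9129b1 | FileManager.dll |
| 5314c7505002cda1e864eced654d132f773722fd621a04ffd84ae9bc0749b791 | TCPConnections.dll |
| 33ee1961e302da3abc766480a58c0299b24c6ed8ceeb5803fa857617e37ca96e | merged.dll |
| 2b507d3ae01583c8abf4ca0486b918966643159a7c3ee7adb5f36c7bd2e4d70e | SystemCheck.Merged.dll |
| df0096bd57d333ca140331f1c0d54c741a368593a4aac628423ab218b59bd0bb | shell.dll |
| 0c2bf36dd9ccb3478c8d3dd7912bcfc1f5d910845446e1adfd1e769490287ab4 | Stealer.dll |
| 64cbbbf90fe84eda1a8c2f41a4d37b1d60610e7136a02472a72c28b6acadc2fc | Ransomware.dll |
| 6a0c1f70af17bd9258886f997bb43266aa816ff24315050bbf5f0e473d059485 | Rootkit.dll |
| 8d04215c281bd7be86f96fd1b24a418ba1c497f5dee3ae1978e4b454b32307a1 | ResetSurvival.dll |
"""

HEX = set("0123456789abcdef")


def parse_ioc_table(text):
    """Return {sha256_hex: name} from a two-column markdown table.
    Header and separator rows are skipped because their first cell
    is not a 64-character hex string."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2:
            continue
        digest, name = cells[0].lower(), cells[1]
        if len(digest) == 64 and set(digest) <= HEX:
            iocs[digest] = name
    return iocs


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return (path, digest, ioc_name) for every file whose
    SHA-256 is in the IOC map. Unreadable files are skipped, not fatal."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((str(p), digest, iocs[digest]))
    return hits


def sample_dir():
    """Create a temp directory holding one constructed benign file.
    Returns (directory, sha256 of that file); used only for a demo run."""
    d = tempfile.mkdtemp(prefix="ioc_demo_")
    data = b"constructed sample file, not malware\n"
    with open(os.path.join(d, "sample.bin"), "wb") as f:
        f.write(data)
    return d, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>; defaults to a constructed sample.
    root = sys.argv[1] if len(sys.argv) > 1 else sample_dir()[0]
    for path, digest, name in scan_tree(root, parse_ioc_table(IOC_TABLE)):
        print(f"MATCH {name}: {path} ({digest})")
```

A hash sweep like this only catches byte-identical samples; for a family that is rebuilt per campaign it is a triage aid, and the behavioral layers the article lists (gateway filtering of the JavaScript dropper, EDR on process injection, C2 monitoring) remain the primary controls.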
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.