Monday, May 5, 2025
HomeCyber Security NewsXWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

XWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

Published on

SIEM as a Service

Follow Us on Google News

XWorm is a RAT (Remote Access Trojan), a malware-as-a-service. It was first discovered in July 2022 and is known to have originated from the ex-USSR.

The malware is capable of multiple things, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and ransomware deployment.

This malware has gone through several updates ever since its emergence in 2022, and the latest version is known to be 5.0 version as of August 2023.

- Advertisement - Google News

Several threat actors are using it for multi-stage attacks on victims. XWorm is developed in the .NET framework and can be customized with various tools. 

XWorm MaaS

For the initial phase of the attack, threat actors send a phishing email containing a malicious Word document that loads a .rtf file when opened.

This file contains an Excel sheet with macros enabled for executing a PowerShell script that downloads the XWorm malware to the victim’s system.

XWorm has several capabilities, which include encrypted communication with the C2 server, Information gathering, Account Hijacking, User activity tracking, access to the clipboard, file management, etc., 

Source: ANY RUN
Source: ANY RUN

UAC Bypass & Persistence

To bypass the UAC control in Windows systems, the malware attempts to escalate its privileges to that of an administrator, which will allow the malware to make changes without the victim’s consent. 

For persistence on the infected systems, the malware adds itself to the startup list of programs that run when the computer starts.

Additionally, the malware is also capable of terminating its execution if the malware is installed inside a sandbox environment.

Furthermore, a complete report about this malware has been published by ANY RUN and provides detailed information on the execution process, code analysis, and other information.

Indicators of Compromise

IP addresses

  • 185.179.218[.]240
  • 95.32[.]98.110
  • 91[.]107.127.116

Hashes

  • F1CD899D09E247B9206F04E519E4FD5D3A4EB7E0A47F7577141B7BF71FDD4A60
  • C7CE7B4759034BAC5F89F206D0A08F3150CB4D6257F19B0EF02FC3C316D6507D
  • 049BC312BB80264BBA937B76BE6293ADCF0FE02A0DC879247DBBB8B7B6E9C051
  • 4941D43A0D8ACD464841E158ECD7B460B1B5C203587509E49341F5817674D7E2
  • 853141ECAB59614B4BD0E5ECD204A79E5856CD2AAA8464A6084B4C1BA2960610
  • D108BD602546078F3BAD759A985C7B3DFB78C5CB0E7DB8A18B97965C74ADD758
  • 243AE09600615F482240E4AAD32FC2211FD3EB90E8C13074BC3FB6A2555B2C95
  • 36744630552440395CA6062A6A6B6634791193AFC423BD77C9EEA84F210CFB83
  • E85F1E70C671DC54747BB12FC11DCF307F027AFFE9529AD153B595F83813FD6A
  • 6FB1F9B6610F5F275A70817B8BB93D15B942AF9AB166B94E24305B6F51C5D188
  • CC45D38FA00C5AEB33BDF842166460117B5E70B0B4FCF5BB6EF9747EC0B0575F
  • 47CFC580A33A5AAA4F3CBA9DCC34DD70D30363155B80B91A70B99F9E6BF8C7FC
  • 5AE7320BD89C825ED9335FD5FF35CD53997D7DD6023818080C1F01D6CCE20527
  • C91B64D2950DE8B7AC82050BF7DFCFB482974842A0E04B5E89CAF3E7EA1CF207
  • B079DD50E4CD9788F984A1F1018984D71D03990C44FBE3089EBE0A595DA4E98A
  • 8EAACAB5FAFCC224BC92007B9DC743F854D35C3D57E4688C7699792EA3470C37
  • BFD9809A1FD4485F2590BB784D5E4CCC249F04B4E7211BC9728A0FE3C88F2B78
  • 18FC313C1C1791643F21892EB9E5D3C50E64390A9A6955560E0C411B9A450509
  • 06E3ABEED1BC98ED56D5587E9732C9D39EA41879C250DFF68CE8815953FCF7AD
  • B3BA308F3408F979F5159E3C4514CA929BF9ACF23C6C70E2051F867BDC9F150D

Domains

swezy.ddns[.]net

0.tcp.ap[.]ngrok.io

atelilian99.ddns[.]net

URLs

  • https://pastebin[.]com/raw/H3wFXmEi:<123456789>
  • https://pastebin[.]com/raw/IP:PORT:KEY
  • https://pastebin[.]com/raw/yppjG8bz
  • https://pastebin[.]com/raw/nAXieb7q
  • https://pastebin[.]com/raw/2L3vs8UY
  • https://pastebin[.]com/raw/GUtADUQ5
  • https://pastebin[.]com/raw/iVUhhYa8
  • https://pastebin[.]com/raw/Q2AUANEc
  • https://pastebin[.]com/raw/S0j6LcjH

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...