Researchers at the Trellix Advanced Research Center have identified a sophisticated new campaign leveraging the XWorm backdoor, marking a significant shift in deployment methods. Once reliant on more predictable infection vectors, XWorm operators are now adopting intricate, multi-stage tactics designed for stealth, persistence, and evasion.
As Trellix notes, “the current campaign reveals a deliberate move towards more deceptive and intricate methods, designed to evade detection and increase the success rate of the malware.”
The attack often begins with a malicious .lnk shortcut file delivered via phishing emails. When executed, the shortcut runs a hidden PowerShell command that drops a file (payload.txt) containing a taunting string, then downloads a fake Discord executable from a remote server.

This Discord.exe, cleverly disguised with the Discord icon, drops two additional executables:
- main.exe → a packed loader that disables security tools.
- system32.exe → the actual XWorm payload, masquerading as a core Windows system file.
Trellix highlights the stealthy naming convention: “a critical observation in this attack chain is the deliberate naming of one of the dropped executables as system32.exe, a name that directly imitates a legitimate and vital Windows operating system file.”
The main.exe stage is heavily packed, carrying embedded .pyd modules and a crucial main.dll. This loader focuses on neutralizing defenses:
- Disables Windows Firewall by modifying registry keys.
- Detects security applications to avoid interference.
- Uses Nuitka (Python-to-C compiler) to complicate reverse engineering.
The main.dll includes TLS callbacks—a technique enabling code execution before the program’s official entry point, further complicating analysis.
The final payload, system32.exe, introduces XWorm’s extensive backdoor capabilities:
- Virtualization checks: terminates if run in sandboxes (to evade researchers).
- Persistence: creates a scheduled task named XClient to run every minute, and adds a registry entry for startup execution.
- PowerShell exclusions: modifies Windows Defender settings to whitelist itself, ensuring it runs unhindered.
XWorm then renames itself Xclient.exe, continuing operations under a new disguise.
XWorm employs layered cryptography to secure its operations. Trellix explains: “The malware uses the Rijndael cipher block to build a strong decryptor… Base64-encoded strings are fed into the Rijndael decryptor for final decryption.”
This process hides critical configuration data, including:
- C2 IPs and domains
- Malware commands
- Internal identifiers
Through its C2 infrastructure, XWorm can:
- Shut down or restart systems.
- Download additional payloads.
- Open malicious URLs.
- Launch DDoS attacks, converting victims into botnet nodes.
Earlier versions of XWorm relied on predictable .bat, .vbs, or .hta scripts for deployment. Today, it directly delivers executable payloads disguised with trusted filenames and icons—a leap in sophistication that increases success rates.
Trellix warns, “This rapid evolution of XWorm within the threat landscape, and its current prevalence, highlights the critical importance of robust security measures to combat ever-changing threats.”