The latest analysis from Trellix ARC reveals the unexpected return of XWorm, a notorious Remote Access Trojan (RAT) that had seemingly reached its end in 2024. Now re-emerging as XWorm V6.0, the malware demonstrates expanded plugin capabilities, advanced persistence methods, and a troubling tie to ransomware operations.
Originally developed by a threat actor known as XCoder, XWorm became infamous for its modular architecture and versatile plugins. However, its lifecycle appeared to end abruptly. As Trellix notes, “During the latter half of 2024, following the release of XWorm V5.6, XCoder abruptly deleted their account, ending official support and leaving V5.6 as the presumed final version.” This led to cracked and trojanized versions circulating underground, often infecting operators themselves.
But on June 4, 2025, a new actor calling themselves XCoderTools announced the release of XWorm V6.0 on hackforums. The report explains, “This post announced the release of XWorm V6.0, notably claiming a fix for the previously identified RCE vulnerability along with other critical updates.” While the true identity of this developer remains uncertain, the malware has already gained traction among cybercriminal groups.
Trellix researchers dissected a prominent XWorm V6.0 campaign, which begins with a malicious JavaScript file delivered via phishing. The chain proceeds with a PowerShell script that disables AMSI (Antimalware Scan Interface), followed by an injector that stealthily loads the malware into a legitimate Windows process like RegSvcs.exe.

As the report highlights: “Once injected, the XWorm V6.0 Client takes over. It connects to its Command and Control (C2) server… and lets the attacker perform malicious activities.”
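As an added illustration (not code from the Trellix report or this article), the following Python checks for the delivery chain described above over constructed Sysmon-style events: a script host spawning PowerShell, which spawns RegSvcs.exe, plus any outbound connection from that process. The event field names, process IDs and destination addresses are assumptions made for the example.

```python
# Constructed Sysmon-style process-creation events (not real telemetry): a script host
# launches PowerShell, which in turn spawns RegSvcs.exe, alongside benign background noise.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4012, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 4100, "ppid": 4012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 5000, "ppid": 900,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\notepad.exe"},
]
# Constructed network-connection events keyed by pid (documentation-range addresses only).
SAMPLE_NETWORK_EVENTS = [
    {"pid": 4188, "dest": "203.0.113.10:7000"},
    {"pid": 5010, "dest": "198.51.100.5:443"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts for the phishing .js stage
INJECTION_TARGETS = {"regsvcs.exe"}             # the article names RegSvcs.exe; extend as needed

def _basename(image_path: str) -> str:
    """Case-insensitive executable name from a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()

def find_injection_chains(events):
    """Return (script_host_pid, powershell_pid, target_pid) for every
    script host -> powershell.exe -> injection-target ancestry found."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for child in events:
        if _basename(child["image"]) not in INJECTION_TARGETS:
            continue
        parent = by_pid.get(child["ppid"])
        if parent is None or _basename(parent["image"]) != "powershell.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is None or _basename(grandparent["image"]) not in SCRIPT_HOSTS:
            continue
        chains.append((grandparent["pid"], parent["pid"], child["pid"]))
    return chains

def injection_targets_with_network(events, network_events):
    """PIDs of injection-target processes that opened an outbound connection.
    RegSvcs.exe is a .NET registration utility with little reason to talk to the
    network, so a connection from it corroborates the C2 behaviour described above."""
    target_pids = {e["pid"] for e in events if _basename(e["image"]) in INJECTION_TARGETS}
    return sorted({n["pid"] for n in network_events if n["pid"] in target_pids})
```

On real telemetry, feed this the process-creation and network-connection events from your EDR or Sysmon pipeline; the chain match alone is a strong lead, and the network corroboration helps separate it from benign developer use of RegSvcs.exe.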
XWorm’s true power lies in its plugin system, and V6.0 brings an arsenal of more than 35 DLL-based modules. These include:
- RemoteDesktop.dll – enabling full remote interaction with victims’ machines.
- Stealer and WindowsUpdate.dll – extracting credentials and data from a wide range of browsers and applications.
- FileManager.dll – providing filesystem manipulation and even encryption/decryption of files.
- Webcam.dll – recording victims, sometimes used to verify that the target is a real machine.
Trellix emphasizes the versatility of these tools: “XWorm RAT Operators execute additional malware, such as DarkCloud Stealer, Hworm, Snake KeyLogger, and even Coin Miners.”
The malware also features sophisticated persistence mechanisms, ranging from registry-based run keys to abuse of Windows’ ResetConfig.xml—a trick also seen in malware families like Pulsar RAT.
Perhaps most concerning is its ransomware plugin. According to Trellix, “XWorm has a plugin with ransomware functionality, which allows RAT Operators to encrypt and decrypt files.” Once executed, it customizes ransom notes, changes desktop wallpapers, and encrypts user files with AES-CBC, borrowing code from the earlier NoCry ransomware.
The underground distribution of XWorm V6.0 adds another twist. Trellix reports, “On June 27, 2025, the cracked version of the XWorm V6.0 builder was released by the team behind the Celestial Project (RAT)… We also observed one of the XWorm C2 servers using the RemoteDesktop.dll plugin, which re-infects the victim with another instance of XWorm malware.” In a bizarre turn, even operators deploying the malware have been compromised by infected builds.