Inside XWorm 6.0: How the Backdoor Spreads, Persists, and Evades Detection

Khushal

Apr 4, 2024

New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project in 2024. The latest variants—6.0, 6.4, and 6.5—are used by various threat actors and support plugins that enable a wide range of malicious activity. This report focuses on:

  1. Overview: What XWorm is, how it works, and why it matters
  2. Initial access & delivery: How infections begin (phishing, ClickFix, and loaders)
  3. Victimology: Who is being targeted and the likely motivations
  4. Capabilities: What’s new in v6.0 / v6.4 / v6.5 (plugins, data theft, and evasion)
  5. Technical analysis: File traits, execution flow, persistence mechanisms, and network behavior

This is a useful summary because it highlights an important point: XWorm did not disappear when the original developer stepped away. From a defender’s perspective, that usually means the threat shifts from a single “project” to a broader malware family used and modified by multiple actors.

Why this matters

  • When malware like XWorm is reused by different threat actors, attribution becomes harder and campaigns can vary a lot in quality and sophistication.
  • The phishing and “ClickFix” delivery angle is especially relevant because it relies heavily on social engineering rather than technical exploits alone.
  • Plugin support makes the threat more flexible. A modular backdoor can be adapted for credential theft, surveillance, payload delivery, and follow-on compromise depending on the operator’s goals.

What defenders should pay attention to

  • Phishing emails with archive attachments, script files, shortcut files, or Office documents that push users toward enabling content or running commands.
  • Fake verification or “fix” prompts that instruct users to paste commands into PowerShell or Run dialogs.
  • Persistence via common user-level locations such as Startup entries, scheduled tasks, registry Run keys, or dropped copies in AppData-related paths.
  • Unexpected outbound connections, especially if a process that should not normally communicate externally starts beaconing.
  • Secondary payload behavior, since many RAT/backdoor infections are only the first stage.

A practical takeaway

For most users and admins, the most valuable part of a report like this is not the malware branding but the infection chain and defensive opportunities:

  • Block or restrict script interpreters where possible.
  • Harden email filtering and attachment handling.
  • Train users to avoid copy-paste “fixes” from popups or websites.
  • Monitor persistence mechanisms and unusual child processes.
  • Use reputable endpoint protection, but do not rely on detections alone because families like this often change quickly.

About the version claims

I cannot independently verify every capability listed for 6.0, 6.4, and 6.5 from the quoted excerpt alone, so it is best to treat the full blog’s technical indicators and behavioral details as the part that needs validation against other research or telemetry.

Bottom line

The key message is that XWorm remains relevant because it is still being actively distributed, modular, and socially engineered into environments through phishing and ClickFix-style lures. For defenders, the delivery methods and persistence techniques are more actionable than the version number itself.
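As an added example (my own code, not part of the original post or of the report it summarizes), the PowerShell script below enumerates the user-level persistence locations the post lists (registry Run keys, Startup folders, scheduled tasks) and flags entries that launch from AppData/Temp-style paths or through a script interpreter. The path fragments and interpreter names are my own triage heuristics, not indicators taken from the report; treat flagged rows as items to review, not as verdicts.

```powershell
# Added example, not from the original post: enumerate common Windows
# persistence locations and flag entries worth a closer look.
# Heuristic lists below are my assumptions, not indicators from the report.
$suspiciousPaths = @('\appdata\', '\temp\', '\programdata\', '\public\')
$interpreters    = @('powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'cmd.exe', 'rundll32', 'regsvr32')

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $c = $Command.ToLowerInvariant()
    foreach ($p in $suspiciousPaths) { if ($c -like "*$p*") { return $true } }
    foreach ($i in $interpreters)    { if ($c -like "*$i*") { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Registry Run / RunOnce keys for the current user and the machine
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $value = [string]$props.$name
        $findings.Add([pscustomobject]@{
            Source     = "Registry: $key"
            Name       = $name
            Command    = $value
            Suspicious = Test-SuspiciousCommand $value
        })
    }
}

# 2. Startup folders (per-user and all-users); resolve .lnk targets so the
#    real command line is what gets inspected
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $shell  = New-Object -ComObject WScript.Shell
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        $findings.Add([pscustomobject]@{
            Source     = "Startup: $dir"
            Name       = $_.Name
            Command    = $target
            Suspicious = Test-SuspiciousCommand $target
        })
    }
}

# 3. Scheduled tasks outside the built-in \Microsoft\ task folder
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($action in $_.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $findings.Add([pscustomobject]@{
            Source     = "Task: $($_.TaskPath)"
            Name       = $_.TaskName
            Command    = $cmd
            Suspicious = Test-SuspiciousCommand $cmd
        })
    }
}

# Flagged entries first, then the rest for context
$findings | Sort-Object -Property @{Expression = 'Suspicious'; Descending = $true}, Source |
    Format-Table -AutoSize -Wrap
```

Run it in a normal user session to cover HKCU and the per-user Startup folder; HKLM keys and all-users tasks are readable without elevation but are not complete without it. Expect benign hits (installers and updaters routinely use cmd.exe or rundll32), so the value is in comparing the output against a known-good baseline from the same machine or image rather than in the flag by itself.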