New XWorm Malware Variants Emerge in Phishing Campaigns with Advanced Plugin Capabilities

New variants of the XWorm backdoor malware are being actively spread through phishing campaigns after its original creator, known as XCoder, abandoned the project last year.

The latest editions — XWorm 6.0, 6.4, and 6.5 — have been adopted by multiple cybercriminal groups. These updated versions include plugin support that enables a wide range of malicious activities, from data theft and remote system access to file encryption and decryption.

The most recent release developed by XCoder was version 5.6, which contained a remote code execution (RCE) vulnerability. The newly distributed variants reportedly fix that flaw while introducing enhanced attack features.

First detected in 2022, XWorm gained notoriety for its modular structure and broad feature set. It’s primarily used to harvest sensitive data such as passwords, cryptocurrency wallets, and financial information. The malware can also record keystrokes, extract clipboard data, perform DDoS attacks, and deliver other malicious payloads.

After XCoder deleted their Telegram channels, cracked versions of the malware began circulating widely, with various threat actors distributing them. In fact, one campaign even used XWorm itself as bait to target less-experienced hackers—infecting over 18,000 systems globally, primarily across Russia, the U.S., India, Ukraine, and Turkey.

A new version of XWorm appeared on a hacker forum, advertised by a user named XCoderTools, who offered access for a $500 lifetime subscription. Although it’s unclear if this is the same developer, the user claimed that the new versions fixed the RCE issue and introduced multiple updates.

Cybersecurity researchers at Trellix have observed a rise in XWorm samples on VirusTotal since June, suggesting the malware’s increasing popularity among threat actors.

In one campaign, XWorm was distributed using malicious JavaScript that executed a PowerShell script capable of bypassing Microsoft’s Antimalware Scan Interface (AMSI) to install the backdoor.

According to Trellix’s September report, “the XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks.” While .LNK files and email attachments remain common entry points, newer variants disguise themselves as legitimate executables — even mimicking applications like Discord.

“This marks a shift towards combining social engineering with technical attack vectors for greater effectiveness,” Trellix explained.

Further analyses revealed campaigns using AI-themed phishing lures and a modified version of ScreenConnect, as well as cases where malicious Excel files (.XLAM) embedded with shellcode delivered the payload.

Trellix researchers uncovered over 35 plugins associated with the latest XWorm versions, significantly expanding its functions — including a ransomware component.

The Ransomware.dll plugin allows attackers to lock victims’ files, demand payment, and customize ransom notes, wallpaper messages, and Bitcoin wallet details. The encryption avoids system-critical directories, focusing on user folders like %USERPROFILE% and Documents. Encrypted files are appended with the .ENC extension, while a ransom instruction HTML file is dropped on the desktop.

Code analysis revealed similarities between XWorm’s ransomware module and the NoCry ransomware from 2021, both using the same encryption methods (AES-CBC with 4096-byte blocks).
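The ransomware behaviour described above (mass renames to .ENC under user folders, a ransom-note HTML dropped on the Desktop) can be turned into a simple detection heuristic. The following is an added example, not code from the article or from Trellix; the file-event schema and the process names in the sample data are constructed assumptions.

```python
"""Heuristic detector for the ransomware behaviour described above: a burst of
renames to the .ENC extension inside user folders, plus an HTML ransom note
written to the Desktop. Input is a list of constructed file-activity events;
the event schema is an assumption, not a real EDR format."""
from collections import defaultdict
from datetime import datetime, timedelta

USER_ROOT = "c:\\users\\"  # the plugin targets %USERPROFILE% and Documents
EXCLUDED = ("c:\\windows\\", "c:\\program files")  # system dirs it skips

def _is_user_path(path):
    p = path.lower()
    return p.startswith(USER_ROOT) and not p.startswith(EXCLUDED)

def detect_enc_burst(events, window_s=60, threshold=5):
    """One alert per process that renamed >= threshold user files to .ENC within
    window_s seconds; each alert also records whether that process dropped an
    .html file on a Desktop. Events: dicts with ts, proc, action, path[, new_path]."""
    renames = defaultdict(list)  # proc -> timestamps of .ENC renames
    notes = set()                # procs that created an .html file on a Desktop
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "rename" and ev["new_path"].lower().endswith(".enc") \
                and _is_user_path(ev["path"]):
            renames[ev["proc"]].append(ts)
        elif ev["action"] == "create":
            p = ev["path"].lower()
            if "\\desktop\\" in p and p.endswith(".html"):
                notes.add(ev["proc"])
    alerts = []
    for proc, stamps in renames.items():
        stamps.sort()
        best, j = 0, 0  # densest window_s-second span, via a sliding window
        for i, t in enumerate(stamps):
            while stamps[j] < t - timedelta(seconds=window_s):
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({"proc": proc, "renames": best, "note": proc in notes})
    return alerts

# Constructed sample: one process mass-renaming Documents and dropping a note,
# one benign-looking process renaming a single file in the same minute.
SAMPLE = [{"ts": f"2025-09-10T10:00:{i:02d}", "proc": "updater.exe", "action": "rename",
           "path": f"C:\\Users\\alice\\Documents\\report{i}.docx",
           "new_path": f"C:\\Users\\alice\\Documents\\report{i}.docx.ENC"} for i in range(6)]
SAMPLE.append({"ts": "2025-09-10T10:00:07", "proc": "updater.exe", "action": "create",
               "path": "C:\\Users\\alice\\Desktop\\HOW_TO_DECRYPT.html"})
SAMPLE.append({"ts": "2025-09-10T10:00:08", "proc": "7z.exe", "action": "rename",
               "path": "C:\\Users\\alice\\Downloads\\x.txt", "new_path": "C:\\Users\\alice\\Downloads\\x.txt.enc"})
```

On the constructed sample, only `updater.exe` trips the threshold, and the alert also flags the Desktop note; a single rename by the second process stays below it.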

Beyond ransomware, other identified modules include:

  • RemoteDesktop.dll – Enables full remote control sessions.
  • Stealer.dll, Chromium.dll, Recovery.dll – Extract credentials and application data.
  • FileManager.dll – Grants file system access and manipulation.
  • Shell.dll – Executes commands through hidden CMD processes.
  • Webcam.dll – Records or verifies the infected system through webcam access.
  • TCPConnections.dll & ActiveWindows.dll – Send live system and network data to command servers.

With modules designed to steal data from more than 35 browsers, email clients, and crypto wallets, the malware represents a serious risk to both individuals and organizations.

Trellix recommends a multi-layered cybersecurity defense, including EDR solutions for detecting malicious behavior, and email/web gateways to block droppers. Network monitoring tools can also help identify communications with command-and-control (C2) servers and prevent data exfiltration.