Deep Dive Into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails

    Date: 02/11/2026

    Severity: High

    Summary

    XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment. The attached Excel file exploits CVE-2018-0802 to download and execute an HTA file, which then launches PowerShell. PowerShell loads a fileless .NET module into memory, using process hollowing to inject and run XWorm inside a new Msbuild.exe process.

    Indicators of Compromise (IOC) List

    Domains\URLs:

    https://retrodayaengineering.icu/HGG.hta

    https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg

    http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt

    berlin101.com

    Hashes (SHA-256):

    EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D

    3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5

    FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B

    EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://retrodayaengineering.icu/HGG.hta" or url like "https://retrodayaengineering.icu/HGG.hta" or siteurl like "https://retrodayaengineering.icu/HGG.hta" or domainname like "berlin101.com" or url like "berlin101.com" or siteurl like "berlin101.com" or domainname like "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg" or url like "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg" or siteurl like "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg" or domainname like "http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt" or url like "http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt" or siteurl like "http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt"

    Detection Query 2:

    sha256hash IN ("3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5","EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6","FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B","EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D")
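    The two queries above match raw indicator strings against whichever fields the SIEM exposes. As an added example (not part of the advisory and not Gurucul's own code), the script below applies the same IOC set to constructed log records, but normalises each indicator first: full URLs are compared against URL fields, the hostname extracted from each URL (plus the bare domain berlin101.com) against domain fields, and SHA-256 values case-insensitively, since EDR products often log hex digests in lowercase while the advisory lists them in uppercase. The field names url, domainname and sha256hash follow the queries on this page; the sample records are invented for illustration.

```python
"""Added example (not from the advisory or Gurucul): match the advisory's
published IOCs against constructed log records, normalising URL, hostname
and SHA-256 indicators before comparison. Only indicators printed on the
page are used; the log records below are constructed, not real telemetry."""
from urllib.parse import urlparse

# Network IOCs exactly as listed in the advisory (full URLs plus one bare domain).
NETWORK_IOCS = [
    "https://retrodayaengineering.icu/HGG.hta",
    "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg",
    "http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/wwa.txt",
    "berlin101.com",
]

# File hash IOCs from the advisory, stored lowercase so the log's case does not matter.
HASH_IOCS = {
    h.lower() for h in (
        "EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D",
        "3F4C3C16F63FB90D1FD64B031D8A9803035F3CB18332E198850896881FB42FE5",
        "FD9BA9E6BD4886EDC1123D4074D0EAC363DF61162364530B1303390AA621140B",
        "EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6",
    )
}


def host_of(value: str) -> str:
    """Return the lowercase hostname of a URL, or of a bare domain string."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


# Split the mixed IOC list into what each log field should be compared against:
# full URLs for url fields, hostnames for domainname fields.
IOC_URLS = {u.lower() for u in NETWORK_IOCS if "://" in u}
IOC_HOSTS = {host_of(u) for u in NETWORK_IOCS}


def match_record(record: dict) -> list:
    """Return the IOC categories one log record hits (empty list means clean).

    The keys url, domainname and sha256hash are assumed field names taken from
    the advisory's detection queries.
    """
    hits = []
    url = record.get("url", "")
    if url:
        if url.lower() in IOC_URLS:
            hits.append("url")
        elif host_of(url) in IOC_HOSTS:
            hits.append("url_host")  # same host, different path: worth review, not an alert
    domain = record.get("domainname", "")
    if domain and host_of(domain) in IOC_HOSTS:
        hits.append("domain")
    digest = record.get("sha256hash", "")
    if digest and digest.lower() in HASH_IOCS:
        hits.append("sha256")
    return hits


def scan(records):
    """Return (index, hits) for every record matching at least one IOC."""
    return [(i, hits) for i, rec in enumerate(records) if (hits := match_record(rec))]


# Constructed sample telemetry: proxy requests and EDR file events (not real logs).
SAMPLE_LOGS = [
    {"url": "https://retrodayaengineering.icu/HGG.hta", "domainname": "retrodayaengineering.icu"},
    {"url": "https://www.example.com/index.html", "domainname": "www.example.com"},
    {"url": "http://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/other.txt"},
    {"domainname": "BERLIN101.COM"},
    {"sha256hash": "ee663d016894d44c69b1fdc9d2a5be02f028a56fc22b694ff7c1dacb2bbbcc6d"},
    {"sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(f"record {index}: {', '.join(hits)}")
```

    The host-only match ("url_host") is deliberately weaker than an exact URL match: res.cloudinary.com is a shared CDN host and the r2.dev bucket name is attacker-controlled storage on a shared service, so a hit on the hostname alone should queue the event for review rather than page an analyst. Exact URL and hash matches carry the full weight of the advisory's indicators.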

    Reference:

    https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails
    Tags

    Malware, Vulnerability, CVE-2018, XWorm, RAT, Phishing, Telegram, Social Engineering, Exploit
