Date: 03/13/2026
Severity: High
Summary
Attackers keep looking for the "perfect" malware: lightweight, modular, and hard to detect, and underground markets quickly adopt tools that combine strong capabilities with low detection rates. XWorm has become a leading example of this trend. After the disruption caused by XWorm v6.x, defenders now face the more capable version 7.x. The referenced Trellix research analyzes the XWorm v7.1 kill chain, its market growth, and the Telegram channels selling this RAT; the indicators and detection queries below are drawn from that analysis.
Indicators of Compromise (IOC) List
Domains/URLs:
https://kolanga.cc/devils/ENCRYPTEDX.ps1
IP Address:
204.10.160.190
SHA256 Hashes:
c6739ae299cde3ba604886f86df328ecdeb5ddad440d05b22b71580483a358b3
a699b2b370023fe9a77e6297fae942271debdc8f2a6589f701e5cc84239f2446
2310a8c9c8c8d27053e63afc6ab66e1b2143e36c9e347368850eab5ba7b9dacf
ef0d5541ec1405bc5d383754ac546b51e2a389bcb14c7ddbe37c2225fcf050b6
3e7d97d4896130e2150f79e685dde01f26ed2f0882b9829b385b142c982c9176
3ce1c96dd324e2485328c23eaa9d4bb17a7ee14d06f73de899d5bede07ffb3f1
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (payload URL and hosting domain):
domainname like "kolanga.cc" or url like "https://kolanga.cc/devils/ENCRYPTEDX.ps1" or siteurl like "https://kolanga.cc/devils/ENCRYPTEDX.ps1"
Note: the domainname field carries only the host, so it is matched on "kolanga.cc" rather than the full URL; the url and siteurl clauses match the exact payload path, so a different path on the same host is caught only by the domainname clause.
Detection Query 2 (C2 / hosting IP, either direction):
dstipaddress IN ("204.10.160.190") or srcipaddress IN ("204.10.160.190")
Detection Query 3 (file hashes):
sha256hash IN ("3ce1c96dd324e2485328c23eaa9d4bb17a7ee14d06f73de899d5bede07ffb3f1","3e7d97d4896130e2150f79e685dde01f26ed2f0882b9829b385b142c982c9176","a699b2b370023fe9a77e6297fae942271debdc8f2a6589f701e5cc84239f2446","c6739ae299cde3ba604886f86df328ecdeb5ddad440d05b22b71580483a358b3","2310a8c9c8c8d27053e63afc6ab66e1b2143e36c9e347368850eab5ba7b9dacf","ef0d5541ec1405bc5d383754ac546b51e2a389bcb14c7ddbe37c2225fcf050b6")
Note: hash fields are compared case-sensitively in most platforms; normalize stored hashes to lowercase before matching.
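The queries above work on already-parsed fields. For raw logs, or to check that a query would not miss a near variant, the following added example (written for this page, not Gurucul's query language or Trellix's code) applies the same IOCs to unparsed log lines. It normalizes the three things that commonly defeat exact-string matching: hash casing, an IP that carries a port or trailing punctuation, and a different path on the same malicious host. The log format and the SAMPLE_LOGS are constructed for illustration; only the indicator values come from the advisory.

```python
"""Added example (not from the advisory or from Gurucul/Trellix): match the
XWorm v7.1 IOCs listed above against raw log lines. The log format and the
SAMPLE_LOGS below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list.
IOC_URLS = {"https://kolanga.cc/devils/ENCRYPTEDX.ps1"}
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS}  # {"kolanga.cc"}
IOC_IPS = {"204.10.160.190"}
IOC_SHA256 = {
    "c6739ae299cde3ba604886f86df328ecdeb5ddad440d05b22b71580483a358b3",
    "a699b2b370023fe9a77e6297fae942271debdc8f2a6589f701e5cc84239f2446",
    "2310a8c9c8c8d27053e63afc6ab66e1b2143e36c9e347368850eab5ba7b9dacf",
    "ef0d5541ec1405bc5d383754ac546b51e2a389bcb14c7ddbe37c2225fcf050b6",
    "3e7d97d4896130e2150f79e685dde01f26ed2f0882b9829b385b142c982c9176",
    "3ce1c96dd324e2485328c23eaa9d4bb17a7ee14d06f73de899d5bede07ffb3f1",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Dotted quad that is not part of a longer dotted or alphanumeric token,
# but may be followed by a port (":443") or sentence punctuation.
IPV4_RE = re.compile(r"(?<!\w)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\w|\.\d)")
# 64 hex characters not embedded in a longer hex run.
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def _host_matches(host, domains):
    """True if host equals, or is a subdomain of, any IOC domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line):
    """Return [(indicator_type, value), ...] for every IOC found in one line."""
    hits = []
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")  # trailing punctuation in free-text logs
        if url in IOC_URLS:
            hits.append(("url", url))
        host = urlparse(url).hostname
        if host and _host_matches(host, IOC_DOMAINS):
            hits.append(("domain", host.lower()))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # drop 999.1.1.1-style non-addresses
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in SHA256_RE.findall(line):
        digest = digest.lower()  # EDR products disagree on hash casing
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan(lines):
    """Map 0-based line index -> hits, for every line that matched an IOC."""
    results = {}
    for idx, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[idx] = hits
    return results


# Constructed sample records: proxy, firewall, EDR, benign proxy, and a
# request to a different path on a subdomain of the hosting domain.
SAMPLE_LOGS = [
    "2026-03-13T10:02:11Z proxy host=WS-0421 user=jdoe method=GET "
    "url=https://kolanga.cc/devils/ENCRYPTEDX.ps1 status=200 bytes=48213",
    "2026-03-13T10:02:40Z fw action=allow src=10.20.4.21:51622 "
    "dst=204.10.160.190:443 proto=tcp",
    r"2026-03-13T10:03:05Z edr host=WS-0421 event=process_create "
    r"image=C:\Users\jdoe\AppData\Local\Temp\svc.exe "
    "sha256=C6739AE299CDE3BA604886F86DF328ECDEB5DDAD440D05B22B71580483A358B3",
    "2026-03-13T10:04:00Z proxy host=WS-0300 user=asmith method=GET "
    "url=https://www.example.com/index.html status=200 bytes=1320",
    "2026-03-13T10:05:17Z proxy host=WS-0300 user=asmith method=GET "
    "url=https://cdn.kolanga.cc/static/loader.js status=200 bytes=9020",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, hits)
```

The last sample line is the case the advisory's Query 1 would miss: the URL is not the exact payload path, so only the domain clause (here, the subdomain-aware `_host_matches`) fires. The IP and hash paths show why field-level queries should normalize ports and casing before comparison.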
Reference:
https://www.trellix.com/blogs/research/malware-as-a-service-redefined-xworm-rat/