XWorm’s Evolving Infection Chain: From Predictable to Deceptive

    Date: 09/04/2025

    Severity: Medium

    Summary

    The XWorm backdoor campaign has shifted from predictable delivery methods to more sophisticated, deceptive techniques. While it still uses phishing emails and .lnk files for initial access, it now disguises malicious executables with legitimate-looking names like 'discord.exe'. This new multi-stage infection chain uses PowerShell commands to drop and execute hidden payloads, culminating in the deployment of XWorm via 'system32.exe'. The campaign combines social engineering and technical evasion to improve stealth and persistence.

    Indicators of Compromise (IOC) List

    IP Address

    85.203.4.232

    MD5 Hash

    c2f66498298c1af28da64eb5392a4a6e

    4e98e45377fbf1390676ca36dbef0b85

    cb3241ff094bb1292dc7841148a7431e

    7c1129af104acf9cc4c0793077e9c5df

    72eb8c4ffd6d5f721ed3ee121264b53f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("85.203.4.232") or srcipaddress IN ("85.203.4.232")

    Detection Query 2:

    md5hash IN ("4e98e45377fbf1390676ca36dbef0b85","cb3241ff094bb1292dc7841148a7431e","7c1129af104acf9cc4c0793077e9c5df","c2f66498298c1af28da64eb5392a4a6e","72eb8c4ffd6d5f721ed3ee121264b53f")
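As an added example that is not part of the original advisory or of Gurucul's tooling, the two TDIR queries above expressed as Python checks, plus a behavioural rule for the PowerShell-to-lure-executable step described in the summary, run over constructed sample events (the event field names `image`, `parent_image`, `md5`, `srcip` and `dstip` are assumed):

```python
import ntpath

# Indicators published in the advisory
C2_IPS = {"85.203.4.232"}
MD5_HASHES = {
    "c2f66498298c1af28da64eb5392a4a6e",
    "4e98e45377fbf1390676ca36dbef0b85",
    "cb3241ff094bb1292dc7841148a7431e",
    "7c1129af104acf9cc4c0793077e9c5df",
    "72eb8c4ffd6d5f721ed3ee121264b53f",
}
# Lure file names from the write-up. Windows ships no binary named system32.exe,
# and a discord.exe spawned by PowerShell (rather than by an installer/updater)
# is out of place, so the behavioural rule keys on the parent process.
LURE_IMAGES = {"discord.exe", "system32.exe"}


def match_event(ev):
    """Return the list of reasons an event matches; an empty list means no match."""
    reasons = []
    if ev.get("dstip") in C2_IPS or ev.get("srcip") in C2_IPS:
        reasons.append("ioc:c2_ip")
    if (ev.get("md5") or "").lower() in MD5_HASHES:
        reasons.append("ioc:md5")
    image = ntpath.basename(ev.get("image") or "").lower()
    parent = ntpath.basename(ev.get("parent_image") or "").lower()
    if image in LURE_IMAGES and parent == "powershell.exe":
        reasons.append("behaviour:powershell_spawned_lure")
    return reasons


def detect(events):
    """Run match_event over a log and return [(event_id, reasons)] for hits only."""
    return [(ev["id"], r) for ev in events if (r := match_event(ev))]


# Constructed sample telemetry for illustration (field names assumed, not from the page)
SAMPLE_EVENTS = [
    {"id": 1, "srcip": "10.0.0.5", "dstip": "85.203.4.232", "dstport": 443},
    {"id": 2, "image": r"C:\Users\u\Downloads\invoice.exe",
     "md5": "C2F66498298C1AF28DA64EB5392A4A6E", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Users\u\AppData\Local\Temp\system32.exe",
     "md5": "0" * 32, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4, "image": r"C:\Users\u\AppData\Local\Discord\app-1.0\Discord.exe",
     "md5": "1" * 32, "parent_image": r"C:\Windows\explorer.exe"},  # legitimate client, no hit
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

The IOC checks mirror the two TDIR queries exactly; the behavioural rule is an added assumption intended to catch renamed or rebuilt samples whose hashes are not yet on the list.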

    Reference:

    https://www.trellix.com/blogs/research/xworms-evolving-infection-chain-from-predictable-to-deceptive/


    Tags: Malware, XWorm, Backdoor
