XWorm v7 RAT: Technical Analysis of Infection Chain, C2 Protocol, and Plugin Architecture

    Date: 02/12/2026

    Severity: High

    Summary

    XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities. The analyzed campaign demonstrates a full infection chain beginning with phishing-based delivery, followed by in-memory execution, encrypted C2 communication, and the use of plugin-based modules enabling credential theft, surveillance, DDoS activity, and even ransomware deployment—showcasing a flexible and evasive architecture built for persistence and scalable abuse.

    Indicators of Compromise (IOC) List

    URLs/Domains

    https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg

    https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/us.txt

    IP Address

    158.94.209.180

    Hash

    de7d74d374a4422c5084280ff71f7942d61f35c271df7d5af01bdd756d0f630b

    3f4c3c16f63fb90d1fd64b031d8a9803035f3cb18332e198850896881fb42fe5

    c3bfedae725f159691c203d1f0cdbb9a5cf42777e3d681f923e83e1d1bc74c0f

    4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4

    eacd8e95ead3ffe2c225768ef6f85672c4bfdf61655ed697b97f598203ef2cf6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg" or siteurl like "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg" or url like "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg" or domainname like "https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/us.txt" or siteurl like "https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/us.txt" or url like "https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/us.txt"

    Detection Query 2:

    dstipaddress IN ("158.94.209.180") or srcipaddress IN ("158.94.209.180")

    Detection Query 3:

    sha256hash IN ("3f4c3c16f63fb90d1fd64b031d8a9803035f3cb18332e198850896881fb42fe5","de7d74d374a4422c5084280ff71f7942d61f35c271df7d5af01bdd756d0f630b","eacd8e95ead3ffe2c225768ef6f85672c4bfdf61655ed697b97f598203ef2cf6","4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4","c3bfedae725f159691c203d1f0cdbb9a5cf42777e3d681f923e83e1d1bc74c0f")
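    The three queries above are written for the Gurucul TDIR query language. To make the same IOC sweep checkable offline, the following is an added example (not Gurucul's code and not part of the original advisory) that re-implements their intent in plain Python: Query 1 on the URL/domain fields, Query 2 on source or destination IP, and Query 3 on SHA-256. The field names (url, siteurl, domainname, srcipaddress, dstipaddress, sha256hash) are taken from the queries; the key=value log format, the parse_kv/match_record/sweep helpers and the sample log lines are constructed assumptions. It goes slightly beyond the queries in two ways a practitioner would want: hashes are compared case-insensitively, and a hit on the hostname alone is reported as a separate, weaker signal, because res.cloudinary.com is a shared CDN and only the exact URL (or the attacker-specific r2.dev bucket name) is a strong indicator.

```python
"""IOC sweep over constructed sample log lines.

Added example, not Gurucul's code: mirrors the intent of the three TDIR
detection queries in this advisory in plain Python so the logic can be
checked offline. Field names come from the queries; the key=value log
format and the log lines themselves are constructed for illustration.
"""
from urllib.parse import urlsplit

# IOCs exactly as listed in the advisory.
IOC_URLS = {
    "https://res.cloudinary.com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg",
    "https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/us.txt",
}
IOC_IPS = {"158.94.209.180"}
IOC_SHA256 = {
    "de7d74d374a4422c5084280ff71f7942d61f35c271df7d5af01bdd756d0f630b",
    "3f4c3c16f63fb90d1fd64b031d8a9803035f3cb18332e198850896881fb42fe5",
    "c3bfedae725f159691c203d1f0cdbb9a5cf42777e3d681f923e83e1d1bc74c0f",
    "4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4",
    "eacd8e95ead3ffe2c225768ef6f85672c4bfdf61655ed697b97f598203ef2cf6",
}

# Hostnames derived from the IOC URLs. res.cloudinary.com is a shared CDN,
# so a host-only hit there is a weak signal; the r2.dev bucket name is
# attacker-specific and therefore a strong one.
SHARED_HOSTS = {"res.cloudinary.com"}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

URL_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")


def parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key.lower()] = value
    return rec


def hostname_of(value: str) -> str:
    """Lowercase host of a URL, or the value itself if it is a bare hostname."""
    host = urlsplit(value).hostname if "://" in value else None
    return (host or value).lower().rstrip(".")


def match_record(rec: dict) -> list:
    """Return the detections a record triggers, mirroring Queries 1-3."""
    hits = []
    # Query 1: URL/domain fields. Exact URL match first (high confidence),
    # then host-level match, downgraded for shared CDN hosts.
    for field in URL_FIELDS:
        value = rec.get(field)
        if not value:
            continue
        if value in IOC_URLS:
            hits.append("Q1:url-exact")
            break
        host = hostname_of(value)
        if host in IOC_HOSTS:
            hits.append("Q1:host-weak" if host in SHARED_HOSTS else "Q1:host")
            break
    # Query 2: source or destination IP.
    if any(rec.get(f) in IOC_IPS for f in IP_FIELDS):
        hits.append("Q2:ip")
    # Query 3: SHA-256, compared case-insensitively.
    if rec.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("Q3:sha256")
    return hits


def sweep(lines) -> dict:
    """Map line index -> detections for every line that matched."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_record(parse_kv(line))
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry (not real logs).
SAMPLE_LOGS = [
    "ts=2026-02-12T10:00:01Z srcipaddress=10.0.0.5 url=https://pub-3bc1de741f8149f49bdbafa703067f24.r2.dev/us.txt",
    "ts=2026-02-12T10:00:07Z srcipaddress=10.0.0.5 dstipaddress=158.94.209.180 dstport=443",
    "ts=2026-02-12T10:00:09Z host=ws-17 sha256hash=DE7D74D374A4422C5084280FF71F7942D61F35C271DF7D5AF01BDD756D0F630B",
    "ts=2026-02-12T10:01:00Z srcipaddress=10.0.0.9 domainname=res.cloudinary.com",
    "ts=2026-02-12T10:01:30Z srcipaddress=10.0.0.9 url=https://example.invalid/index.html",
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_LOGS).items():
        print(idx, hits, SAMPLE_LOGS[idx])
```

    Run as a script it prints one line per matching record. The fourth sample line (a bare res.cloudinary.com lookup) is reported only as Q1:host-weak, which is the point of separating the two signals: an alert on that alone would page on ordinary CDN traffic, while an exact match on the full upload path, the r2.dev bucket, the C2 IP or one of the listed hashes should be treated as a confirmed hit.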

    Reference:

    https://gurucul.com/blog/xworm-v7-rat-technical-analysis-of-infection-chain-c2-protocol-and-plugin-architecture/#introduction


    Tags

    Malware, XWorm, RAT, MaaS, Phishing, Credential Theft, DDoS Attacks
