Malware, Threat Intelligence

XWorm RAT reemerges with increased sophistication


Additional malicious capabilities have been integrated into the new XWorm 6.0 RAT, following the proliferation of a cracked version of XWorm 5.6 after the malware's operators abruptly deleted their Telegram account in the second half of 2024, The Hacker News reports. Intrusions spreading XWorm 6.0 involved phishing emails carrying malicious JavaScript files that display a decoy PDF document while executing PowerShell code that injects the malware, according to an analysis by Trellix researchers. XWorm 6.0 ships with various plugins, including ones for remote session creation, data exfiltration, filesystem access, system command execution, system information collection, infected-machine verification, installation of a modified r77 rootkit, active TCP connection listing, and ransomware deployment. Aside from enabling the deployment of ransomware resembling NoCry, XWorm 6.0 has also been used to deliver Coin Miner, DarkCloud Stealer, Remcos RAT, Pure Malware, and other payloads. "The unexpected return of XWorm V6, armed with a versatile array of plugins for everything from keylogging and credential theft to ransomware, serves as a powerful reminder that no malware threat is ever truly gone," said Trellix.
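As an added illustration (not code from the Trellix analysis or this brief), the following Python snippet expresses a detection for the delivery chain described above, a Windows script host running a .js attachment that then spawns PowerShell, over constructed process-creation events; the Sysmon-style field names, the quiet-execution flag list, and all sample values are assumptions.

```python
"""Detection for the delivery chain described above: a Windows script host
(wscript/cscript) running a .js attachment that spawns PowerShell.
Field names follow Sysmon Event ID 1 naming (assumed); events are constructed."""
import re
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches typically used to run PowerShell quietly (assumed, not exhaustive).
QUIET_FLAGS = re.compile(r"(?i)-(?:enc\w*|e\b|nop\w*|w(?:indowstyle)?\s+hidden|ep\s+bypass)")

def basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return 'high' or 'medium' for a script-host-to-PowerShell event, else None."""
    if basename(event["Image"]) not in POWERSHELL:
        return None
    if basename(event["ParentImage"]) not in SCRIPT_HOSTS:
        return None
    if ".js" not in event["ParentCommandLine"].lower():
        return None  # only the JavaScript-attachment chain is in scope here
    return "high" if QUIET_FLAGS.search(event["CommandLine"]) else "medium"

def find_alerts(events: List[dict]) -> List[Tuple[str, int, str]]:
    """Return (severity, process id, parent command line) for matching events."""
    return [(sev, e["ProcessId"], e["ParentCommandLine"])
            for e in events if (sev := classify(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\Downloads\Invoice_2024.pdf.js"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    {"ProcessId": 4203, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "ParentCommandLine": r"cscript.exe C:\it\logon.vbs"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first constructed event matches: a .js file run by wscript.exe spawning a hidden, encoded PowerShell command, which is the pattern the brief attributes to XWorm 6.0's phishing chain.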
