XWorm

In parallel to the Discord campaign, the attackers also published a malicious npm package: Package: @kindo/selfbot Versions: 1.0.0 through 1.0.4 Claimed purpose: "Just a selfbot" Actual purpose: Malware dropper

Phishing emails remain the dominant delivery method, accounting for 61% of threats that reached endpoints. One campaign used realistic invoice-themed emails to trick recipients into opening SVG attachments.

One campaign used realistic invoice-themed emails to trick recipients into opening SVG attachments... Another wave of phishing leaned on PDF attachments... One delivery chain involved IMG archives attached to phishing emails.

основним каналом доставки шкідливих програм є популярні месенджери, а методи первинного проникнення передбачають використання елементів соціальної інженерії

guarantees persistence on other environments through the 'XClient' scheduled task

These so-called “living off the land” binaries allowed them to execute commands, copy files, and decode hidden payloads... The script that followed was a lightweight reverse shell, providing attackers with command execution and data collection.

a covert .LNK file, which prompts nefarious PowerShell commands commencing the multi-stage infection process upon execution ... XWorm taps PowerShell commands to prevent Windows Defender detection

The script downloads https://astralwarfare[.]fr/script.bat and executes it.

PowerShell scripts extracted the hidden data, then MSBuild, a Microsoft tool, ran the malware.

Illicit actors have distributed phishing emails with a covert .LNK file, which prompts nefarious PowerShell commands commencing the multi-stage infection process upon execution

guarantees persistence on other environments through the 'XClient' scheduled task

The malware achieves firewall disablement by creating a specific registry entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall".

The resulting process tree indicates an alternative user, HRDP4$, is the owner of the created Firefox process. The new user is created in order to use a different remote connection session than the victim to avoid visual anomalies.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Patchhelp_beta.lnk ... Streamsvc.lnk ... appBg.lnk

guarantees persistence on other environments through the 'XClient' scheduled task

In the XWorm graphical user interface, attackers have the option of deploying hVNC either in RunPE or in memory. RunPE involves executing the hVNC process by injecting it into a legitimate running process executable... In this example, we identified that the attack leverages the legitimate process cvtres.exe to inject its code.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Patchhelp_beta.lnk ... Streamsvc.lnk ... appBg.lnk

This eventually led to the execution of obfuscated PowerShell code that unpacked and ran Lumma Stealer in memory... The attackers hid the final payload inside an old Program Information File format, further lowering the chance that users or tools would catch it.

The final XWorm payload was concealed in the pixels of a legitimate image downloaded from a trusted website.

XWorm now also leverages legitimate-looking .exe filenames to disguise itself as harmless applications... one of the dropped executables as `system32.exe`... disguised with a legitimate Discord application icon.

In the XWorm graphical user interface, attackers have the option of deploying hVNC either in RunPE or in memory. RunPE involves executing the hVNC process by injecting it into a legitimate running process executable... In this example, we identified that the attack leverages the legitimate process cvtres.exe to inject its code.

Mitre Tactics And Techniques... Techniques Indicator removal: File deletion

PowerShell scripts extracted the hidden data, then MSBuild, a Microsoft tool, ran the malware.

Base64-encoded strings are fed into the Rijndael decryptor for final decryption.

By hiding malware inside trusted file formats, leaning on built-in system tools... they reduce the chances of being caught early. | One of the most notable campaigns observed in the Q2 of 2025 involved the XWorm remote access trojan. Instead of relying on custom malware alone, attackers chained together multiple built-in Windows tools. These so-called “living off the land” binaries allowed them to execute commands, copy files, and decode hidden payloads without triggering as many alerts.

Compiled HTML Help files, once used for Windows application manuals, are now being weaponized to deliver malware. These files support scripting, making them containers for multi-stage infections.

While it self-terminates upon identifying virtualization

It systematically queries the computer system to acquire a comprehensive profile of the machine, specifically targeting information such as the computer name, the manufacturer of the system, and the specific model.

Staging: Creates C:\ProgramData\IntelDrIver directory Copies itself to C:\ProgramData\IntelDrIver\rEgX.cmd Recursively marks files as hidden/system

The alternative refers to running the hVNC process entirely in the system's RAM without writing any part of it to the disk, making it more stealthy and harder for antivirus programs to detect.

The malware achieves firewall disablement by creating a specific registry entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall".

before proceeding with the remote execution of numerous commands that enable distributed denial-of-service intrusions, URL redirections, system shutdowns, and data gathering for reconnaissance activities

While it self-terminates upon identifying virtualization

It systematically queries the computer system to acquire a comprehensive profile of the machine, specifically targeting information such as the computer name, the manufacturer of the system, and the specific model.

hVNC utilizes the Microsoft Windows Desktop API to craft a hidden desktop via the Windows feature CreateDesktop. This concealed desktop remains invisible to users... hVNC capabilities go beyond mere observation, actively emulating keyboard and mouse input, allowing cybercriminals to navigate compromised systems with precision.

hRDP Hidden Remote Desktop Protocol (hRDP) represents an illicit adaptation of Microsoft's RDP, engineered for covert remote access and control over a compromised computer... Attackers usually accomplish this by reconfiguring the RDP service to listen on a non-standard port and establishing secret user accounts for surreptitious access.

Initial delivery of a text file into the temporary directory of targeted systems is followed by the download of the 'discord.exe' file

the XWorm remote access trojan has become even stealthier

XWorm RAT... Its encryption of communications between the client and server ensures that transactions remain secure and hidden from network monitoring tools. Pandora hVNC... includes a lightweight TCP server for efficient and encrypted remote command and control operations.

SIGTOP та TUSC використовуються для викрадення та вивантаження даних з ЕОМ

commands include actions such as shutting down or restarting the system... initiating DDoS attacks

with the first deactivating Windows Firewall ... XWorm taps PowerShell commands to prevent Windows Defender detection

A key objective of the .exe is to disable the Windows Firewall and also check for the presence of third-party security applications... It adds its path and process to exclusion lists using `ExecutionPolicy Bypass Add-MpPreference -ExclusionPath` and `... -ExclusionProcess`.