XWorm 3.1 already includes a wide array of built-in functionalities (source: Fadi002/xworm-3.1-modded-by-mrpepe on GitHub):
Provides a command-line interface for executing arbitrary system commands.
Block high-risk attachment types (.iso, .lnk, .hta, .vbs, .js) at the gateway and educate users to recognize phishing lures.
Security researchers from SonicWall and SOCRadar have noted that cracked versions of this tool are widely available on platforms like GitHub, leading to its rapid proliferation among various threat actors (source: SonicWall, "Malicious PDF delivering Xworm 3.1 payload").
URLs for distribution and the inclusion of cryptocurrency-stealing clipboard hijackers (source: Tinexta Defence, Malware Lab Report: technical analysis of XWorm).
XWorm employs a wide range of advanced techniques to ensure it remains on a system and avoids detection. These can be grouped into three main areas: evasion, persistence, and defense impairment.
To maintain a long-term foothold and avoid detection, XWorm 3.1 employs a multi-layered strategy of evasion and persistence (source: SonicWall).
focusing on its Malware-as-a-Service (MaaS) model, connection to Telegram C2 (Command and Control) channels, and its relative lack of complex anti-debugging features in certain versions.
Core Features of XWorm 3.1
Based on these technical papers, XWorm 3.1 is a Remote Access Trojan (RAT) with several specific capabilities:
Stealth & Persistence: It creates a folder named
XWorm is known for its ability to spread across networks autonomously.
The malware actively attempts to disable Windows security features. It can patch the AmsiScanBuffer() function in memory to bypass the Antimalware Scan Interface (AMSI) and deactivate Event Tracing for Windows (ETW) by targeting EtwEventWrite(), effectively hiding its activity from security logs. It also modifies Microsoft Defender settings, adding its own file paths and processes to exclusion lists to prevent scanning.
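As an added defender-side example (not code from any of the sources cited on this page), the following Python scans constructed Windows Defender operational events for the tampering just described: exclusion additions and real-time protection being switched off. The event IDs 5007 and 5001 are real; the message text is an approximation of the real format and every path and process name in the sample is made up.

```python
import re

# Constructed sample events modelled on the Microsoft-Windows-Windows Defender/Operational
# log (5007 = configuration changed, 5001 = real-time protection disabled). The message
# text approximates the real format; every path and process name here is made up.
PREFIX = "Windows Defender Antivirus Configuration has changed. Old value:  New value: "
SAMPLE_EVENTS = [
    (5007, PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\XClient = 0x0"),
    (5007, PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\XClient.exe = 0x0"),
    (5007, PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Microsoft SQL Server = 0x0"),
    (5001, "Windows Defender Antivirus Real-time Protection is disabled."),
]

# An exclusion added through the registry appears in the 5007 "New value" text as
# ...\Exclusions\<Paths|Processes|Extensions>\<item> = 0x0
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?)\s*=\s*0x0\s*$",
    re.IGNORECASE,
)

# Locations an unprivileged user can write to: a scan exclusion covering one of these is
# far more often malware self-protection than legitimate performance tuning.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def classify_exclusion(kind: str, item: str) -> str:
    """'high' for exclusions a RAT would add for itself, 'medium' for anything else."""
    if kind.lower() == "processes":
        return "high"          # a process exclusion hides everything that binary touches
    if kind.lower() == "paths" and any(d in item.lower() + "\\" for d in USER_WRITABLE):
        return "high"
    return "medium"            # still worth a ticket, but more likely admin-driven


def scan_defender_events(events):
    """Reduce Defender operational events to a list of (severity, description) findings."""
    findings = []
    for event_id, message in events:
        if event_id == 5001:
            findings.append(("high", "real-time protection disabled"))
        elif event_id == 5007 and (m := EXCLUSION_RE.search(message)):
            kind, item = m.group("kind"), m.group("item")
            findings.append((classify_exclusion(kind, item), f"{kind} exclusion added: {item}"))
    return findings


if __name__ == "__main__":
    for severity, detail in scan_defender_events(SAMPLE_EVENTS):
        print(f"[{severity}] {detail}")
```

On a live host the same logic applies to events read with Get-WinEvent from the Defender operational log, and the current exclusion lists can be compared against Get-MpPreference output.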