XWorm V6: Exploring Pivotal Plugins
Oct. 6, 2025, 7:17 p.m.
Description
Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which deploys an injector to deliver the XWorm Client.
Date
- Created: Oct. 6, 2025, 6:58 p.m.
- Published: Oct. 6, 2025, 6:58 p.m.
- Modified: Oct. 6, 2025, 7:17 p.m.
Indicators