XWorm v3.1 Updated Jun 2026
The most distinct change in v3.1 is the removal of the aggressive USB worm functionality present in v2.2.
The malware incorporates multiple layers of obfuscation, including AES encryption, code virtualization, and Base64 encoding, to hinder static analysis and reverse engineering efforts.
[ Compromised Host ]
        │
        ▼ (Sends System Fingerprint via TCP)
[ Command & Control Server (C2) ]
        │
        ▼ (Validates Host and Pushes AES-Encrypted Plugins)
[ In-Memory Assembly Loading ] ──► (Executes Keylogger, Stealer, or Ransomware)
The updated version features a more resilient infrastructure, using non-standard ports to evade network defenses. The malware decrypts its C2 server host, TCP port (e.g., 6000), and configuration keys only at runtime, reducing the footprint for static analysis.
While not new to RATs, v3.1 updates its targeting list. It now monitors the clipboard for regex patterns matching:
This version was noted for including hardcoded cryptocurrency addresses. It monitors the victim's clipboard for crypto wallet strings and replaces them with the attacker's address to reroute transactions.
D. Multi-Stage Payload Delivery
XWorm employs sophisticated multi-stage infection chains that can incorporate up to 10 distinct payloads and tools. These chains involve PowerShell scripts, VBS scripts, batch files, HTA files, JavaScript, .NET executables, and Office macros, making static detection exceptionally difficult. Each component may be encrypted and obfuscated, decrypting only at runtime.
Improved anti-analysis and anti-sandbox techniques.
Disables , stops the WinDefend service, and turns off Windows Firewall.
The updated malware often loads directly into memory, avoiding the creation of executable files on the disk, which significantly complicates detection.
Researchers have identified several active campaigns delivering v3.1 and newer versions:
Newer versions include advanced obfuscation and sandbox detection techniques to avoid analysis in virtual environments.
Uses obfuscated scripts to download a .NET-based loader.
Just pushed the latest update for xWorm. Version 3.1 is live now!