#xworm

2026-02-13

Fileless XWorm RAT Campaign Exploiting Legacy Office Vulnerability

The XWorm Remote Access Trojan is delivered through multi-themed phishing emails that exploit the legacy Microsoft Office vulnerability CVE-2018-0802.

Pulse ID: 698f641c48c5c35cb17319cf
Pulse Link: otx.alienvault.com/pulse/698f6
Pulse Author: cryptocti
Created: 2026-02-13 17:49:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #Vulnerability #Worm #XWorm #bot #cryptocti

2026-02-11

Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails

A sophisticated phishing campaign delivering XWorm RAT has been identified. The attack chain begins with themed emails containing malicious Excel attachments exploiting CVE-2018-0802. When opened, the file downloads an HTA file, which executes PowerShell code to retrieve a fileless .NET module. This module then uses process hollowing to inject the XWorm payload into Msbuild.exe. XWorm 7.2 employs encrypted C2 communication and offers extensive features through plugins, including system control, data theft, DDoS capabilities, and ransomware functionality. The analysis reveals XWorm's modular architecture and advanced evasion techniques, highlighting it as a significant threat.

Pulse ID: 698b72bb0ef7655ccb36c76f
Pulse Link: otx.alienvault.com/pulse/698b7
Pulse Author: AlienVault
Created: 2026-02-10 18:02:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DDoS #DataTheft #DoS #Email #Excel #InfoSec #MSBuild #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RansomWare #Worm #XWorm #bot #AlienVault

2026-02-11

Observed campaign summary:

Initial Access:
• Phishing emails with Excel (.XLAM) attachments
Execution:
• CVE-2018-0802 (EQNEDT32.EXE)
• HTA → mshta.exe
• PowerShell in-memory decoding
Deployment:
• Fileless .NET loader disguised as Microsoft.Win32.TaskScheduler
• Process hollowing into Msbuild.exe
• AES-encrypted C2 packets
• Delimited command protocol
• Plugin-based architecture (50+ modules)

Capabilities include credential theft, ransomware, DDoS, system control, registry persistence, and remote command execution.

This campaign demonstrates mature modular RAT engineering combined with social engineering entry points.

Blue teamers - which telemetry source provides the strongest signal here?

Source: fortinet.com/blog/threat-resea

Follow @technadu for ongoing malware analysis and threat intelligence coverage.

#Infosec #MalwareResearch #ThreatIntel #XWorm #RAT #ProcessInjection #EDR #DFIR #CyberDefense #BlueTeam #TechNadu
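As an added illustration (not part of the post above or of the Fortinet write-up it cites), the following Python script shows what the execution chain from the campaign summary looks like in process-creation telemetry with parent lineage (Sysmon Event ID 1 or equivalent EDR events), and flags the three links that break normal behaviour: EQNEDT32.EXE spawning any child, mshta.exe spawning PowerShell, and MSBuild.exe launched beneath a scripting host. The events, PIDs and paths are constructed sample data, and the rule names are this example's own.

```python
"""Flag the Excel -> EQNEDT32.EXE -> mshta.exe -> powershell.exe -> MSBuild.exe
chain in a batch of process-creation events (added example, constructed data)."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


# Constructed sample telemetry; PIDs, paths and arguments are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE"),
    ProcEvent(300, 200, r"C:\Program Files\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE",
              "EQNEDT32.EXE -Embedding"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\AppData\Local\Temp\x.hta"'),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc AAAA"),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    # Benign noise: an interactive PowerShell started from cmd.exe.
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Date"),
]

# Script hosts under which a build tool like MSBuild has no business starting.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """Image names from pid up to the root, child first; cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev.image))
        pid = ev.ppid
    return chain


def detect(events) -> list:
    """Return (rule_name, pid) findings for the suspicious parent/child links."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = basename(e.image)
        parent = basename(by_pid[e.ppid].image) if e.ppid in by_pid else ""
        # Equation Editor is COM-launched by Office and never needs children.
        if parent == "eqnedt32.exe":
            findings.append(("eqnedt32_spawns_child", e.pid))
        # HTA host handing off to PowerShell is the in-memory stage of the chain.
        if parent == "mshta.exe" and child in {"powershell.exe", "pwsh.exe"}:
            findings.append(("mshta_spawns_powershell", e.pid))
        # MSBuild (the hollowing target) started anywhere below a script host.
        if child == "msbuild.exe" and SCRIPT_HOSTS & set(ancestry(e.ppid, by_pid)):
            findings.append(("msbuild_from_script_host", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} <- {' <- '.join(ancestry(pid, {e.pid: e for e in SAMPLE_EVENTS}))}")
```

The ancestry walk matters more than any single pair: the MSBuild rule fires on the hollowed host even when an intermediate process has already exited, as long as the creation events were retained, which is why parent-lineage telemetry rather than file or network logging alone exposes the fileless stages described above.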

Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
2026-02-10

#xworm SHA256: 166860ad70d99449ce5102e405ea32d1cd8836d5898d09ea2c8b5f979048b48e C2: https://pastebin[.]com/raw/VmEbXE30,82[.]22[.]174[.]187:8000

Top 10 last week's threats by uploads 🌐
⬆️ #Agenttesla 549 (306)
⬇️ #Asyncrat 435 (443)
⬆️ #Dcrat 379 (225)
⬇️ #Xworm 366 (435)
⬇️ #Stealc 360 (475)
⬇️ #Vidar 345 (455)
⬆️ #Salatstealer 235 (206)
⬇️ #Remcos 234 (307)
⬆️ #Gh0st 225 (166)
⬇️ #Quasar 200 (207)
Explore malware in action: app.any.run/?utm_source=mastod

#cybersecurity #infosec

2026-02-05

#xworm SHA256: 6121ff860dbf7f72ee3fd3ae9e2cfa477dc09fdf9633c6ae7abcb8c7c1d2023d C2: 77[.]105[.]161[.]6:8765

⚠️ In 2025, stealer and RAT activity tripled. #Lumma led with 31K+ detections, while #XWorm grew 4.3x YoY.

Phishing kept pace, driven by MFA-bypassing PhaaS kits like #Tycoon2FA and #EvilProxy.

👨‍💻 See which threats SOC teams should be preparing for next: any.run/cybersecurity-blog/mal

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Stealc 475 (311)
⬆️ #Vidar 456 (309)
⬆️ #Asyncrat 444 (360)
⬇️ #Xworm 435 (861)
⬆️ #Remcos 307 (277)
⬆️ #Agenttesla 307 (157)
⬆️ #Reverseloader 303 (143)
⬆️ #Dcrat 227 (88)
⬇️ #Quasar 208 (233)
⬇️ #Salatstealer 206 (221)
Explore malware in action: app.any.run/?utm_source=mastod

#cybersecurity #infosec

2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

Screenshot from an infected Windows host showing Remcos RAT and how it is persistent.
2026-01-28

Can't stop, won't stop: TA584 innovates initial access

TA584, a prominent initial access broker targeting organizations globally, demonstrated significant changes in attack strategies throughout 2025. The actor expanded its global targeting, adopted ClickFix social engineering techniques, and began delivering new malware called Tsundere Bot. TA584's operational tempo increased, with monthly campaigns tripling from March to December. The actor uses various delivery methods via email, often sending from compromised individual accounts. TA584's campaigns now run in rapid succession and overlap, with distinct lure themes and short operational lifespans. The actor has shown adaptability in social engineering, brand impersonation, and payload delivery, making static detection less effective. Recent payloads include XWorm with the 'P0WER' configuration and the newly observed Tsundere Bot, both likely part of Malware-as-a-Service offerings.

Pulse ID: 697a54c77c23553aa2d3be96
Pulse Link: otx.alienvault.com/pulse/697a5
Pulse Author: AlienVault
Created: 2026-01-28 18:26:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #SocialEngineering #Worm #XWorm #bot #AlienVault

2026-01-27

⚠️ In 2025, #Lumma led detections with 31K+ cases, while #XWorm saw sharp growth, up 4.3x year over year.

#AsyncRAT and #Remcos followed with ~16K detections each, while #Quasar and #Vidar entered the top list, signaling renewed RAT and stealer diversification.

📈 Learn more in our 2025 threat landscape report: any.run/cybersecurity-blog/mal

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 861 (712)
⬆️ #Asyncrat 360 (337)
⬆️ #Stealc 311 (307)
⬆️ #Vidar 309 (266)
⬆️ #Remcos 278 (248)
⬆️ #Quasar 233 (209)
⬇️ #Gh0st 192 (218)
⬆️ #Lumma 187 (140)
⬆️ #Agenttesla 157 (135)
⬆️ #Reverseloader 143 (111)
Explore malware in action: app.any.run/?utm_source=mastod

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 712 (563)
⬆️ #Asyncrat 339 (333)
⬆️ #Stealc 307 (216)
⬆️ #Vidar 266 (204)
⬆️ #Remcos 249 (169)
⬆️ #Salatstealer 227 (209)
⬇️ #Gh0st 218 (241)
⬇️ #Quasar 209 (211)
⬆️ #Lumma 140 (138)
⬆️ #Agenttesla 139 (100)
Explore malware in action: app.any.run/?utm_source=mastod

#cybersecurity #infosec

⚠️ In Q4 2025, #XWorm surged 174%, fueled by its flexibility across manufacturing and healthcare

#AsyncRAT and #Quasar followed with 46% and 27% growth, showing open-source RATs outpacing commercial stealers

📈 Learn more in our threat landscape report: any.run/cybersecurity-blog/mal

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 563 (350)
⬆️ #Asyncrat 335 (176)
⬆️ #Warzone 289 (35)
⬆️ #Gh0st 241 (14)
⬆️ #Stealc 216 (180)
⬆️ #Quasar 211 (159)
⬆️ #Vidar 204 (184)
⬆️ #Remcos 169 (40)
⬇️ #Lumma 139 (167)
⬆️ #Reverseloader 108 (21)
Explore malware in action: app.any.run/?utm_source=mastod

#cybersecurity #infosec

2026-01-10

#xworm SHA256: bb41613221de320e4ee04ca28405c3fd7b891f2a7879646a27868f0f83379907 C2: https://pastebin[.]com/raw/NDJVLMQu,eyadking[.]linkpc[.]net:7000

🚨 #XWorm is up +174% in Q4 25, while #Storm1747 increased its activity by 51%.

Explore major threats, TTPs, and APTs in our latest threat landscape report powered by data from 15K SOCs.

Use this intelligence now to prevent incidents later 👇
any.run/cybersecurity-blog/mal

#cybersecurity #infosec

2026-01-06

#xworm SHA256: 25d38ad0b5f2afcd845e1af5627c2b4b365c5f1516d7f7d87c4e13bf1482c5ba C2: 77[.]105[.]161[.]6:1254
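The four `#xworm SHA256: ... C2: ...` posts in this feed share one defanged format (`[.]` in place of dots, comma-separated C2 entries mixing URLs, IP:port and host:port). The parser below is an added example, not code from any of the posters, that turns those lines into refanged, typed indicators and a deduplicated blocklist; the indicator lines are copied from the posts above, while the `hxxp` handling covers a common defang convention the posts themselves do not use.

```python
"""Parse defanged XWorm IoC posts into typed indicators (added example)."""
import re
from ipaddress import ip_address

# Indicator lines copied verbatim from the #xworm posts on this page.
IOC_LINES = [
    "#xworm SHA256: 166860ad70d99449ce5102e405ea32d1cd8836d5898d09ea2c8b5f979048b48e "
    "C2: https://pastebin[.]com/raw/VmEbXE30,82[.]22[.]174[.]187:8000",
    "#xworm SHA256: 6121ff860dbf7f72ee3fd3ae9e2cfa477dc09fdf9633c6ae7abcb8c7c1d2023d "
    "C2: 77[.]105[.]161[.]6:8765",
    "#xworm SHA256: bb41613221de320e4ee04ca28405c3fd7b891f2a7879646a27868f0f83379907 "
    "C2: https://pastebin[.]com/raw/NDJVLMQu,eyadking[.]linkpc[.]net:7000",
    "#xworm SHA256: 25d38ad0b5f2afcd845e1af5627c2b4b365c5f1516d7f7d87c4e13bf1482c5ba "
    "C2: 77[.]105[.]161[.]6:1254",
]

IOC_LINE = re.compile(
    r"^#(?P<family>\w+)\s+SHA256:\s*(?P<sha256>[0-9a-fA-F]{64})\s+C2:\s*(?P<c2>\S+)"
)


def refang(s: str) -> str:
    """Undo the usual defang substitutions so the value can be matched in logs."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def split_host_port(endpoint: str):
    """'host:1234' -> ('host', 1234); endpoints without a numeric port keep None."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return endpoint, None
    return host, int(port)


def classify(c2: str) -> dict:
    """Tag a refanged C2 entry as url, ip or domain."""
    if c2.lower().startswith(("http://", "https://")):
        return {"type": "url", "value": c2, "port": None}
    host, port = split_host_port(c2)
    try:
        ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return {"type": kind, "value": host, "port": port}


def parse_ioc_line(line: str):
    """Return a record for one IoC post, or None if the line is not in that format."""
    m = IOC_LINE.match(line.strip())
    if not m:
        return None
    return {
        "family": m["family"].lower(),
        "sha256": m["sha256"].lower(),
        "c2": [classify(refang(part)) for part in m["c2"].split(",") if part],
    }


def build_blocklist(lines) -> dict:
    """Deduplicated hashes, IPs, domains and URLs across all parsable lines."""
    bucket = {"ip": "ips", "domain": "domains", "url": "urls"}
    bl = {"sha256": set(), "ips": set(), "domains": set(), "urls": set()}
    for line in lines:
        rec = parse_ioc_line(line)
        if rec is None:
            continue
        bl["sha256"].add(rec["sha256"])
        for c2 in rec["c2"]:
            bl[bucket[c2["type"]]].add(c2["value"])
    return bl


if __name__ == "__main__":
    for name, values in build_blocklist(IOC_LINES).items():
        print(name, sorted(values))
```

Ports are kept on the per-record entries but dropped from the blocklist on purpose: the same host appears here on ports 8765 and 1254, and a network control keyed on host alone covers both without a second rule.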

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst