Xworm 3.1 [TESTED]

It can harvest browser data (passwords, cookies, credit card information), session tokens from applications such as Discord and Telegram, and cryptocurrency wallet details.

XWorm 3.1 includes multiple features to detect and evade analysis environments:

XWorm's reach is substantial. In 2025 alone, the malware was linked to attacks on over 18,000 devices worldwide. Its campaigns have targeted organizations across multiple sectors, including healthcare, finance, manufacturing, and government.

XWorm 3.1 rarely arrives as a standalone attack. Threat actors routinely leverage complex, multi-stage loaders and stagers to evade initial perimeter controls.

Figure: Malicious PDF delivering the XWorm 3.1 payload (source: SonicWall).

The malware may also place copies of itself in the Startup folder.

The XWorm builder produces a PHP/MySQL-based control panel. Features include:

The strength of XWorm 3.1 lies in its modularity and extensive toolkit, which allows for a wide range of malicious operations:

XWorm 3.1 employs AES-ECB encryption to protect communication between infected clients and its C2 server. The malware's configuration—including C2 host, port number, encryption key, data separator, and executable name—is stored in an encrypted class within the client binary. The encryption key is derived from an MD5 hash of a 16-character Mutex, which is then used to create a 32-byte AES key.

This makes it adaptable and easy to modularize, with over 35 available plugins.

Beyond its plugin architecture, XWorm 3.1 includes a suite of built-in capabilities that make it a true all-in-one RAT. The malware can:

Delivery formats include PowerShell scripts, VBS files, JavaScript, batch scripts, .hta files, .lnk shortcuts, .iso and .vhd disk images, .img files, ZIP archives, and Office macros. This variety forces security teams to defend against a broad spectrum of potential entry points rather than focusing on a single file type.

XWorm 3.1 includes a native encryption algorithm capable of locking user files and dropping a customizable ransom note.

The malware operates on a Malware-as-a-Service (MaaS) model, in which the original developers rent out the RAT and its associated infrastructure to other criminals on dark web forums. This distribution model has dramatically lowered the barrier to entry for aspiring cybercriminals and contributed to XWorm's widespread adoption. Following a code leak, the threat has become even more accessible, with various cracked versions circulating on platforms such as GitHub.

Attackers can view the victim's screen and control the mouse and keyboard in real time.

Attackers send fraudulent emails, often themed around invoices, shipping information, or urgent business requests.

The code is obfuscated so that simple scanners cannot read it.