First discovered in 2022, XWorm malware is a remote access trojan (RAT) capable of evading detection and collecting sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.
XWorm tracks keystrokes, captures webcam images, listens to audio input, scans network connections, and views open windows. It can also access and manipulate a computer’s clipboard, potentially stealing cryptocurrency wallet credentials. Last year, XWorm was involved in many cyberattacks, including the exploitation of Cloudflare tunnels and delivery via a Windows script file, and the upward trend of these sophisticated RATs is already evident in 2025.
Last month, researchers discovered that threat actors had targeted script kiddies with a trojanized version of the XWorm RAT builder. The weaponized malware propagated through GitHub, Telegram, and file-sharing platforms to infect over 18,000 devices globally, including in the United States.
The malware secretly compromised computers to deploy a backdoor that performed system reconnaissance, command execution, and exfiltration of data such as browser credentials, Discord tokens, Telegram data, and system information. Threat actors have exfiltrated over 1 GB of browser credentials from multiple computers. The malware’s “kill switch” feature was identified and leveraged to disrupt operations on infected computers. In the past month, the NJCCIC’s email security solution identified an uptick in multiple campaigns attempting to deliver XWorm malware to New Jersey State employees to gain remote access, steal credentials, exfiltrate data, and deploy ransomware.
The messages impersonate Booking.com or a customer of a hospitality organization with themes of last-minute bookings to address customer complaints, inquiries about upcoming travel plans, or issues related to past travel reservations. They display subject lines containing keywords such as reservation, booking cancellation, request for action, poor evaluation, hotel accommodation, and establishment difficulty.
The messages contain various types of URLs, such as email trackers, URL shorteners, and open redirects. There are multiple redirects and filtering techniques before arriving at one of the numerous landing pages with various layouts and scripting. The URLs for the landing pages contain keywords such as book, booking, complaint, feedback, inquiry, reportguest, and stayissueguest.
The threat actors use the ClickFix technique to display dialog boxes containing fake error messages that manipulate targets into following instructions to “fix” the problem. Sometimes they lend the lure an appearance of authenticity with a fake CAPTCHA-themed ClickFix prompt that purports to validate the target. However, the target’s clicks copy, paste, or execute malicious payloads or scripts in the background. The payloads use PowerShell or MSHTA commands to download and execute XWorm malware.
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources.
Type official website URLs into browsers manually and only submit account credentials or sensitive information on official websites.
Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Reduce your digital footprint so threat actors cannot easily target you. Keep systems up to date and apply patches after appropriate testing.