<div>
<h1>Want More XWorm?, (Wed, Mar 4th)</h1>
<p>Published 2026-03-04 on <a href="https://blog.ibvl.in/index.php/2026/03/04/want-more-xworm-wed-mar-4th/">blog.ibvl.in</a>. Diary by Xavier Mertens for the SANS Internet Storm Center.</p>
<p>Another XWorm[<a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm">1</a>] wave is in the wild! The malware family is neither new nor rare, but its delivery techniques keep evolving and deserve a write-up to show how imaginative threat actors can be. This time, the chain mixes JavaScript, PowerShell and a DLL loader.</p>
<p>Here is a quick overview:</p>
<p><img alt="Overview of the infection chain" src="https://isc.sans.edu/diaryimages/images/isc-20260304-1.png"></p>
<p>The JavaScript is classically obfuscated:</p>
<p><img alt="Obfuscated JavaScript dropper" src="https://isc.sans.edu/diaryimages/images/isc-20260304-2.png"></p>
<p>There is no need to analyse it by hand: run it in a sandbox and watch it work. It drops a PowerShell script in a temporary directory (<code>C:\Temp\ps_5uGUQcco8t5W_1772542824586.ps1</code>). The numeric suffix looks like a JavaScript millisecond timestamp (2026-03-03 13:00:24 UTC, the day before this diary), so the exact file name is not a stable indicator: hunt for the <code>ps_&lt;random&gt;_&lt;13 digits&gt;.ps1</code> pattern rather than for the name itself. This loader decodes (Base64 + XOR) another payload and invokes it as PowerShell in memory:</p>
<p><img alt="PowerShell loader decoding the next stage" src="https://isc.sans.edu/diaryimages/images/isc-20260304-3.png"></p>
<p>Because the final stage is protected only by this XOR layer, the decoded PowerShell is not further obfuscated and is easy to read. The next stage is a DLL (<code>MAD.dll</code> in the IOC table below) that exports a function called <code>ProcessHollowing</code> (nice name, by the way) and acts as a loader: it injects the XWorm client into the .NET compiler process…</p>
<p>Here is the extracted config:</p>
<pre>
{
    "c2": [
        "204[.]10[.]160[.]190:7003"
    ],
    "attr": {
        "install_file": "USB.exe"
    },
    "keys": [
        {
            "key": "aes_key",
            "kind": "aes.plain",
            "value": "XAorWEAzx4+ic89KWd910w=="
        }
    ],
    "rule": "Xworm",
    "mutex": [
        "Cqu1F0NxohroKG5U"
    ],
    "family": "xworm",
    "version": "XWorm V6.4"
}</pre>
<p>Do you recognize the C2 IP address? It’s the same as the one detected in my latest diary![<a href="https://isc.sans.edu/diary/Fake%20Fedex%20Email%20Delivers%20Donuts!/32754">2</a>]</p>
<p>And some IOCs:</p>
<table border="1">
<thead>
<tr>
<th scope="col">File</th>
<th scope="col">SHA256</th>
</tr>
</thead>
<tbody>
<tr>
<td>Inv-4091-CBM-4091-CUSTOM-Packing_List.js</td>
<td>5140b02a05b7e8e0c0afbb459e66de4d74f79665c1d83419235ff0cdcf046e9c</td>
</tr>
<tr>
<td>ps_5uGUQcco8t5W_1772542824586.ps1</td>
<td>5a3d33efaaff4ef7b7d473901bd1eec76dcd9cf638213c7d1d3b9029e2aa99a4</td>
</tr>
<tr>
<td>MAD.dll</td>
<td>af3919de04454af9ed2ffa7f34e4b600b3ce24168f745dba4c372eb8bcc22a21</td>
</tr>
<tr>
<td>payload.exe (XWorm)</td>
<td>58e38fffb78964300522d89396f276ae0527def8495126ff036e57f0e8d3c33b</td>
</tr>
</tbody>
</table>
<p>[1] <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm">https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm</a><br>
[2] <a href="https://isc.sans.edu/diary/Fake%20Fedex%20Email%20Delivers%20Donuts!/32754">https://isc.sans.edu/diary/Fake%20Fedex%20Email%20Delivers%20Donuts!/32754</a></p>
<p>Xavier Mertens (@xme)<br>
Xameco<br>
Senior ISC Handler &ndash; Freelance Cyber Security Consultant<br>
<a href="https://keybase.io/xme/key.asc">PGP Key</a></p>
<p>(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.</p>
</div>
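<p>The loader's Base64 + XOR layer is trivial to undo once the key is known, and even without the key a known-plaintext attack on the first bytes of the PowerShell stage recovers it. The following is an added example written for this page, not the diary author's tooling or the loader's own code. It assumes the loader applies XOR underneath Base64 (so decoding is Base64 first, then XOR) with a short repeating key; the stage text and key it uses are constructed, since the diary does not publish them.</p>

```python
"""Undo a Base64 + XOR protected PowerShell stage and recover the XOR key
from a known plaintext prefix. Added example for this diary, not the
author's tooling or the loader's own code. Assumptions: the loader applies
XOR first and Base64 on top (so decoding is Base64, then XOR), the key is a
short repeating byte string, and the sample stage and key below are
constructed for illustration (the diary does not publish the real key)."""
import base64
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; the operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_stage(stage: str, key: bytes) -> str:
    """What a loader of this kind does at build time: XOR, then Base64."""
    return base64.b64encode(xor_bytes(stage.encode(), key)).decode("ascii")


def decode_stage(blob: str, key: bytes) -> str:
    """What the analyst does: Base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def recover_key(blob: str, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack on the XOR layer. XOR of the ciphertext with the
    expected opening bytes of the stage yields the key stream; the shortest
    period that repeats consistently across the prefix is the key. Only a
    period the prefix covers at least twice is accepted, so that a short
    prefix cannot masquerade as a long key (returns None in that case)."""
    raw = base64.b64decode(blob)
    if len(known_prefix) > len(raw):
        return None
    stream = xor_bytes(raw[: len(known_prefix)], known_prefix)
    for klen in range(1, min(max_key_len, len(stream) // 2) + 1):
        candidate = stream[:klen]
        if all(stream[i] == candidate[i % klen] for i in range(len(stream))):
            return candidate
    return None


# Constructed sample: a tiny stage that decodes and invokes a command in memory,
# and a made-up key. Neither comes from the analysed sample.
SAMPLE_KEY = b"isc-demo-key"
SAMPLE_STAGE = (
    '$payload = [System.Convert]::FromBase64String("V3JpdGUtSG9zdCAnaGknCg==");\n'
    "Invoke-Expression ([Text.Encoding]::UTF8.GetString($payload))\n"
)
SAMPLE_BLOB = encode_stage(SAMPLE_STAGE, SAMPLE_KEY)

if __name__ == "__main__":
    # An analyst usually knows how such a stage opens ("$payload = [System.Convert]::")
    # even without the key; that prefix alone is enough to recover a 12-byte key.
    key = recover_key(SAMPLE_BLOB, b"$payload = [System.Convert]::")
    print("recovered key:", key)
    print(decode_stage(SAMPLE_BLOB, key))
```

<p>If the known prefix is shorter than twice the key length, <code>recover_key</code> deliberately returns <code>None</code> instead of guessing; extend the prefix (the second line of a stage is often as predictable as the first) or fall back to reading the key out of the loader script itself.</p>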
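<p>The chain described above (script host, dropped <code>ps_*.ps1</code>, PowerShell, .NET compiler process, C2 on 204.10.160.190:7003) is easy to express as a few correlation rules over Sysmon-style process, file and network events. The code below is an added example, not ISC's or the author's tooling. It assumes the ".NET compiler process" the diary mentions is <code>csc.exe</code> or <code>vbc.exe</code> (the diary does not name it), treats a compiler launched by PowerShell with no command-line arguments as the hollowing candidate (a heuristic: a legitimate <code>Add-Type</code> compile passes <code>/noconfig</code> and a <code>.cmdline</code> response file), and the event records and file paths are constructed.</p>

```python
"""Hunt for the execution chain described in this diary over Sysmon-style
events (ProcessCreate, FileCreate, NetworkConnect). Added example, not
tooling from the diary or ISC. Assumptions: the ".NET compiler process" the
diary mentions is csc.exe or vbc.exe (the diary does not name it); a hollowed
compiler process is launched with no command-line arguments, a heuristic
because a legitimate Add-Type compile passes /noconfig and a .cmdline
response file; all events and paths below are constructed for illustration."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}          # assumption, see docstring
# Dropped-loader name pattern from the diary: ps_<random>_<13-digit epoch ms>.ps1
LOADER_DROP = re.compile(r"\\Temp\\ps_[A-Za-z0-9]+_\d{13}\.ps1$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn the defanged form used on the page (204[.]10[.]160[.]190) back into a real IP."""
    return ioc.replace("[.]", ".")


C2 = {(refang("204[.]10[.]160[.]190"), 7003)}      # from the extracted config


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return rest.strip() != ""


def hunt(events):
    """Return (rule, pid, message) tuples for events matching the chain."""
    findings = []
    hollowed = set()   # pids flagged by R3, so R4 can tie the C2 beacon back to them
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "ProcessCreate":
            parent = basename(ev["parent_image"])
            if parent in SCRIPT_HOSTS and img in POWERSHELL:
                findings.append(("R1", ev["pid"], f"{parent} spawned {img}"))
            if parent in POWERSHELL and img in DOTNET_COMPILERS and not has_arguments(ev["cmdline"]):
                hollowed.add(ev["pid"])
                findings.append(("R3", ev["pid"], f"{img} started by {parent} with no arguments (hollowing target)"))
        elif ev["type"] == "FileCreate":
            if img in SCRIPT_HOSTS | POWERSHELL and LOADER_DROP.search(ev["target"]):
                findings.append(("R2", ev["pid"], f"{img} dropped loader {ev['target']}"))
        elif ev["type"] == "NetworkConnect":
            if (ev["dst_ip"], ev["dst_port"]) in C2:
                tag = "hollowed compiler" if ev["pid"] in hollowed else img
                findings.append(("R4", ev["pid"], f"{tag} connected to XWorm C2 {ev['dst_ip']}:{ev['dst_port']}"))
    return findings


# Constructed events mirroring the diary's chain, plus one benign Add-Type compile.
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"   # constructed path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "image": WS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Inv-4091-CBM-4091-CUSTOM-Packing_List.js"'},
    {"type": "FileCreate", "pid": 100, "image": WS, "target": r"C:\Temp\ps_5uGUQcco8t5W_1772542824586.ps1"},
    {"type": "ProcessCreate", "pid": 200, "image": PS, "parent_image": WS,
     "cmdline": r"powershell.exe -ep bypass -f C:\Temp\ps_5uGUQcco8t5W_1772542824586.ps1"},
    {"type": "ProcessCreate", "pid": 300, "image": CSC, "parent_image": PS, "cmdline": f'"{CSC}"'},
    {"type": "ProcessCreate", "pid": 400, "image": CSC, "parent_image": PS,    # benign Add-Type
     "cmdline": rf'"{CSC}" /noconfig /fullpaths @"C:\Users\bob\AppData\Local\Temp\abc.cmdline"'},
    {"type": "NetworkConnect", "pid": 300, "image": CSC, "dst_ip": "204.10.160.190", "dst_port": 7003},
]

if __name__ == "__main__":
    for rule, pid, msg in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {msg}")
```

<p>R3 is the rule most likely to need tuning: any tooling that drives the compiler without arguments will trip it, so in production correlate it with R1/R2 in the same process tree rather than alerting on it alone. R4 fires on the C2 pair from the config regardless of the source process, which is what you want once the pair is on a blocklist.</p>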