XWorm v7 RAT: Technical Analysis of Infection Chain, C2 Protocol, and Plugin Architecture
Gurucul
BLOG
FEBRUARY 11, 2026
Threat Research
IN THIS ARTICLE
Introduction
XWorm v7 Infection Chain Overview
Stage 1: Phishing-Based Initial Access
Stage 2: JavaScript Loader and Persistence
Stage 3: In-Memory Payload Loading via PowerShell
Stage 4: RAT Initialization and C2 Communication
Technical Analysis
Configuration and Encryption
Mutex Creation
Keylogging Capability
User Activity Monitoring
System Profiling and Reconnaissance
Command-and-Control (C2) Instruction Set
Connection and Session Management
Persistence, Update, and Removal
Payload Delivery and Execution
Plugin Architecture
MITRE ATT&CK Mapping
Indicators of Compromise (IOCs)
File Hashes (SHA-256)
URLs
C2 IP Address
How Gurucul Helps Protect Customers Against XWorm
Behavioral Detection and UEBA
Advanced Threat Detection and MITRE Alignment
Detection of Living-off-the-Land Abuse
C2 Communication and Anomaly Detection
Risk-Based Alerting and Investigation
Conclusion
Introduction
XWorm is a feature-rich Remote Access Trojan (RAT) that has been actively used by cybercriminals since at least 2022. Widely distributed through underground forums and malware-as-a-service ecosystems, XWorm remains popular due to its ease of use, modular design, and extensive post-compromise capabilities. It supports credential theft, keylogging, webcam access, surveillance, DDoS operations, and even ransomware deployment through plugins.
This blog presents a technical analysis of an XWorm v7 campaign observed in the wild. The analysis covers the full infection lifecycle—from phishing-based initial access to in-memory execution, command-and-control (C2) communication, and the modular plugin framework—highlighting the techniques used to evade detection and maintain persistent access.
XWorm v7 Infection Chain Overview
The XWorm v7 infection chain is a multi-stage process that minimizes on-disk artifacts by creating a legitimate Windows process in a suspended state and performing process hollowing to inject and execute the XWorm payload in memory.
Stage 1: Phishing-Based Initial Access
The attack begins with a phishing email crafted to look like a legitimate payment confirmation. The email asks the recipient to verify order and shipping details, enticing them to open the attached ZIP archive named Swift_4200_19_01_2026.xxe.
Fig 2: Phishing email with malicious zip
Once extracted, the archive yields a malicious JavaScript file that serves as the initial loader when executed.
Stage 2: JavaScript Loader and Persistence
The extracted JavaScript file (Swift_4200_19_01_2026.js) establishes persistence by copying itself into the current user's Windows Startup directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). Anything in that folder is executed on every logon of that user, without requiring administrative rights.
Fig 3: Achieving Persistence via Startup
The script dynamically builds an obfuscated PowerShell command through string manipulation and Base64 decoding to defeat static detection. PowerShell is launched with -NoProfile and -WindowStyle Hidden and is started through Windows Management Instrumentation (WMI), so powershell.exe appears as a child of WmiPrvSE.exe rather than of the script host (wscript.exe) that actually initiated it. This broken parent-child lineage is a deliberate defense-evasion step: it keeps the console out of the user's sight and sidesteps detections keyed on a script host spawning PowerShell.
A short execution delay is added to outlast the time limits of sandbox analysis. The decoded PowerShell payload is reconstructed entirely in memory and used to download the next-stage components.
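The lineage described above is exactly what a process-creation detection should key on. The following is an added example, not code from the Gurucul write-up: it runs three rules over constructed Sysmon Event ID 1 style records (the field names pid, ppid, image, parent_image and command_line are this example's assumptions, not a vendor schema) and rebuilds the full ancestry chain for each hit, so an analyst sees svchost.exe > WmiPrvSE.exe > powershell.exe > MSBuild.exe rather than an isolated event.

```python
"""Flag the Stage 2 process lineage (WmiPrvSE.exe -> hidden PowerShell -> MSBuild.exe).

Added example, not code from the Gurucul write-up. The records below are constructed
Sysmon Event ID 1 style entries; the field names (pid, ppid, image, parent_image,
command_line) are this example's assumptions, not a vendor schema.
"""
import re

# Constructed telemetry resembling the chain described in Stages 2 and 3,
# plus one benign PowerShell launch from Explorer for contrast.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 5208, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r'powershell.exe -NoProfile -WindowStyle Hidden -Command "..."'},
    {"pid": 5300, "ppid": 5208,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 6000, "ppid": 5900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile"},
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)   # -WindowStyle Hidden / -w hidden
NOPROFILE_RE = re.compile(r"-no(?:p|profile)\b", re.IGNORECASE)       # -NoProfile / -nop
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HIGH_RULES = {"wmi_spawned_powershell", "msbuild_from_script_host"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(event: dict, by_pid: dict) -> str:
    """Walk ppid links that exist in the telemetry; fall back to parent_image at the top."""
    chain, cur, seen = [basename(event["image"])], event, {event["pid"]}
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
    if cur["ppid"] not in by_pid:
        chain.append(basename(cur["parent_image"]))
    return " > ".join(reversed(chain))

def analyze(events: list) -> list:
    """Return one finding per suspicious process, with the rules it matched and its lineage."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, parent, cmd = basename(e["image"]), basename(e["parent_image"]), e["command_line"]
        rules = []
        if img in {"powershell.exe", "pwsh.exe"}:
            if parent == "wmiprvse.exe":
                rules.append("wmi_spawned_powershell")
            if HIDDEN_RE.search(cmd) and NOPROFILE_RE.search(cmd):
                rules.append("hidden_noprofile_powershell")
        if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
            rules.append("msbuild_from_script_host")
        if rules:
            findings.append({
                "pid": e["pid"], "image": img, "rules": rules,
                "severity": "high" if HIGH_RULES & set(rules) else "medium",
                "chain": ancestry(e, by_pid),
            })
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["pid"], f["chain"], ",".join(f["rules"]))
```

Two caveats when turning this into a production rule: match on the image's original file name (Sysmon's OriginalFileName) rather than the path basename, since a renamed copy of powershell.exe defeats the name check, and expect legitimate WMI-launched PowerShell from configuration-management agents, which is why the WMI rule is combined with the hidden-window and MSBuild signals before escalating.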
Stage 3: In-Memory Payload Loading via PowerShell
The PowerShell script downloads two external resources from attacker-controlled infrastructure:
1. Decoy JPEG File
A file named optimized_MSI_lpsd9p.jpg is retrieved from a public image-hosting service. This is not steganography in the usual sense: the image data is untouched, and a Base64-encoded DLL payload is simply appended after the end of the JPEG, delimited by the custom markers BaseStart- and -BaseEnd. Image decoders stop at the end-of-image marker, so the file still opens as a valid picture.
Fig 4: In-Memory PowerShell Execution
2. Encoded Payload Configuration
A text file (us.txt) is downloaded from a secondary URL. This file contains the Base64-encoded XWorm payload along with execution configuration data. The URL itself is also Base64-encoded within the PowerShell script.
Fig 5: Decoded Payload URL and Configuration
After decoding, the configuration instructs the loader to download the payload, save it to C:\Users\Public\Downloads\ under a dynamically generated filename, and prepare it for execution.
Rather than running the RAT as a standalone executable, the DLL injects the XWorm payload into a newly spawned, suspended MSBuild.exe process using process hollowing. Because MSBuild.exe is a legitimate, Microsoft-signed binary, the malicious code runs under a trusted process image, blending into normal process listings and evading controls that key on unknown executables.
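Recovering the staged DLL from the decoy image is the first thing an analyst does with these two downloads. The following is an added example, not the loader's or XWorm's code: it carves the marker-delimited Base64 blob that sits after the JPEG's end-of-image marker and sanity-checks that the result is a PE image. The delimiters BaseStart- and -BaseEnd come from the write-up; the JPEG bytes and the PE-shaped payload are constructed here so the script runs offline.

```python
"""Carve the Base64 payload appended after a JPEG, as the Stage 3 loader does.

Added example, not the loader's or XWorm's code. The delimiters BaseStart- and -BaseEnd
come from the write-up; the JPEG bytes and the embedded PE-shaped payload are constructed
here so the script runs offline.
"""
import base64
import re
from typing import Optional

START, END = b"BaseStart-", b"-BaseEnd"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
# Base64 alphabet plus whitespace; '-' is not in it, so the lazy match stops at -BaseEnd.
BLOB_RE = re.compile(re.escape(START) + rb"([A-Za-z0-9+/=\s]+?)" + re.escape(END))

def build_fake_pe() -> bytes:
    """Constructed stand-in for the embedded DLL: a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed decoy image: minimal JFIF APP0 segment, EOI marker, then the appended blob."""
    image = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
    return image + START + base64.b64encode(payload) + END

def carve_appended_payload(data: bytes) -> Optional[bytes]:
    """Return the decoded blob found after the image's EOI marker, or None if absent/invalid."""
    eoi = data.find(JPEG_EOI)
    if data[:2] != JPEG_SOI or eoi < 0:
        return None
    m = BLOB_RE.search(data, eoi + len(JPEG_EOI))
    if not m:
        return None
    try:
        return base64.b64decode(re.sub(rb"\s", b"", m.group(1)), validate=True)
    except ValueError:           # binascii.Error subclasses ValueError
        return None

def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check that the carved bytes are a PE image (MZ header + PE signature)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

if __name__ == "__main__":
    sample = build_sample_jpeg(build_fake_pe())
    blob = carve_appended_payload(sample)
    print("carved", None if blob is None else len(blob), "bytes; PE:",
          blob is not None and looks_like_pe(blob))
```

The same carve-and-decode approach applies to us.txt: locate the Base64 span, decode it, and then inspect the configuration fields that follow the payload. In a real triage, replace build_sample_jpeg with the bytes read from the retrieved image and feed the carved DLL into a .NET disassembler rather than executing it.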
Stage 4: RAT Initialization and C2 Communication
Following successful execution, XWorm initializes its core components, extracts its configuration data, and establishes an encrypted TCP connection to its command-and-control (C2) server. At this stage, the RAT begins system profiling, surveillance, and awaits operator instructions.
Technical Analysis
Configuration and Encryption
During startup, XWorm extracts its embedded configuration, which includes the malware version, C2 address, port number, and a shared secret string (SETTINGS.KEY). All C2 communication occurs over TCP and is encrypted with AES in ECB mode.
The AES key is derived at runtime as the MD5 hash of SETTINGS.KEY. ECB is a weak choice: it uses no initialization vector, so identical plaintext blocks produce identical ciphertext blocks and structure leaks through the ciphertext, and it provides no integrity protection. It is nonetheless enough to defeat casual inspection and signature-based network monitoring. Because the key is derived from a static value stored in the configuration, an analyst who recovers SETTINGS.KEY from a sample can decrypt captured C2 traffic for that campaign.
Fig 6: Configuration File with Version, C2, Port, and Key Details
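Two practical consequences of this design are worth demonstrating: the session key falls out of the configuration with one hash call, and ECB's block reuse is visible in captured traffic even without the key. The following is an added example, not XWorm's code. The write-up states the key is MD5(SETTINGS.KEY); treating the raw 16-byte digest as an AES-128 key, the sample key string "test" and the constructed "capture" below are this example's assumptions.

```python
"""Derive XWorm's AES key from SETTINGS.KEY and test captured C2 bytes for ECB block reuse.

Added example, not XWorm's code. The write-up states the key is the MD5 of SETTINGS.KEY;
treating the raw 16-byte digest as an AES-128 key, the sample key string below and the
constructed "capture" are this example's assumptions.
"""
import hashlib
from collections import Counter
from typing import Tuple

BLOCK = 16  # AES block size in bytes

def derive_key(settings_key: str) -> bytes:
    """MD5(SETTINGS.KEY) -> 16 bytes, usable directly as an AES-128 key."""
    return hashlib.md5(settings_key.encode("ascii")).digest()

def ecb_repetition(ciphertext: bytes, block: int = BLOCK) -> Tuple[int, int]:
    """Return (repeated_blocks, total_blocks).

    ECB maps equal plaintext blocks to equal ciphertext blocks, so repeated 16-byte
    blocks in a stream are a strong tell; under CBC/CTR/GCM a repeat is vanishingly unlikely.
    """
    usable = len(ciphertext) - len(ciphertext) % block
    counts = Counter(ciphertext[i:i + block] for i in range(0, usable, block))
    repeated = sum(n - 1 for n in counts.values() if n > 1)
    return repeated, usable // block

def flags_ecb(ciphertext: bytes, min_blocks: int = 4, ratio: float = 0.1) -> bool:
    """Heuristic used on a reassembled TCP stream: enough blocks, and a meaningful share repeat."""
    repeated, total = ecb_repetition(ciphertext)
    return total >= min_blocks and repeated / total >= ratio

def constructed_capture() -> bytes:
    """Constructed stand-in for a sniffed C2 message: pseudo-random blocks, two of which recur
    (as they would when plaintext blocks such as padding or fixed field names repeat)."""
    a, b, c = (hashlib.sha256(tag).digest()[:BLOCK] for tag in (b"blk-A", b"blk-B", b"blk-C"))
    return a + b + a + c + a + b

if __name__ == "__main__":
    print("key:", derive_key("test").hex())          # "test" is a sample key string, an assumption
    print("ecb repetition:", ecb_repetition(constructed_capture()))
    print("flag:", flags_ecb(constructed_capture()))
```

With the derived key in hand, decrypting a pcap is a matter of reassembling the TCP stream and running AES-ECB decryption block by block (for example with pycryptodome's AES.new(key, AES.MODE_ECB)); the repetition heuristic is the fallback when the key is not yet known and you only want to confirm that the channel is ECB-encrypted rather than TLS.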
Mutex Creation
To ensure only a single instance runs on the victim system, XWorm creates a mutex named Ah95HVwxbUtq56pf. If the mutex already exists, execution is aborted.
Fig 7: Mutex creation
Keylogging Capability
XWorm installs a low-level keyboard hook using WH_KEYBOARD_LL, enabling it to capture keystrokes across all active applications. This allows the malware to harvest sensitive information such as usernames, passwords, and other typed data, which is cached locally for later exfiltration.
Fig 8: Keylogging using WH_KEYBOARD_LL hook
User Activity Monitoring
The `LastAct()` function runs as an infinite background routine that samples keyboard and mouse idle time once per second. This lets the operator tell when the system is in active use or idle, so that noisy actions can be timed for idle periods to reduce the chance of the user noticing.
Fig 9: Monitoring Last active time
System Profiling and Reconnaissance
XWorm gathers extensive host information during its initial reconnaissance phase, including:
File drop timestamp
Administrative privilege status
Webcam availability
CPU, GPU, and total RAM details (via WMI)
Installed antivirus products
This intelligence allows the operator to assess the victim’s security posture and tailor follow-on actions accordingly.
Fig 10: Collecting victims information
Command-and-Control (C2) Instruction Set
XWorm exposes a comprehensive command set that enables full remote control of compromised systems. Key command categories include:
Connection and Session Management
pong – Maintain connectivity and measure latency
CLOSE – Terminate the client
rec – Restart the malware after releasing its mutex
Persistence, Update, and Removal
uninstall – Remove XWorm from the system
update – Replace the current client with a newer version
Payload Delivery and Execution
DW – Write and execute a payload on disk
FM – Execute payloads directly from memory
LN – Download and execute a payload from a remote URL
plugin / savePlugin – Retrieve and load modular plugins
RemovePlugins – Delete all stored plugins
Fig 11: C2 instruction set
System Control
PCShutdown, PCRestart, PCLogoff – System power actions
RunShell – Execute arbitrary shell commands silently
Fig 12: C2 instruction set
Surveillance and Data Exfiltration
StartReport / StopReport – Control background monitoring
OfflineGet – Exfiltrate cached keylogging data
$Cap – Capture and transmit screen thumbnails
Xchat – Interactive chat with the operator
Fig 13: Sending victims logs to C2
DDoS Capabilities
StartDDos / StopDDos – Control DDoS activity
Fig 14: C2 instruction set
Plugin Architecture
XWorm’s functionality is heavily extended through a modular plugin framework. When the C2 issues a plugin command, it includes the SHA-256 hash of the required plugin DLL. The client checks whether the plugin is already present; if not, it requests the plugin using a sendplugin command.
Upon receipt, the plugin is decoded and loaded directly into memory. XWorm then uses reflection to invoke specific exported methods, including:
Run
RunRecovery
RunOptions
injRun
UACFunc
ENC / DEC
This reflective loading mechanism allows operators to rapidly extend capabilities without redeploying the core malware, significantly complicating detection and remediation.
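The plugin exchange above is a small protocol in its own right, and modelling it makes the cache behaviour concrete: a plugin is fetched once, re-used from the local store on later plugin commands, and fetched again only after RemovePlugins. The following is an added example, not XWorm's code. The command names plugin, sendplugin, savePlugin and RemovePlugins and the entry-point names come from the write-up; the message framing (lists of strings), the Base64 transport, the extra entry-point argument, the cache layout and the plugin bytes are constructed assumptions, and reflective invocation of the DLL is only recorded, never performed.

```python
"""Model the plugin fetch described above: the C2 names a plugin by SHA-256, the client
serves it from its local cache or asks for it with sendplugin, and savePlugin delivers it.

Added example, not XWorm's code. The command names (plugin, sendplugin, savePlugin,
RemovePlugins) and entry-point names come from the write-up; the message framing
(lists of strings), the Base64 transport, the cache layout and the plugin bytes are
constructed assumptions. Reflective invocation of the DLL is only recorded, never performed.
"""
import base64
import hashlib

ENTRY_POINTS = ("Run", "RunRecovery", "RunOptions", "injRun", "UACFunc", "ENC", "DEC")

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

class Client:
    """Victim-side plugin handling."""
    def __init__(self):
        self.cache = {}      # sha256 hex -> plugin bytes (XWorm keeps plugins locally)
        self.loaded = []     # (digest, entry point) pairs that would have been invoked
        self.outbox = []     # messages queued for the C2
        self.rejected = []   # deliveries whose bytes did not match the advertised hash

    def handle(self, msg: list) -> None:
        cmd, args = msg[0], msg[1:]
        if cmd == "plugin":
            digest, entry = args[0].lower(), args[1]
            if digest in self.cache:
                self._load(digest, entry)               # cache hit: nothing goes on the wire
            else:
                self.outbox.append(["sendplugin", digest])
        elif cmd == "savePlugin":
            digest, blob = args[0].lower(), base64.b64decode(args[1])
            # Integrity check against the advertised hash. The write-up does not say whether
            # XWorm verifies deliveries; a client that skips this caches whatever it is sent.
            if sha256_hex(blob) != digest:
                self.rejected.append(digest)
                return
            self.cache[digest] = blob
            self._load(digest, args[2])
        elif cmd == "RemovePlugins":
            self.cache.clear()

    def _load(self, digest: str, entry: str) -> None:
        # Real client: decode, Assembly.Load from memory, then reflectively call `entry`.
        if entry not in ENTRY_POINTS:
            raise ValueError(f"unknown plugin entry point {entry!r}")
        self.loaded.append((digest, entry))

def operator_session(plugin_blob: bytes, entry: str = "Run"):
    """Drive the C2 side of the exchange; return the client and an ordered transcript."""
    digest, client, transcript = sha256_hex(plugin_blob), Client(), []

    def send(msg):
        transcript.append(("c2->client", msg[0]))
        client.handle(msg)
        while client.outbox:
            reply = client.outbox.pop(0)
            transcript.append(("client->c2", reply[0]))
            if reply[0] == "sendplugin":                 # C2 answers the request with the bytes
                send(["savePlugin", reply[1], base64.b64encode(plugin_blob).decode(), entry])

    send(["plugin", digest, entry])   # miss -> sendplugin -> savePlugin -> load
    send(["plugin", digest, entry])   # hit: loaded from cache, no network round trip
    send(["RemovePlugins"])           # operator wipes the local store
    send(["plugin", digest, entry])   # miss again -> full fetch
    return client, transcript

if __name__ == "__main__":
    client, transcript = operator_session(b"constructed plugin bytes, not a real DLL")
    for direction, cmd in transcript:
        print(direction, cmd)
    print("loaded:", len(client.loaded), "cached:", len(client.cache))
```

For defenders the useful consequence is that the plugin DLL crosses the wire at most once per host until RemovePlugins, so network-side detection of plugin delivery is rare by design and memory forensics (looking for in-memory .NET assemblies with the entry-point names above, backed by no file) is the more reliable place to catch it.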
Observed plugins include:
ProcessManager.dll – Process enumeration
RemoteDesktop.dll – Interactive remote access
WindowsUpdate.dll – Browser credential and Windows product key theft
Programs.dll – Installed application enumeration
ServiceManager.dll – Service enumeration
The profiling data collected during reconnaissance is concatenated into a single string and sent to the C2 server together with a Client ID. The Client ID is derived from ProcessorCount, UserName, MachineName and OSVersion, values that do not change across reboots, so the operator can recognize a returning host.
Fig 15: Generating Victims unique ID
Once the client has connected to the C2 server, all further communication is a command-based protocol over the same TCP channel: the server sends commands and the client answers in kind, with every message encrypted under the AES-ECB scheme described in Configuration and Encryption above.
Fig 16:Encrypted TCP traffic between XWorm client and C2 server
MITRE ATT&CK Mapping
Tactic | Technique ID | Technique Name | Observed Activity
--- | --- | --- | ---
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Phishing email delivers a malicious ZIP file containing the JS loader
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript | Malicious JavaScript file used as the initial loader
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Obfuscated PowerShell executed in memory with -NoProfile and a hidden window
Execution | T1047 | Windows Management Instrumentation | PowerShell launched via WMI (child of WmiPrvSE.exe)
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | JS file copied to the user's Startup folder
Defense Evasion | T1027 | Obfuscated Files or Information | PowerShell command built through string manipulation and Base64 decoding
Defense Evasion | T1055.012 | Process Injection: Process Hollowing | Payload injected into a suspended MSBuild.exe process and executed after memory replacement
Defense Evasion | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Hollowed MSBuild.exe hosts the RAT under a signed Microsoft process image
Defense Evasion | T1620 | Reflective Code Loading | Payload and plugins decoded and executed in memory without dropping a standard executable
Credential Access | T1056.001 | Input Capture: Keylogging | Low-level keyboard hook (WH_KEYBOARD_LL) used for keystroke logging
Discovery | T1082 | System Information Discovery | OS version, RAM, CPU, GPU, and admin rights collected
Discovery | T1518.001 | Software Discovery: Security Software Discovery | Antivirus products enumerated via WMI
Discovery | T1124 | System Time Discovery | User activity and idle time monitored
Collection | T1113 | Screen Capture | Screenshot and thumbnail capture via the $Cap command
Command and Control | T1095 | Non-Application Layer Protocol | Custom command protocol over raw TCP
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | C2 traffic AES-ECB encrypted with a key derived from MD5(SETTINGS.KEY)
Command and Control | T1105 | Ingress Tool Transfer | Plugins and payloads downloaded from the C2
Impact | T1499 | Endpoint Denial of Service | DDoS commands supported (StartDDos, StopDDos)
Impact | T1529 | System Shutdown/Reboot | System shutdown, restart, and logoff commands
Indicators of Compromise (IOCs)
File Hashes (SHA-256)
SHA-256 | File name
--- | ---
de7d74d374a4422c5084280ff71f7942d61f35c271df7d5af01bdd756d0f630b | Swift_4200_19_01_2026.js
3f4c3c16f63fb90d1fd64b031d8a9803035f3cb18332e198850896881fb42fe5 | optimized_MSI_lpsd9p.jpg
c3bfedae725f159691c203d1f0cdbb9a5cf42777e3d681f923e83e1d1bc74c0f | us.txt
4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4 | Microsoft.Win32.TaskScheduler.dll
eacd8e95ead3ffe2c225768ef6f85672c4bfdf61655ed697b97f598203ef2cf6 | XWormClient.exe
URLs
hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg
hxxps://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/us.txt
C2 IP Address
158[.]94[.]209[.]180
How Gurucul Helps Protect Customers Against XWorm
Gurucul’s Unified Security and Risk Analytics platform provides multiple layers of detection and response capabilities that are well-aligned to the techniques leveraged by XWorm v7. By combining behavior-based analytics, UEBA, and advanced threat detection, Gurucul enables security teams to identify early-stage intrusion activity and post-compromise behaviors through correlated endpoint, identity, and network analytics that traditional signature-based controls often miss.
Behavioral Detection and UEBA
XWorm relies heavily on abnormal process relationships, user behavior anomalies, and misuse of legitimate system utilities. Gurucul UEBA continuously baselines normal user and host behavior and can detect:
Abnormal parent-child process chains such as WmiPrvSE.exe spawning PowerShell or MSBuild
Unusual use of scripting engines (JavaScript and PowerShell) by non-administrative users
Suspicious persistence mechanisms involving Startup folders
Deviations in user activity patterns, including unexpected background activity during idle periods
These behaviors generate risk signals that are aggregated into a contextual risk score, allowing analysts to prioritize investigation of high-risk entities.
Advanced Threat Detection and MITRE Alignment
Gurucul threat models aligned with the MITRE ATT&CK framework map directly to XWorm techniques such as Phishing: Spearphishing Attachment (T1566.001), Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001), Input Capture: Keylogging (T1056.001), and Encrypted Channel (T1573). This alignment enables security teams to quickly understand attacker intent and identify coverage gaps across the attack lifecycle.
Detection of Living-off-the-Land Abuse
XWorm’s abuse of trusted Windows binaries such as PowerShell, WMI, and MSBuild is a classic living-off-the-land (LOLBins) technique. Gurucul correlates command-line telemetry, process execution context, and network behavior to detect misuse of these binaries, even when no malicious executable is dropped on disk.
C2 Communication and Anomaly Detection
Even though XWorm encrypts its C2 traffic, Gurucul can identify suspicious outbound connections through:
Detection of rare or first-seen external destinations
Abnormal long-lived TCP sessions from endpoints
Encrypted traffic patterns inconsistent with legitimate applications
These signals help surface covert C2 channels that evade traditional network security tools.
Risk-Based Alerting and Investigation
Rather than generating isolated alerts, Gurucul aggregates multiple weak signals—process anomalies, persistence behaviors, credential access activity, and data exfiltration—into a single risk-based alert. This reduces alert fatigue and provides analysts with clear, actionable context for rapid investigation and response.
By leveraging behavior-driven analytics and continuous risk scoring, Gurucul enables customers to detect, investigate, and respond to sophisticated RAT activity such as XWorm v7 early in the attack chain, significantly reducing dwell time and potential impact.
Conclusion
XWorm v7 demonstrates how modern commodity RATs continue to evolve by combining social engineering, living-off-the-land binaries, fileless execution, and modular plugin-based architectures. Despite relying on relatively simple cryptography, its operational tradecraft is sufficient to evade many traditional defenses.
Defenders should closely monitor anomalous parent-child process relationships (such as WMI-spawned PowerShell), abuse of MSBuild, and network connections originating from trusted Windows utilities. The continued prevalence of XWorm underscores the importance of layered detection strategies that go beyond signature-based controls.
Contributors:
Pandurang Terkar
Rudra Pratap