XWorm V31 Updated
: Provides a virtual network computing interface for real-time visual control of the victim's screen.
Keylogging
Injects its malicious payload into legitimate Windows processes (such as svchost.exe or RegAsm.exe) to hide in plain sight.
The majority of XWorm infections begin with phishing emails. Attackers craft emails disguised as payment detail requests, purchase orders requiring acknowledgment, signed bank documents, fake invoices, receipts, and package delivery notifications. These lures are tailored to specific industries and languages, which indicates a degree of operational sophistication.
[ Compromised Host ]
        │
        ▼ (Sends System Fingerprint via TCP)
[ Command & Control Server (C2) ]
        │
        ▼ (Validates Host and Pushes AES-Encrypted Plugins)
[ In-Memory Assembly Loading ] ──► (Executes Keylogger, Stealer, or Ransomware)
: Identify outgoing traffic to known MaaS Command and Control (C2) infrastructure by monitoring for the specific hash-based identification sequences used by XWorm clients.
*Note: IOCs for MaaS
: This version was noted for including hardcoded cryptocurrency addresses. It monitors the victim's clipboard for crypto wallet strings and replaces them with the attacker's address to reroute transactions.
Attackers send targeted emails, often disguised as financial documents, work requests, or invoice inquiries (e.g., "MFEQuotation Work request").