Xworm V31 Updated 📢
While older RATs relied on hardcoded C2 (Command & Control) IPs, v3.1 implements a time-based Domain Generation Algorithm.
If you suspect an infection, look for these specific IoCs related to v3.1. Note: These change rapidly, but the behavioral patterns remain.
File Hashes (Sample SHA256 from live analysis):
Registry Keys:
Network Artifacts:
Process Anomalies:
Executive Summary
XWorm is a Malware-as-a-Service (MaaS) tool widely advertised on underground forums. While earlier versions were notorious for their aggressive spread via USB infections, version 3.1 marks a strategic pivot. The author, known online as "Builder" or "xWorm," has shifted focus away from self-propagation toward a stealthier, more stable, and feature-rich Remote Access Trojan (RAT) designed for data exfiltration and payload delivery.
This version is primarily distributed via phishing campaigns and "malvertisement" links (e.g., fake download sites for CrackLink, MediaFire, or gaming cheats).
XWorm v3.1 now ships with an integrated, encrypted payload stager dubbed "Crypsi". The initial dropper contains zero malicious strings. It downloads the main payload via legitimate-looking HTTPS requests to Google Drive, Discord CDN, or even GitHub Gists. Crypsi dynamically decrypts the payload using AES-256 with a key derived from the victim's MachineGUID, creating a unique binary per infection.
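One defender-side check that follows from this description, as an added example that is not part of the original page: a small Python correlator run over constructed endpoint telemetry that flags a process which both contacts one of the named file-hosting services and reads the MachineGuid registry value. The hostnames, the log format and the benign-process allowlist are assumptions.

```python
# Added example (not from the page): correlate process telemetry to surface the
# stager behaviour described above: a download from a file-hosting CDN followed
# by a read of the MachineGuid value that the page says seeds the AES key.

# Hosts standing in for the services the page names; the exact hostnames are assumptions.
STAGING_HOSTS = {"drive.google.com", "cdn.discordapp.com", "gist.githubusercontent.com"}
# Real registry value that holds the per-machine GUID.
MACHINE_GUID_KEY = r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid".lower()
# Processes expected to touch these hosts legitimately (assumed allowlist, tune per estate).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}

# Constructed sample telemetry, one event per line: pid|image|event|detail
SAMPLE_LOG = r"""
4120|svchost_upd.exe|net_connect|cdn.discordapp.com:443
4120|svchost_upd.exe|reg_read|HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
5550|Discord.exe|net_connect|cdn.discordapp.com:443
5550|Discord.exe|reg_read|HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
6601|setup.exe|reg_read|HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
6601|setup.exe|net_connect|update.example.com:443
"""


def parse_events(text):
    """Parse pid|image|event|detail lines into (pid, image, event, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        pid, image, event, detail = line.split("|", 3)
        events.append((int(pid), image.lower(), event, detail))
    return events


def find_stager_candidates(events):
    """Return PIDs of non-allowlisted processes that hit a staging host and read MachineGuid."""
    hit_cdn, read_guid, images = set(), set(), {}
    for pid, image, event, detail in events:
        images[pid] = image
        if event == "net_connect":
            host = detail.rsplit(":", 1)[0].lower()
            if host in STAGING_HOSTS:
                hit_cdn.add(pid)
        elif event == "reg_read" and detail.lower() == MACHINE_GUID_KEY:
            read_guid.add(pid)
    # Both behaviours in one process is the signal; known browsers/clients are excluded.
    return sorted(pid for pid in hit_cdn & read_guid if images[pid] not in EXPECTED_IMAGES)


if __name__ == "__main__":
    print(find_stager_candidates(parse_events(SAMPLE_LOG)))  # → [4120]
```

This is a low-fidelity heuristic (many legitimate programs read MachineGuid), so treat a hit as a triage lead rather than a verdict.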