XWorm V31 Updated

The information stealer module has been overhauled to target modern applications:

Upon detection, it swaps the victim’s address with the attacker’s address instantly.

Version 3.1 is known for its "effective simplicity" and broad feature set:

XWorm v3.1 is rarely delivered via zero-click exploits. Instead, attackers rely on social engineering. The most common vectors in Q2 2025 include:

Furthermore, source code leaks of previous versions have led to dozens of forks, including (focused on banking trojans) and XWorm-Dark (ransomware delivery system).

While not new to RATs, v31 updates its targeting list. It now monitors the clipboard for regex patterns matching:

The represents a significant refinement of its predecessor, focusing on:

Beyond just spying, the latest XWorm variant includes modules that allow it to encrypt files on the infected machine, making it a hybrid threat that combines spyware with extortion.

5. DDoS and Further Exploitation

First, disconnect the infected machine from the network to prevent the malware from spreading to other systems or communicating with its C2 server. This step also prevents further data exfiltration.

As of early 2026, the threat landscape continues to evolve rapidly, with modular malware-as-a-service (MaaS) tools remaining a primary concern for cybersecurity professionals. Among these, has maintained its status as a top-tier Remote Access Trojan (RAT) due to frequent updates and a robust feature set. Recent analysis of the updated XWorm V31 (often seen in campaigns alongside version 7.2 components in 2026) demonstrates significant improvements in evasion, persistence, and data exfiltration techniques.

Deploy EDR solutions capable of detecting fileless malware and process injection techniques (process hollowing).