The URLhaus database, which tracks malware distribution URLs, has documented multiple instances of this file being used to serve XWorm malware. The file was reported to URLhaus on November 1, 2024, and remained online until takedown in January 2025—a period of over two months during which it was potentially available for download.
Malicious attachments (e.g., fake invoices disguised as PDFs or ISO images) containing the XWorm executable.
XWorm-5.6-main.zip
The malware often attempts to detect virtual environments and can be configured to remain persistent on the host machine.
Remote Command Execution:
XWorm-5.6 records every keystroke, including passwords, usernames, and credit card numbers, which are then exfiltrated to the attacker.
Technical Analysis of the Zip Archive
To defend against threats like XWorm, organizations should implement a defense-in-depth strategy:
Uses the victim's network infrastructure to route malicious traffic, hiding the attacker's true location.