XWorm
Also known as: X-Worm, XWorm RAT
XWorm is a .NET remote access trojan sold as Malware-as-a-Service since 2022, developed by an author known as "XCoder". It went through rapid iteration from v2 through v5.6 before the developer abandoned the project in late 2024. Cracked copies of v5.6 flooded underground channels, and a critical remote code execution flaw was found in the server component that let anyone who knew the encryption key run code on the operator's own C2 host. A v6.0 release appeared in June 2025, described as "fully re-coded" with the RCE patched; cracked copies of v6 followed within weeks.
The C2 channel is raw TCP, with each message encrypted using AES in ECB mode. The key is derived from the MD5 hash of a mutex string set in the sample's configuration (the 16-byte digest is duplicated to fill a 32-byte key, as the Neptune RAT analysis below describes), so an analyst who extracts the mutex from a sample can decrypt every message that sample exchanged. Commands and parameters are separated by a distinctive delimiter. The protocol is stateless: the server keeps no per-client state between messages, so each captured message can be decoded on its own. Plugins are delivered as .NET DLLs identified by SHA-256 hash and loaded directly into memory via reflection rather than from a file on disk.
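The following is an added example, not XWorm's code and not taken from any of the analyses cited below. It reimplements the message layer described above in Go (chosen because its standard library ships AES and MD5 with no third-party dependency): derive the key from the mutex, AES-ECB encrypt a delimiter-joined command, decode a captured message, and show why ECB leaks structure. Assumptions: the delimiter constant is a placeholder, not the real token; the key is the digest concatenated with itself; padding is PKCS#7; no TCP framing is modelled. The mutex and command strings are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// Delimiter stands in for the token XWorm places between a command and its
// parameters. It is an assumption for this example, not the real separator.
const Delimiter = "<DELIM>"

// DeriveKey builds the AES key the way the page describes: MD5 of the
// configured mutex string, with the 16-byte digest duplicated to 32 bytes,
// which selects AES-256. Exact byte layout is an assumption here.
func DeriveKey(mutex string) []byte {
	digest := md5.Sum([]byte(mutex))
	key := make([]byte, 32)
	copy(key[:16], digest[:])
	copy(key[16:], digest[:])
	return key
}

// pkcs7Pad returns a padded copy so the buffer is a whole number of blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	out := make([]byte, len(data)+n)
	copy(out, data)
	copy(out[len(data):], bytes.Repeat([]byte{byte(n)}, n))
	return out
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailers.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptECB encrypts with AES-ECB. Go's standard library deliberately offers
// no ECB helper, so each 16-byte block is run through the raw cipher on its
// own. That independence is the weakness: equal plaintext blocks always give
// equal ciphertext blocks.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// DecryptECB reverses EncryptECB and validates length and padding.
func DecryptECB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext) == 0 || len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(out[i:i+bs], ciphertext[i:i+bs])
	}
	return pkcs7Unpad(out, bs)
}

// BuildMessage joins a command and its parameters with the delimiter and
// encrypts the result; a stateless sender needs nothing more.
func BuildMessage(key []byte, command string, params ...string) ([]byte, error) {
	fields := append([]string{command}, params...)
	return EncryptECB(key, []byte(strings.Join(fields, Delimiter)))
}

// ParseMessage decrypts a single captured message and splits it back into
// command and parameters. No session context is needed because the protocol
// carries no per-client state.
func ParseMessage(key, msg []byte) (string, []string, error) {
	plain, err := DecryptECB(key, msg)
	if err != nil {
		return "", nil, err
	}
	fields := strings.Split(string(plain), Delimiter)
	return fields[0], fields[1:], nil
}

// SharedLeadingBlocks counts leading 16-byte ciphertext blocks two messages
// have in common. Under ECB this equals the number of identical leading
// plaintext blocks, a pattern visible in a capture without the key.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	// Constructed sample data; the mutex and command names are illustrative.
	key := DeriveKey("sample-mutex-string")
	msg, err := BuildMessage(key, "PING", "victim-host", "v6.0")
	if err != nil {
		panic(err)
	}
	cmd, params, err := ParseMessage(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("command=%q params=%q\n", cmd, params)

	// Two messages sharing their first 32 plaintext bytes share two
	// ciphertext blocks under ECB.
	prefix := strings.Repeat("A", 16) + strings.Repeat("B", 16)
	a, _ := EncryptECB(key, []byte(prefix+"different tail 1"))
	b, _ := EncryptECB(key, []byte(prefix+"different tail 2"))
	fmt.Println("shared leading ciphertext blocks:", SharedLeadingBlocks(a, b))
}
```

The practical use is the second half of main: repeated ciphertext blocks across messages from the same implant are a key-independent fingerprint of an ECB channel, and once the mutex is pulled from a sample, ParseMessage decodes any single message from a PCAP with no need to reconstruct the session.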
XWorm's capabilities go well beyond typical RAT functionality: keylogging, screen and webcam capture, credential theft from 35+ browsers and applications, a clipboard hijacker that swaps cryptocurrency addresses, USB spreading, DDoS attacks, and a ransomware module with code overlap from NoCry. The plugin architecture supports 50+ extensions in the latest versions. It can also flag itself as a Windows critical process, so terminating it crashes the machine with a blue screen; responders should suspend the process or clear that flag before killing it.
Delivery relies on phishing with business-themed lures (invoices, shipping documents, banking receipts), ClickFix fake CAPTCHA pages, and a wide mix of file formats including Office exploits, LNK files, VHD containers, and steganography with payloads hidden in images on legitimate hosting services. XWorm is part of a broader .NET commodity RAT ecosystem: Neptune RAT is a confirmed code derivative sharing the same encryption routine, and XWorm is regularly co-deployed with AsyncRAT, Quasar, and VenomRAT through shared crypter services.
Linked Threat Actors
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 33 |
| Apr 13, 2026 | 17 |
| Apr 12, 2026 | 13 |
| Apr 11, 2026 | 17 |
| Apr 10, 2026 | 17 |
| Apr 9, 2026 | 20 |
| Apr 8, 2026 | 11 |
Further Reading
CERT Polska's thorough reverse-engineering of XWorm internals. Covers config extraction, AES-ECB encryption (MD5 mutex key), full C2 command list, and plugin loading.
Deep dive into v6's 35+ plugin architecture including ransomware module (NoCry overlap), credential theft covering 35+ apps, HVNC, and webcam streaming.
Best coverage of v6 defense evasion: AMSI bypass via clr.dll patching, ETW blinding, critical process self-protection, and COM hijacking persistence.
Catalogs delivery format diversity (PowerShell, VBS, .NET, JS, HTA, LNK, ISO, VHD, Office macros). AES-encrypted stagers and process injection techniques. Includes Splunk detection rules.
Full infection chain: XLAM exploit (CVE-2018-0802) to HTA to JScript/PowerShell, steganography via Cloudinary-hosted JPG, process hollowing into MSBuild.exe.
Real-world dual-payload campaign (XWorm v2.2 + v3.1 with AgentTesla). Covers weaponized Word docs, AMSI bypass, Defender disabling, and .NET loader analysis.
Multi-stage chain targeting Brazilian users via fake banking receipts. Steganography, Cloudinary abuse, and a .NET persistence module using Task Scheduler COM APIs.
Proves code lineage -- Neptune RAT V1 shares the exact same AES-ECB encryption routine (MD5-hashed mutex duplicated to 32-byte key). Shows how XWorm's code propagates.
Novel obfuscation using meme-filled variable names in PowerShell. Exploits Follina (CVE-2022-30190). Linked to TA558 TTPs. Targeted German manufacturing and healthcare.
Covers v7's full lifecycle from phishing through process hollowing, TCP C2 protocol details, AES-ECB command encryption, and the 50+ plugin framework.