{
	"id": "c96739a0-a494-4014-851f-0906062a4e25",
	"created_at": "2026-04-06T00:13:29.693647Z",
	"updated_at": "2026-04-10T03:20:17.061462Z",
	"deleted_at": null,
	"sha1_hash": "5f4e049f5c90babd7e1fcde41ee16ca49dcb99cf",
	"title": "Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4298452,
	"plain_text": "Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies\r\nPublished: 2024-11-28 · Archived: 2026-04-05 15:03:33 UTC\r\nTABLE OF CONTENTS\r\nFinding XWorm in the Wild With Hunt\r\nExposing XWorm's Disguises\r\nConclusion\r\nNetwork Observables\r\nOpen directories, often left exposed due to poor operational security, have become a valuable source of intelligence on threat actor behavior. Recently, XWorm, a well-reported remote access trojan (RAT), has been identified in these directories, disguised as common software like web browsers, security tools, and file transfer apps, aiming to trick unsuspecting users.\r\nIn this blog post, we will:\r\nExamine Open Directories as Intelligence Sources: Analyze how threat actors misuse open directories to deliver XWorm, providing valuable insights into their targeting and operational behavior.\r\nUncover Malware Disguises and Tactics: Detail how XWorm is disguised as popular software, exposing the deceptive techniques used to trick potential victims.\r\nFinding XWorm in the Wild With Hunt\r\nAttackCapture™ in Hunt offers a comprehensive list of open directories, paired with a versatile tagging system that simplifies determining whether a server is malicious. Users can filter across 50+ tags, spanning malware families like XWorm, MITRE ATT\u0026CK techniques, and even legitimate tools abused by threat actors. These tags are derived from dynamic analysis performed using Hatching Triage, providing high-confidence categorization based on observed behaviors and attributes of the files.\r\nIn this post, we'll utilize the XWorm tag to identify new and historical RAT instances hosted in open directories. This approach helps paint a clearer picture of the distribution strategies used over time, providing valuable insight into attacker behavior.\r\nhttps://hunt.io/blog/uncovering-threat-actor-tactics-xworm-delivery-strategies\r\nPage 1 of 9\r\nFigure 1: \"XWorm\" tag search results in AttackCapture™ (Hunt).\r\nThese search results serve as a starting point for further analysis. Each entry can yield meaningful intelligence: identifying recurring infrastructure, correlating shared file names, or tracking shifts in adversary tactics.\r\nNext, we'll examine specific examples of how XWorm is delivered through open directories. These recent findings provide a snapshot of attacker tactics, showing how XWorm is disguised as popular software to deceive users seeking legitimate downloads.\r\nExposing XWorm's Disguises\r\nCase Example: 103.230.121[.]82 - SecurityHealthService.exe\r\nOur first server, 103.230.121[.]82, hosted in Thailand on the Bangmod Enterprise Co., Ltd. network, contained only a single file: SecurityHealthService.exe.\r\nFigure 2: Directory contents of 103.230.121[.]82 (Hunt).\r\nNamed after a legitimate Windows component used to manage system health settings, such as antivirus and firewall status, the file was likely intended to blend in with typical operating system software and avoid suspicion.\r\nReviewing the IP address overview revealed that this server shared SSH keys (Fingerprint: 4b135301d2bcef2a32ae5f3e035b7df1e76d4b288f7cda69784d95ee860e3ad7) with over 100 other servers, many of which were on the same ASN. While this does not necessarily indicate that all these IPs are malicious, it represents an interesting pattern that warrants further investigation.\r\nFigure 3: Associations page showing servers sharing the same SSH key (Hunt).\r\nCase Example: 158.247.200[.]45:80 \u0026 :443 - chrome.exe\r\nHosted in South Korea and part of The Constant Company, LLC network, 158.247.200[.]45 reveals signs that the actor may still be in a testing phase. This assumption is primarily based on file names in the directory, such as test.exe and test2.bat, which suggest ongoing experimentation.\r\nFigure 4: Screenshot of files on 158.247.200[.]45 (Hunt).\r\nThe directory also contains chrome.exe and chrome.bat, which are likely intended to mimic the Google Chrome browser. Further analysis of chrome.exe in VirusTotal shows that the file has also been uploaded as svchost.exe, another well-known Windows process often used to blend in.\r\nFigure 5: Snippet of VirusTotal Details showing the different filenames for the XWorm sample (VirusTotal).\r\nMany files discovered through AttackCapture™ can be inspected directly without downloading. For example, chrome.bat, shown in Figure 6, appears designed to disable Windows Defender, likely in preparation for executing chrome.exe. Notably, the script contains comments in the Korean language, offering further evidence of the possible origin of the threat actor.\r\nFigure 6: Contents of chrome.bat, including Korean language comments.\r\nCase Example: 216.173.64[.]63:4646 - pdf.bat\r\nWhile AttackCapture™ includes over 300 XWorm samples available for download, we've chosen to focus on a select few that provide unique insights into attacker behavior. Users are encouraged to explore the entire collection in Hunt for a deeper dive.\r\nNotable filenames among the samples include uidiscord.exe, JavaX-Helper.exe, and Updater.exe, each reflecting a common theme of disguising malicious payloads as trusted software.\r\nThe final server of interest, 216.173.64[.]63, is hosted by Evoxt Enterprise in the United States. This IP recently drew the attention of researcher Karol Paciorek, who reported its involvement in a scam promoting fake gift cards. Upon closer inspection, these gift cards were merely shortcuts that downloaded a batch script concealing XWorm.\r\nThe malware then leveraged the compromised system to exfiltrate data directly to a Telegram account.\r\nFigure 7: Snippet of the pdf.bat file from the XWorm associated open directory (Hunt).\r\nConclusion\r\nWhile this post focused on XWorm, examining open directories provides broader insights into how attackers stage and distribute malware. These directories, often unintentionally exposed, reveal the tactics used to disguise malicious files as legitimate software to deceive users. Understanding these tactics helps defenders better detect, mitigate, and respond to such threats.\r\nDefense Recommendations:\r\nMonitor for External Open Directories: Use internet intelligence tools to monitor for open directories that might host malicious files targeting your organization or its supply chain.\r\nFile Reputation and Whitelisting: Employ reputation services like VirusTotal and implement application allowlisting to prevent unverified or suspicious executables from running.\r\nStrengthen Endpoint Defense: Ensure Endpoint Detection and Response (EDR) solutions are in place and tuned to detect typical behaviors of malicious scripts, such as disabling security features or using misleading filenames.\r\nNetwork Observables\r\nIP Address | Hosting Country | ASN | XWorm Filename | Notes\r\n158.247.200[.]45:443 | KR | The Constant Company, LLC | chrome.exe | Likely meant to dupe users looking to download the Google Chrome browser.\r\n216.173.64[.]63:4646 | CN | Evoxt Enterprise | US | Part of a previous phishing campaign delivering gift cards which in reality were XWorm.\r\n103.230.121[.]82 | TH | Bangmod Enterprise Co., Ltd. | SecurityHealthService.exe | Spoofs the legit Windows process responsible for handling notifications about the security health of a system.\r\nSource: https://hunt.io/blog/uncovering-threat-actor-tactics-xworm-delivery-strategies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/uncovering-threat-actor-tactics-xworm-delivery-strategies"
	],
	"report_names": [
		"uncovering-threat-actor-tactics-xworm-delivery-strategies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f4e049f5c90babd7e1fcde41ee16ca49dcb99cf.pdf",
		"text": "https://archive.orkl.eu/5f4e049f5c90babd7e1fcde41ee16ca49dcb99cf.txt",
		"img": "https://archive.orkl.eu/5f4e049f5c90babd7e1fcde41ee16ca49dcb99cf.jpg"
	}
}