Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

Published: 2024-11-28 · Archived: 2026-04-05 15:03:33 UTC

TABLE OF CONTENTS
- Finding XWorm in the Wild With Hunt
- Exposing XWorm's Disguises
- Conclusion
- Network Observables

Open directories, often left exposed due to poor operational security, have become a valuable source of intelligence on threat actor behavior. Recently, XWorm, a well-reported remote access trojan (RAT), has been identified in these directories disguised as common software such as web browsers, security tools, and file transfer apps, aiming to trick unsuspecting users.

In this blog post, we will:
- Examine Open Directories as Intelligence Sources: Analyze how threat actors misuse open directories to deliver XWorm, providing valuable insights into their targeting and operational behavior.
- Uncover Malware Disguises and Tactics: Detail how XWorm is disguised as popular software, exposing the deceptive techniques used to trick potential victims.

Finding XWorm in the Wild With Hunt

AttackCapture™ in Hunt offers a comprehensive list of open directories, paired with a versatile tagging system that simplifies determining whether a server is malicious. Users can filter across 50+ tags, spanning malware families like XWorm, MITRE ATT&CK techniques, and even legitimate tools abused by threat actors. These tags are derived from dynamic analysis performed using Hatching Triage, providing high-confidence categorization based on observed behaviors and attributes of the files.

In this post, we'll use the XWorm tag to identify new and historical RAT instances hosted in open directories. This approach helps paint a clearer picture of the distribution strategies used over time, providing valuable insight into attacker behavior.

https://hunt.io/blog/uncovering-threat-actor-tactics-xworm-delivery-strategies

Figure 1: "XWorm" tag search results in AttackCapture™ (Hunt).
These search results serve as a starting point for further analysis. Each entry can yield meaningful intelligence: identifying recurring infrastructure, correlating shared file names, or tracking shifts in adversary tactics.

Next, we'll examine specific examples of how XWorm is delivered through open directories. These recent findings provide a snapshot of attacker tactics, showing how XWorm is disguised as popular software to deceive users seeking legitimate downloads.

Exposing XWorm's Disguises

Case Example: 103.230.121[.]82 - SecurityHealthService.exe

Our first server, 103.230.121[.]82, hosted in Thailand on the Bangmod Enterprise Co., Ltd. network, contained only a single file: SecurityHealthService.exe.

Figure 2: Directory contents of 103.230.121[.]82 (Hunt).

Named after a legitimate Windows component that manages system health settings, such as antivirus and firewall status, the file was likely intended to blend in with typical operating system software and avoid suspicion.

Reviewing the IP address overview revealed that this server shared SSH keys (fingerprint: 4b135301d2bcef2a32ae5f3e035b7df1e76d4b288f7cda69784d95ee860e3ad7) with over 100 other servers, many of which were on the same ASN. While this does not necessarily indicate that all of these IPs are malicious, it is an interesting pattern that warrants further investigation.

Figure 3: Associations page showing servers sharing the same SSH key (Hunt).

Case Example: 158.247.200[.]45:80 & :443 - chrome.exe

Hosted in South Korea and part of The Constant Company, LLC network, 158.247.200[.]45 shows signs that the actor may still be in a testing phase. This assessment is based primarily on file names in the directory, such as test.exe and test2.bat, which suggest ongoing experimentation.
Figure 4: Screenshot of files on 158.247.200[.]45 (Hunt).

The directory also contains chrome.exe and chrome.bat, which are likely intended to mimic the Google Chrome browser. Further analysis of chrome.exe in VirusTotal shows that the file has also been uploaded as svchost.exe, another well-known Windows process name often used to blend in.

Figure 5: Snippet of VirusTotal details showing the different filenames for the XWorm sample (VirusTotal).

Many files discovered through AttackCapture™ can be inspected directly without downloading. For example, chrome.bat, shown in Figure 6, appears designed to disable Windows Defender, likely in preparation for executing chrome.exe. Notably, the script contains comments in Korean, offering further evidence of the threat actor's possible origin.

Figure 6: Contents of chrome.bat, including Korean language comments.

Case Example: 216.173.64[.]63:4646 - pdf.bat

While AttackCapture™ includes over 300 XWorm samples available for download, we've chosen to focus on a select few that provide unique insights into attacker behavior. Users are encouraged to explore the entire collection in Hunt for a deeper dive. Notable filenames among the samples include uidiscord.exe, JavaX-Helper.exe, and Updater.exe, each reflecting a common theme of disguising malicious payloads as trusted software.

The final server of interest, 216.173.64[.]63, is hosted by Evoxt Enterprise in the United States. This IP recently drew the attention of researcher Karol Paciorek, who reported its involvement in a scam promoting fake gift cards. Upon closer inspection, these gift cards were merely shortcuts that downloaded a batch script concealing XWorm.
The malware then leveraged the compromised system to exfiltrate data directly to a Telegram account.

Figure 7: Snippet of the pdf.bat file from the XWorm-associated open directory (Hunt).

Conclusion

While this post focused on XWorm, examining open directories provides broader insight into how attackers stage and distribute malware. These directories, often unintentionally exposed, reveal the tactics used to disguise malicious files as legitimate software in order to deceive users. Understanding these tactics helps defenders better detect, mitigate, and respond to such threats.

Defense Recommendations:
- Monitor for External Open Directories: Use internet intelligence tools to monitor for open directories that might host malicious files targeting your organization or its supply chain.
- File Reputation and Whitelisting: Employ reputation services such as VirusTotal and implement application allowlisting to prevent unverified or suspicious executables from running.
- Strengthen Endpoint Defense: Ensure Endpoint Detection and Response (EDR) solutions are in place and tuned to detect typical behaviors of malicious scripts, such as disabling security features or using misleading filenames.

Network Observables

IP Address | Hosting Country | ASN | XWorm Filename | Notes
158.247.200[.]45:443 | KR | The Constant Company, LLC | chrome.exe | Likely meant to dupe users looking to download the Google Chrome browser.
216.173.64[.]63:4646 | CN | Evoxt Enterprise | US | Part of a previous phishing campaign delivering gift cards which in reality were XWorm.
103.230.121[.]82 | TH | Bangmod Enterprise Co., Ltd. | SecurityHealthService.exe | Spoofs the legitimate Windows process responsible for handling notifications about the security health of a system.
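The masquerading pattern described in the case examples (payloads named after well-known Windows components or popular software, staged in open directories and later run from user-writable paths) and the EDR recommendation above can both be turned into simple checks. The following Python is an added example written for this post, not code from Hunt or from the original article. The expected install directories, the lure filename list, the open-directory listing and the process-creation paths are constructed assumptions for illustration, not data from the page.

```python
"""Two small triage checks for the filename-masquerading tactic.

Added example (not Hunt's code). The install directories below are typical
Windows defaults and are an assumption of this example, as is the lure list.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Binary names the post reports XWorm being disguised as, mapped to the
# directories where a genuine copy normally lives (assumed defaults).
EXPECTED_DIRS = {
    "securityhealthservice.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}

# Other filenames the post lists as recurring lure/testing names (constructed
# watchlist built from the article; extend with your own intelligence).
LURE_NAMES = {
    "uidiscord.exe", "javax-helper.exe", "updater.exe",
    "test.exe", "test2.bat", "chrome.bat", "pdf.bat",
}

# Matches href targets in an Apache/nginx-style autoindex page, skipping the
# column-sort links ("?C=N;O=D") and the parent-directory link ("/").
HREF_RE = re.compile(r'href="([^"?/][^"]*)"', re.IGNORECASE)


def triage_listing(index_html: str) -> List[Tuple[str, str]]:
    """Return (filename, reason) pairs for entries in an open-directory
    listing that match a masquerade name, a known lure, or a script."""
    findings = []
    for name in HREF_RE.findall(index_html):
        lower = name.lower()
        if lower in EXPECTED_DIRS:
            findings.append((name, "imitates well-known binary"))
        elif lower in LURE_NAMES:
            findings.append((name, "matches known lure filename"))
        elif lower.endswith((".bat", ".cmd", ".ps1")):
            findings.append((name, "script in open directory"))
    return findings


def check_process_image(image_path: str) -> Optional[str]:
    """For an endpoint process-creation event, flag an image whose file name
    matches a well-known binary but whose directory is not where the genuine
    binary lives. Returns an alert string, or None when nothing is wrong."""
    p = PureWindowsPath(image_path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return None  # not a name we track
    if str(p.parent).lower() in expected:
        return None  # genuine location
    return f"{p.name} executed from unexpected path {p.parent} " \
           f"(expected one of: {sorted(expected)})"


def scan_events(image_paths: List[str]) -> List[str]:
    """Apply check_process_image to a batch of events, keeping only alerts."""
    return [a for a in map(check_process_image, image_paths) if a]


# Constructed sample inputs (not real observations from the article).
INDEX_HTML = """<html><body><h1>Index of /</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="chrome.exe">chrome.exe</a>   2024-11-20 10:02  44K
<a href="chrome.bat">chrome.bat</a>   2024-11-20 10:02  1.1K
<a href="test.exe">test.exe</a>       2024-11-19 08:15  44K
<a href="readme.txt">readme.txt</a>   2024-11-19 08:15  100
</pre><hr></body></html>"""

SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",                       # genuine
    r"C:\Users\Public\Downloads\SecurityHealthService.exe",   # masquerade
    r"C:\Users\alice\AppData\Local\Temp\chrome.exe",          # masquerade
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # genuine
]

if __name__ == "__main__":
    for name, reason in triage_listing(INDEX_HTML):
        print(f"[listing] {name}: {reason}")
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[endpoint] {alert}")
```

Both checks are deliberately name-based because that is the tactic the post documents; in production they sit alongside hash and reputation lookups (the File Reputation recommendation) rather than replacing them, and the expected-directory map should be generated from your own software inventory rather than hard-coded.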
Source: https://hunt.io/blog/uncovering-threat-actor-tactics-xworm-delivery-strategies