{
	"id": "396eabd7-ffdb-443d-8f1d-23ffe2832ded",
	"created_at": "2026-04-06T00:13:04.928441Z",
	"updated_at": "2026-04-10T13:11:20.885259Z",
	"deleted_at": null,
	"sha1_hash": "e5c2848846cf5520679ce5c4e526a8d6dee5a19c",
	"title": "XWorm Malware: Exploring C\u0026C Communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75932,
	"plain_text": "XWorm Malware: Exploring C\u0026C Communication\r\nBy Igal Lytzki\r\nPublished: 2023-11-21 · Archived: 2026-04-05 22:32:10 UTC\r\nIn this article, our guest author Igal Lytzki (0xToxin on Twitter) will explore and understand the dynamics\r\noccurring when a successful connection is established between the XWorm operating server and a user who has\r\nfallen victim to executing this malware. \r\nThroughout this article, Igal will investigate the encryption of the communication between the client and the\r\nserver, uncover the methods to decrypt it, and identify the potential data and commands the server can transmit to\r\nthe client. \r\nLet’s get started! \r\nWhat is XWorm malware? \r\nXWorm is a Remote Access Trojan (RAT) malware, specifically targeting Windows operating systems. It provides\r\nthe operator with an extensive array of so-called “plugins” designed to infect users upon successful connection. \r\nThis malware has been active for quite a while now, a fact reflected in ANY.RUN’s weekly upload analytics they\r\nshare on twitter:\r\nXWorm Initial Connection \r\nAs previously noted, the purpose of this article is an examination of the occurrences post-establishment of a new\r\nconnection by the XWorm operating server.  \r\nFor those seeking a deep understanding of the XWorm code, such as persistence techniques and configuration\r\nextraction, read this detailed XWorm technical analysis in ANY.RUN’s blog. \r\nThe current article is based on this ANY.RUN analysis. 
Feel free to join us in real-time analysis by filtering with\r\nthe Process ID 2932.\r\nhttps://any.run/cybersecurity-blog/xworm-malware-communication-analysis/\r\nPage 1 of 11\n\nWe’ll focus on a process with ID 2932 \r\nAnalyzing the code of the XWorm payload, a specific class surfaces as the chief handler of the communication\r\nprocess with the server, termed the ClientSocket class in our context:\r\nClientSocket class interface detailing server communication methods in XWorm payload \r\nOn its initial run on the victim’s computer, XWorm initiates a connection to a remote server, the details of which\r\nare located in the MalConf section on the ANY.RUN scan: \r\nXWorm malware configuration in ANY.RUN \r\nThe transmitted communication data appears as follows:\r\nTransmitted communication data \r\nExamining the code reveals that it can be split into two principal segments: \r\n1. The data length (initial byte sequence up to the 0x00 byte) \r\n2. The encrypted data \r\nIllustrated in the above scenario, the data length stands at 272 (expressed in decimal value). \r\nThe encryption employed is AES-ECB (without padding), and the encryption key is the MD5 hash of a\r\nconfiguration variable decrypted during the malware’s execution. In our case it’s \u003cGuage12\u003e. \r\nDecrypting the data XWorm transmits to the server \r\nEquipped with this, we can hash the key and attempt to decrypt the data transmitted to the server: \r\nA script to decrypt the communication \r\nA script to decrypt the communication can be accessed here. \r\nWe can see that the first batch of data sent to the server has several fields. These can be split by using the splitter,\r\nfound under the MalConf section. 
By comparing this with the malware’s code, we can understand what each field\r\nrepresents: \r\nID: This is the MD5 hash of the following values strung together:  \r\nProcessor Count \r\nUserName \r\nMachineName \r\nOS Version \r\nTotal size of C: drive \r\nUserName: The user’s identifier. \r\nOS: Information about the Operating System. \r\nVersion: Details about the version. \r\nLast Write Time to the Executable: Shows the last time the executable file was changed. \r\nExecution from Persistence: Shows if it ran from persistence. \r\nAdmin Status: Shows if it is running with administrative privileges. \r\nCamera Check: Checks for a camera’s presence. \r\nCPU Info: Provides information about the Central Processing Unit. \r\nGPU Info: Provides details about the Graphics Processing Unit. \r\nRAM Info: Provides information on available Random Access Memory. \r\nAV’s Info: Provides details about installed antivirus software. \r\nAfter the necessary information has been sent to the XWorm server and the client is added to the infection panel,\r\nthe attacker can use a wide range of plugins on the client. \r\nInfo Stealer Plugin \r\nExamining the code structure of the XWorm binary, which was injected and operated under RegAsm.exe (PID\r\n2932), reveals that it operates through the invocation of seven main classes during its execution: \r\nAlgorithmAES: Responsible for decrypting data. \r\nClientSocket: Manages the establishment of connections to the remote server. \r\nHelper: A class populated with numerous functions invoked by other classes. \r\nMessages: Handles data received from the server, including the execution of plugins. \r\nXlogger: Serves as the keylogger function. \r\nUninstaller: Facilitates the uninstallation of the binary. \r\nMain. 
\r\nEach of these classes plays a significant role in the operation and execution of the malware, collectively allowing\r\nit to function efficiently and achieve its malicious objectives. \r\nA list of classes. Each plays a significant role in execution of the malware \r\nWhen examining the traffic between the client and the server, an unusually large packet being transmitted from the\r\nserver to the client becomes evident: \r\nSnapshot of large data packet transfer in client-server traffic analysis\r\nUpon downloading and decrypting this packet, it is revealed that the received command is to store a plugin. This\r\nplugin is stored as a .gz archive which, once uncompressed, unveils an executable: \r\nDecryption of a .gz archive plugin command in malware payload analysis\r\nProperties of a .NET DLL revealing its info-stealing capabilities post-decompression\r\nThis executable is a .NET based DLL. A closer inspection of the code discloses that this DLL is an extensive\r\ninfostealer, endowed with several theft capabilities such as: \r\nCapturing Credit Card Information \r\nHarvesting Chromium Cookies \r\nAcquiring Discord Tokens \r\nExtracting FileZilla Credentials \r\nAccessing Browser Data \r\nCollecting Browser History \r\nRetrieving WiFi Passwords \r\nCompromising MetaMask \r\nCompromising Telegram \r\nand more. 
\r\nClass list from Recovery DLL showcasing various data extraction functions \r\nCommands Plugin \r\nContinuing our examination of the traffic between the client and the server, we identify another packet of\r\ninterest (smaller than the previous one but still unusual) that warrants a closer look:\r\nData packet capture highlighting another notable command plugin in network traffic analysis. \r\nBy applying the same decryption and uncompression processes, we uncover another executable:\r\nDecryption output revealing executable code\r\nDetails of a .NET DLL with potential to execute various malicious actions\r\nThis is another .NET based DLL, which suggests a range of potential actions that the adversary might want to\r\nexecute: \r\nDisabling or terminating Windows Defender. \r\nExcluding a path from Windows Defender scans. \r\nInstalling the .NET framework. \r\nBlanking the screen. 
\r\nAnd more.\r\nOptions.dll functions revealing malicious capabilities including screen blanking and system\r\ndisruption \r\nReviewing the Threats section in the ANY.RUN analysis, it is noted that numerous malicious activities were\r\ndetected during the malware’s execution, including the identification of XWorm’s request commands for\r\nsendPlugin and savePlugin.\r\nCommand and control activity with sendPlugin and savePlugin requests in ANY.RUN\r\nIOCs\r\nFileName  SHA256 \r\nmsbuilds.exe  f58193da4f61b45e375f5aa2978b08908578b5151dc779dc4b566e6a941e802b \r\nRecovery.dll  0ee68c8008e2a8d6252db3d3b1a1b0179e1f868b0b3240bbcec3d1c29d5364fb \r\nOptions.dll  7df14d2929a500eec6a144ec8e687960bbea047f9a78a46ea64faa1fa28f8724 \r\nMITRE ATT\u0026CK\r\nTactic  Technique \r\nCOLLECTION  Archive Collected Data::Archive via Library T1560.002 \r\nCREDENTIAL ACCESS  Credentials from Password Stores::Credentials from Web Browsers T1555.003 \r\nDEFENSE EVASION  Deobfuscate/Decode Files or Information T1140 \r\nDEFENSE EVASION  Obfuscated Files or Information T1027 \r\nDEFENSE EVASION  Reflective Code Loading T1620 \r\nDISCOVERY  File and Directory Discovery T1083 \r\nDISCOVERY  Process Discovery T1057 \r\nDISCOVERY  Query Registry T1012 \r\nDISCOVERY  System Information Discovery T1082 \r\nDISCOVERY  System Location Discovery T1614 \r\nEXECUTION  Shared Modules T1129 \r\nEXECUTION  Windows Management Instrumentation T1047 \r\nC2\r\n140.228.29[.]162:7900 \r\nIgal Lytzki\r\nThreat Analyst \u0026 team leader. Malware researcher in my spare time.\r\nSource: https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/"
	],
	"report_names": [
		"xworm-malware-communication-analysis"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5c2848846cf5520679ce5c4e526a8d6dee5a19c.pdf",
		"text": "https://archive.orkl.eu/e5c2848846cf5520679ce5c4e526a8d6dee5a19c.txt",
		"img": "https://archive.orkl.eu/e5c2848846cf5520679ce5c4e526a8d6dee5a19c.jpg"
	}
}