XWorm 6.0: The Swiss Army Knife of Cybercrime Returns, Sharper Than Ever
Once thought abandoned, the XWorm malware has resurfaced with a vengeance, boasting over 35 plugins and a toolkit designed for data theft, espionage, and chaos.
Fast Facts
- XWorm 6.0 is a modular malware with more than 35 attack plugins.
- First seen in 2022, XWorm is linked to the threat actor EvilCoder and has now reappeared after a brief disappearance.
- Distributed mainly via phishing emails and fake software installers.
- The new version fixes previous vulnerabilities and expands features, including ransomware and credential theft.
- Malware operators have even been caught infecting each other with trojanized XWorm builders.
The Hydra of Malware: XWorm's Many Heads
Imagine a digital Swiss Army knife, but every blade is designed for crime. This is XWorm 6.0: a modular, ever-evolving malware suite that’s once again stalking the internet’s shadows. Born in 2022 and crafted by the elusive EvilCoder (later going by XCoder), XWorm was already infamous for its flexibility. Now, after a brief hiatus and rumors of its demise, the malware has reemerged - stronger, stealthier, and more dangerous than ever.
XWorm’s strength lies in its plug-and-play architecture. Once it infects a computer - usually through a phishing email or a fake download - it can load any combination of over 35 specialized plugins straight into memory. These range from tools that steal browser passwords and Wi-Fi keys to those that record keystrokes, spy through webcams, or even encrypt files for ransom. There’s a plugin for everything: remote desktop control, file system manipulation, and even a rootkit for deep concealment.
From Darknet Market to Global Menace
The malware’s journey is almost cinematic. After its original developer vanished from Telegram in 2024, XWorm’s future seemed uncertain. But the criminal underworld abhors a vacuum. Soon, cracked versions of XWorm began circulating, some laced with malware meant to target other hackers - a kind of digital cannibalism. Meanwhile, new variants like the Chinese XSPY appeared, and researchers discovered a critical flaw that let anyone with the right key take over infected machines.
In June 2025, a figure calling themselves XCoderTools announced XWorm 6.0 for sale on cybercrime forums. The price? $500 for a lifetime license. The code was “fully re-coded,” boasting fixes for old vulnerabilities and a fresh arsenal of plugins. Who exactly is behind this latest resurrection remains murky, but the malware’s capabilities are crystal clear.
Technical Terror, Simplified
XWorm 6.0 operates like a remote-controlled robot army. When a victim opens a malicious file, the malware quietly injects itself into a trusted Windows process, making detection tricky. It then connects to its control server, ready to accept commands. Want to steal credentials from Chrome - even those protected by app-specific encryption? There’s a plugin for that. Need to launch a ransomware attack or spy via webcam? Just issue a command.
The malware is also a team player, often serving as a launching pad for other threats like DarkCloud Stealer or Remcos RAT. Ironically, even XWorm’s own creators and users have fallen prey to infected versions of their own tool - a stark reminder that in the criminal ecosystem, even the hunters can become the hunted.
WIKICROOK
- Modular Malware: Modular malware is malicious software built in separate parts, letting attackers add or swap features to better evade detection and adapt to targets.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Rootkit: A rootkit is stealthy malware that hides itself on a device, allowing attackers to secretly control the system and evade detection.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.