XWorm V31 Updated

This article provides a comprehensive overview of the updated XWorm V31, its new capabilities, infection vectors, and crucial mitigation strategies for 2026.

1. What is XWorm? (Overview)

– Traffic to domains such as assets.guns.lol, cdn.discordapp.com, and other legitimate-looking domains used for malicious payload hosting
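A hunting sketch for the network indicator above, added here as an example and not taken from the article or any vendor tooling. Because both named domains also serve legitimate content, it flags a request only when the requesting process is not one expected to reach them. The log layout and the expected-process list are assumptions, and the log lines are constructed.

```python
"""Flag proxy-log requests to payload-hosting domains made by unexpected processes."""

# Domains named in the article; both also serve legitimate content.
WATCHED = {"assets.guns.lol", "cdn.discordapp.com"}
# Assumption: processes expected to reach these hosts in this environment.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}

# Constructed sample lines: "<utc time> <workstation> <process> <requested host>"
SAMPLE_LOG = """\
2026-01-10T09:14:02Z WS-014 chrome.exe cdn.discordapp.com
2026-01-10T09:14:40Z WS-014 powershell.exe CDN.DiscordApp.com.
2026-01-10T09:15:11Z WS-022 wscript.exe assets.guns.lol
2026-01-10T09:15:30Z WS-022 msedge.exe cdn.discordapp.com.cdn-mirror.example
2026-01-10T09:16:05Z WS-031 mshta.exe notassets.guns.lol
malformed line
"""


def normalize(host):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return host.strip().lower().rstrip(".")


def is_watched(host):
    """Exact or subdomain match only; substring checks give false hits."""
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in WATCHED)


def hunt(log_text):
    """Return (time, workstation, process, host) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        ts, ws, proc, host = parts
        if is_watched(host) and proc.lower() not in EXPECTED:
            hits.append((ts, ws, proc, normalize(host)))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The two look-alike hosts in the sample are deliberately not matched: a naive substring test would flag both and bury the real hits.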

XWorm v31 utilizes a novel ntdll.dll unhooking technique. It remaps the ntdll section from a known clean svchost.exe to overwrite Microsoft’s Antimalware Scan Interface (AMSI) hooks. This allows PowerShell scripts to run without being scanned.

XWorm v3.1 is a sophisticated Remote Access Trojan (RAT) that operates as Malware-as-a-Service (MaaS). Originally appearing in late 2022 and early 2023, it has evolved significantly from its early iterations to become a highly versatile tool for data exfiltration, system surveillance, and malware distribution. (Point Wild)

Overview of Version 3.1

While version numbers can vary in reports (V6, V6.4), the most updated "v31" iteration embodies the culmination of this evolution, featuring a potent mix of stealth, resilience, and destructive capability.

If you suspect a file is malicious, you can view online analysis results on Hybrid Analysis to check its behavior safely.

The defining characteristic of updated XWorm versions is their sophisticated suite of anti-analysis and evasion techniques, specifically designed to bypass modern security tools and avoid detection by security researchers and automated sandboxes.

XWorm is a Malware-as-a-Service (MaaS) tool widely advertised on underground forums. While earlier versions were notorious for their aggressive spread via USB infections, version 3.1 marks a strategic pivot. The author, known online as "Builder" or "xWorm," has shifted focus away from self-propagation toward a stealthier, more stable, and feature-rich Remote Access Trojan (RAT) designed for data exfiltration and payload delivery.

XWorm can disable security features like User Account Control (UAC) and Windows Firewall, and can even grant itself "critical system process" status so that the OS crashes if someone tries to terminate it.

XWorm has a built-in propagation module that spreads to any removable drives connected to the infected system, using malicious shortcuts and autorun features to extend the infection to new devices.