XWorm.

A modular .NET remote-access trojan that emerged in 2022 and became one of the most distributed commodity RATs of 2024–2025, sold openly to low-skill operators and shipped via every common phishing and loader vector. Es gehört zur Kategorie Schadsoftware der Cybersicherheit.

A modular .NET remote-access trojan that emerged in 2022 and became one of the most distributed commodity RATs of 2024–2025, sold openly to low-skill operators and shipped via every common phishing and loader vector.

XWorm is a .NET-based remote-access trojan and stealer that first appeared in 2022 and has since become one of the most distributed commodity RATs, peaking through 2024–2025. It is sold on Telegram and forums to a low-skill operator base, which is reflected in its capability set: a builder GUI lets affiliates configure clipboard hijacking (crypto-wallet replacement), keystroke logging, screen capture, credential theft from major browsers and mail clients, hidden remote desktop (HVNC), webcam capture, file transfer, command shell, and a small plug-in loader for follow-on payloads. Some XWorm builds include worm-like spreading via USB drives and Discord-token theft. Distribution leverages phishing, SmokeLoader/PrivateLoader chains, malvertising, fake-update lures, and trojanized cracks. XWorm shares lineage and code with other commodity .NET families (NanoCore, Quasar, AsyncRAT) and is often used as the second-stage payload after loaders such as GuLoader, SmokeLoader, or DBatLoader. EDR detections target its typical C2 patterns (custom TCP protocol over TLS to operator-chosen ports) and its installation footprint in `%AppData%` with scheduled-task persistence.

Schutzmaßnahmen gegen XWorm kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: X-Worm, XWorm RAT.