XWorm.

A modular .NET remote-access trojan that emerged in 2022 and became one of the most distributed commodity RATs of 2024–2025, sold openly to low-skill operators and shipped via every common phishing and loader vector. It belongs to the Malware category of cybersecurity.

A modular .NET remote-access trojan that emerged in 2022 and became one of the most distributed commodity RATs of 2024–2025, sold openly to low-skill operators and shipped via every common phishing and loader vector.

XWorm is a .NET-based remote-access trojan and stealer that first appeared in 2022 and has since become one of the most distributed commodity RATs, peaking through 2024–2025. It is sold on Telegram and forums to a low-skill operator base, which is reflected in its capability set: a builder GUI lets affiliates configure clipboard hijacking (crypto-wallet replacement), keystroke logging, screen capture, credential theft from major browsers and mail clients, hidden remote desktop (HVNC), webcam capture, file transfer, command shell, and a small plug-in loader for follow-on payloads. Some XWorm builds include worm-like spreading via USB drives and Discord-token theft. Distribution leverages phishing, SmokeLoader/PrivateLoader chains, malvertising, fake-update lures, and trojanized cracks. XWorm shares lineage and code with other commodity .NET families (NanoCore, Quasar, AsyncRAT) and is often used as the second-stage payload after loaders such as GuLoader, SmokeLoader, or DBatLoader. EDR detections target its typical C2 patterns (custom TCP protocol over TLS to operator-chosen ports) and its installation footprint in `%AppData%` with scheduled-task persistence.

Defences for XWorm typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: X-Worm, XWorm RAT.