XWorm.

A modular .NET remote-access trojan that emerged in 2022 and became one of the most distributed commodity RATs of 2024–2025, sold openly to low-skill operators and shipped via every common phishing and loader vector. 它属于网络安全的 恶意软件 分类。

A modular .NET remote-access trojan that emerged in 2022 and became one of the most distributed commodity RATs of 2024–2025, sold openly to low-skill operators and shipped via every common phishing and loader vector.

XWorm is a .NET-based remote-access trojan and stealer that first appeared in 2022 and has since become one of the most distributed commodity RATs, peaking through 2024–2025. It is sold on Telegram and forums to a low-skill operator base, which is reflected in its capability set: a builder GUI lets affiliates configure clipboard hijacking (crypto-wallet replacement), keystroke logging, screen capture, credential theft from major browsers and mail clients, hidden remote desktop (HVNC), webcam capture, file transfer, command shell, and a small plug-in loader for follow-on payloads. Some XWorm builds include worm-like spreading via USB drives and Discord-token theft. Distribution leverages phishing, SmokeLoader/PrivateLoader chains, malvertising, fake-update lures, and trojanized cracks. XWorm shares lineage and code with other commodity .NET families (NanoCore, Quasar, AsyncRAT) and is often used as the second-stage payload after loaders such as GuLoader, SmokeLoader, or DBatLoader. EDR detections target its typical C2 patterns (custom TCP protocol over TLS to operator-chosen ports) and its installation footprint in `%AppData%` with scheduled-task persistence.

针对 XWorm 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: X-Worm, XWorm RAT。