XWorm 3.1 May 2026
XWorm 3.1 – Technical Overview
Registry
Once a system is compromised, XWorm 3.1 can perform a wide range of intrusive activities:
URLs for distribution and the inclusion of cryptocurrency-stealing clipboard hijackers.
Tinexta Defence (Malware Lab Report): Provides a Technical Analysis of XWorm
id=base64(ComputerName+Username)&data=AES_encrypted_command_output
XWorm 3.1 communicates with the Command and Control (C2) server via TCP or WebSocket on custom ports (often configurable, e.g., 4000, 5000).
- Registry Run Keys: Adding an entry to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- Scheduled Tasks: Creating a task to launch the executable at user logon.
- Startup Folder: Copying a shortcut to the Windows Startup folder.
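
A triage sketch for the three autostart locations listed above, added here as an example and not taken from the cited report. It assumes events have already been exported to dictionaries whose field names follow Sysmon Event ID 13 (registry value set), Sysmon Event ID 11 (file create) and Security Event ID 4698 (scheduled task created); the dictionary layout, hosts, users and paths are constructed.

```python
import re

# Autostart locations from the list above; Sysmon logs HKCU writes under HKU\<user SID>.
RUN_KEY = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
LOGON_TRIGGER = re.compile(r"<LogonTrigger\b", re.I)
COMMAND = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)
# Locations a standard user can write to; a binary there raises priority.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)

def classify(ev):
    """Return (mechanism, binary to judge) for an autostart write, else None."""
    key = (ev["source"], ev["id"])
    if key == ("sysmon", 13) and RUN_KEY.search(ev["TargetObject"]):
        return "run_key", ev["Details"].strip('"')       # value data = command line
    if key == ("sysmon", 11) and STARTUP.search(ev["TargetFilename"]):
        return "startup_folder", ev["Image"]             # process that wrote the .lnk
    if key == ("security", 4698) and LOGON_TRIGGER.search(ev["TaskContent"]):
        m = COMMAND.search(ev["TaskContent"])
        return "logon_task", m.group(1).strip() if m else ""
    return None

def triage(events):
    """One finding per autostart write; 'high' if the binary is user-writable."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            sev = "high" if USER_WRITABLE.search(hit[1]) else "review"
            findings.append((ev["host"], hit[0], hit[1], sev))
    return findings

SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
TASK = "<Task><Triggers><{0}/></Triggers><Actions><Exec><Command>{1}</Command></Exec></Actions></Task>"
# Constructed sample events; hosts, users and paths are made up.
SAMPLE = [
    {"source": "sysmon", "id": 13, "host": "WS-01",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\updater.exe"'},
    {"source": "sysmon", "id": 13, "host": "WS-01",
     "TargetObject": SID + r"\Software\Vendor\Settings\Theme", "Details": "dark"},
    {"source": "sysmon", "id": 11, "host": "WS-02", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"source": "security", "id": 4698, "host": "WS-03",
     "TaskContent": TASK.format("LogonTrigger", r"C:\Users\Public\svc.exe")},
    {"source": "security", "id": 4698, "host": "WS-03",
     "TaskContent": TASK.format("TimeTrigger", r"C:\Program Files\Vendor\update.exe")},
]
```

Calling triage(SAMPLE) returns three findings: the Run key and logon task entries are rated high because the launched binary sits in a user-writable path, while the Startup shortcut written by explorer.exe is left for review.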
: Sold on underground forums, making it accessible to low-level "script kiddies" and organized groups alike.
Defensive Recommendations
To protect against XWorm and similar RATs:
- Use Endpoint Protection
Execution: Clicking a link in the PDF downloads an executable that initiates the infection.