Features a "clipper" module that monitors the system clipboard and replaces cryptocurrency wallet addresses with the attacker's own.
Injects the XWorm payload into legitimate system processes to hide its activity.
Capable of launching Distributed Denial of Service attacks and functioning as basic ransomware by encrypting files.

Technical Analysis of the v3.1 Update
Includes real-time screen recording, webcam access, audio monitoring, and keylogging.
Uses "Living off the Land" binaries (LOLBins) like Msbuild.exe and PowerShell to execute code in memory, bypassing traditional disk-based antivirus.
The updated v3.1 variant provides attackers with comprehensive control over a compromised Windows system. Its primary features include:
Exfiltrates browser credentials, cookies, Wi-Fi keys, and Discord/Telegram tokens.
Often delivered via phishing emails with malicious attachments (e.g., weaponized Excel files or PDFs).