Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
Essential information
- Published
- 10/02/2026 18:02
- Modified
- 11/02/2026 11:05
- Tags
- 2026-02-10 CVE-2018-0802 aes encryption fileless phishing process-hollowing xworm
- Related entities
- 2 vulnerabilities (cve), 8 observables, 20 techniques (mitre), 1 malware, 2 others
Description
A sophisticated phishing campaign delivering XWorm RAT has been identified. The attack chain begins with themed emails containing malicious Excel attachments exploiting CVE-2018-0802. When opened, the file downloads an HTA file, which executes PowerShell code to retrieve a fileless .NET module. This module then uses process hollowing to inject the XWorm payload into Msbuild.exe. XWorm 7.2 employs encrypted C2 communication and offers extensive features through plugins, including system control, data theft, DDoS capabilities, and ransomware functionality. The analysis reveals XWorm's modular architecture and advanced evasion techniques, highlighting it as a significant threat.