XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed
Essential information
- Published
- 30/07/2025 19:01
- Modified
- 30/07/2025 19:20
- Tags
- 2025-07-30 amsi bypass anti-analysis evasion in-memory execution malware persistence xworm
- Related entities
- 4 observables, 8 techniques (mitre), 1 malware
Description
A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then downloads and loads the XWorm binary. The latest version includes the ability to run as a critical process, preventing termination without admin privileges. It also introduces new anti-analysis techniques, such as terminating on Windows XP and detecting execution in data centers or hosting providers. The malware maintains its in-memory execution and continues to employ various evasion techniques.