{
  "name": "XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed",
  "slug": "xworm-v6-advanced-evasion-and-amsi-bypass-capabilities-revealed",
  "description": "A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then downloads and loads the XWorm binary. The latest version includes the ability to run as a critical process, preventing termination without admin privileges. It also introduces new anti-analysis techniques, such as terminating on Windows XP and detecting execution in data centers or hosting providers. The malware maintains its in-memory execution and continues to employ various evasion techniques.",
  "published": "2025-07-30T17:01:41+00:00",
  "created_at": "2025-07-30T17:01:41+00:00",
  "modified_at": "2025-07-30T17:20:01+00:00",
  "created_at_opencti": "2025-07-30T17:01:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-30",
    "amsi bypass",
    "anti-analysis",
    "evasion",
    "in-memory execution",
    "malware",
    "persistence",
    "xworm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "e73f48fe634a0c767bd596bbd068a13be7465993633fd61ccda717a474ee2db2"
      },
      {
        "id": "",
        "name": "9dd4902099e23c380596e7061482560866e103d2a899b84e0b6ff98c44c494e4"
      },
      {
        "id": "",
        "name": "4648ce5e4ce4b7562a7828eb81f830d33ab0484392306bc9d3559a42439c8558"
      },
      {
        "id": "",
        "name": "c4c533ddfcb014419cbd6293b94038eb5de1854034b6b9c1a1345c4d97cdfabf"
      }
    ],
    "malware": [
      {
        "id": "82e2ea8e-729a-4648-ba23-3a792f53fa15",
        "name": "XWorm",
        "slug": "xworm"
      }
    ],
    "attack_patterns": [
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ]
  },
  "external_refs": [
    "https://www.netskope.com/blog/xworm-v6-0-enhanced-malware-protection-and-stealthy-delivery",
    "https://otx.alienvault.com/pulse/688a6c15c21f7753aad69da1"
  ]
}