XWorm 6.0 Unleashed: New Variant Uses AMSI Bypass & Critical Process Trick to Evade Detection and Crash Systems
A new wave of attacks leveraging the XWorm malware vividly illustrates how far threat actors have advanced in crafting tools that are both resilient to detection and resistant to analysis. The variant identified by Netskope Threat Labs—XWorm version 6.0—not only retains all the core capabilities of its predecessors but also introduces sophisticated evasion techniques, all while maintaining complete in-memory residency.
The infection chain begins with a VBScript file masquerading as a benign document, delivered through phishing messages or other social engineering tactics. The script assembles its payload at runtime from an array of character codes, converting each with ChrW and concatenating the results into a string that is handed to eval, so the real code never appears as a literal and static analysis sees only a list of numbers. To avoid raising suspicion, it strips the Zone.Identifier alternate data stream (the mark-of-the-web that flags a file as an internet download) and then launches a PowerShell script planted in a temporary directory.
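An analyst reading such a loader decodes the character-code chain instead of running it. The PowerShell function below is an added example, not code from the Netskope report or from XWorm; it assumes the usual layout of ChrW()/Chr() calls joined with & (or +) and decodes every run it finds. The script it is fed is constructed here and simply spells a PowerShell launcher; real loaders use the same construction with a far longer chain.

```powershell
# Added example: statically decode strings that a VBScript assembles from
# ChrW()/Chr() calls, so the hidden command can be read without executing it.
# The sample below is constructed for illustration; the page does not show the
# real loader's exact layout, so the regex assumes calls chained with & or +.

function ConvertFrom-ChrWObfuscation {
    param(
        [Parameter(Mandatory)]
        [string]$ScriptText
    )
    # One Chr(n)/ChrW(n) call, optionally preceded by more of them glued with & or +.
    $single     = 'Chr[W]?\(\s*\d+\s*\)'
    $runPattern = "(?:$single\s*[&+]\s*)*$single"

    foreach ($run in [regex]::Matches($ScriptText, $runPattern, 'IgnoreCase')) {
        $codes = [regex]::Matches($run.Value, 'Chr[W]?\(\s*(\d+)\s*\)', 'IgnoreCase') |
            ForEach-Object { [int]$_.Groups[1].Value }
        # ChrW takes a UTF-16 code unit (0-65535); Chr is limited to 0-255.
        $decoded = -join ($codes | ForEach-Object { [char]$_ })
        [pscustomobject]@{
            Offset  = $run.Index      # where in the script the run starts
            Calls   = $codes.Count    # how many Chr/ChrW calls it contained
            Decoded = $decoded        # the reconstructed plaintext
        }
    }
}

# Constructed sample: a ChrW() chain spelling "powershell -ep bypass", handed to
# Execute. The page says the real loader feeds its chain into eval; the decoder
# does not care which function consumes the string.
$sample = @'
Dim cmd
cmd = ChrW(112) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(115) & ChrW(104) & ChrW(101) & ChrW(108) & ChrW(108) & ChrW(32) & ChrW(45) & ChrW(101) & ChrW(112) & ChrW(32) & ChrW(98) & ChrW(121) & ChrW(112) & ChrW(97) & ChrW(115) & ChrW(115)
Execute cmd
'@

ConvertFrom-ChrWObfuscation -ScriptText $sample | Format-Table -AutoSize
```

Run it against a suspect .vbs with `ConvertFrom-ChrWObfuscation -ScriptText (Get-Content .\sample.vbs -Raw)`. Decoded fragments that contain a path under %TEMP% or %APPDATA%, or a powershell.exe command line, are exactly the next stage the page describes.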
To ensure persistence, the malicious component copies itself to both the TEMP and APPDATA directories as update.vbs and registers that copy under the startup (Run) registry key, a departure from earlier variants' reliance on scheduled tasks. The PowerShell script then disables the Antimalware Scan Interface (AMSI) without touching amsi.dll: it scans the memory of the loaded CLR.DLL for the string AmsiScanBuffer and overwrites it with null bytes. Because the .NET runtime resolves the scanning function by that name, the lookup fails and assemblies loaded afterwards are never submitted to AMSI. The technique is lifted from public open-source tooling and lets the malware run arbitrary code in memory unhindered.
The loader then fetches the core XWorm binary from a GitHub repository with the .NET HttpClient class, loads the downloaded bytes directly with Assembly.Load and invokes the assembly's entry point, without writing a single file to disk. This fileless design leaves little for artifact-based detection to find: the payload exists only in the memory of the PowerShell process.
The loaded XWorm payload, Microsoft.exe, keeps the TCP connection to its command-and-control server, with its configuration encoded in Base64, but adds further stealth and persistence features. If it runs with administrative privileges (checked through WindowsBuiltInRole.Administrator), it enables SeDebugPrivilege and marks its own process as critical, the kernel's BreakOnTermination flag. Any attempt to terminate it, whether by a responder or an antivirus engine, triggers a bug check: the system crashes and reboots, and XWorm is relaunched from its registry entry. Responders should therefore check for that flag, and clear it, before killing the process.
Its anti-analysis checks have also been refined. If the malware finds itself on Windows XP, which it treats as a sign of a sandbox, it exits immediately. It also queries the IP-API geolocation service for the victim's public IP address; if the response marks the address as belonging to a hosting provider or datacenter, execution is aborted, a check evidently aimed at automated analysis platforms such as Any.Run.
During reconnaissance the malware collects the hostname, CPU and GPU details and the status of installed antivirus, packages the result and sends it to the command server. New capabilities include deleting its own plugins to clean up traces, launching DDoS attacks through multithreaded HTTP POST floods, editing the hosts file to hijack name resolution for chosen domains (the hosts file is consulted before DNS, so no query ever leaves the machine), and capturing screenshots as JPEG images built in memory with Bitmap and MemoryStream.
XWorm Builder now provides attackers with flexible persistence options—ranging from registry keys to scheduled tasks and startup folders. This modularity implies that while future variants may differ structurally, they will remain focused on persistence, invisibility, and system control.
Detections for this version include the signatures Gen:Variant.Jalapeno.683 and ByteCode-MSIL.Backdoor.XWorm, and Netskope has published indicators of compromise (IOCs). Because everything after the initial script runs in memory, Netskope stresses that effective defense depends on behavioural monitoring: registry changes (especially new Run-key entries pointing at scripts in TEMP or APPDATA), PowerShell script-block logging, and anomalous .NET activity such as assemblies loaded from byte arrays.
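The two artifacts the chain does leave behind, the Run-key entry and the PowerShell that patches AMSI and loads the assembly, are both visible on the host. The script below is an added example, not code from the Netskope report or from XWorm; it is my own hunt for the behaviours described in the persistence and AMSI-bypass paragraphs above and in Netskope's monitoring advice. It assumes a Windows host with PowerShell Script Block Logging (event 4104) enabled, and the pattern list is an assumption drawn from the page, to be tuned to your environment.

```powershell
# Added example: hunt for the on-host traces of the chain described on the page.
# 1) Run/RunOnce values that launch a .vbs from TEMP or APPDATA.
# 2) Logged PowerShell script blocks (event 4104) that reference the AMSI string
#    patch in clr.dll, in-memory assembly loading, or an HttpClient download.
# Requires Script Block Logging for the second check; patterns are mine.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty adds alongside the real values.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($psMetadata -contains $name) { continue }
            $value = [string]$props.$name
            # A script host running a .vbs out of a user-writable temp/profile path.
            if ($value -match '(?i)\.vbs\b' -and $value -match '(?i)\\(Temp|AppData)\\') {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $value }
            }
        }
    }
}

$scriptBlockPatterns = @{
    'AMSI string patch (clr.dll)' = 'AmsiScanBuffer|clr\.dll'
    'In-memory assembly load'     = 'Assembly\]::Load\(|\.EntryPoint\.Invoke'
    'Payload download'            = 'Net\.Http\.HttpClient|GetByteArrayAsync|github'
}

function Get-SuspiciousScriptBlock {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # 4104 layout: [0] fragment number, [1] fragment total, [2] script text, [3] ScriptBlockId.
        $text = [string]$evt.Properties[2].Value
        $hits = foreach ($label in $scriptBlockPatterns.Keys) {
            if ($text -match $scriptBlockPatterns[$label]) { $label }
        }
        if ($hits) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                ProcessId  = $evt.ProcessId
                Indicators = ($hits -join ', ')
                Preview    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize
Get-SuspiciousScriptBlock -Hours 24 | Format-Table -AutoSize
```

Script block logging records the de-obfuscated code as PowerShell compiles it, which is why the AmsiScanBuffer string and the Assembly.Load call show up in 4104 events even though the VBScript stage hid them behind ChrW. A hit on the Run-key check is the stronger signal; the script-block patterns will also fire on legitimate red-team tooling and on developers who load assemblies from bytes.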
XWorm V6 stands as a striking example of modern malware’s evolution—abandoning the traditional file-based model and diving deeper into volatile memory, cloaking itself as legitimate processes and disabling security measures before they can even react.