XWorm v3.1 Updated (Jun 2026)
XWorm v3.1 introduces a robust plugin architecture located in the HKEY_CURRENT_USER\Software\XWorm registry key. The malware can download plugins and execute them directly in memory (RAM), leaving no trace on the hard drive. Common plugins include:
If you are not running a modern EDR with behavioral heuristics, and if your users are not trained to spot ISO/LNK phishing lures, you are vulnerable. Update your defenses today, because the worm is turning, faster than ever.
rule XWorm_v31_Mutex
{
    strings:
        // Mutex name and API strings; matched as both UTF-16 (wide) and ASCII
        $mutex = "XWorm_31_Global_Mutex" wide ascii
        $api = "EnumWindows" wide ascii
        $net = "SendKeys" wide ascii
    condition:
        // All three strings must be present
        $mutex and $api and $net
}
XWorm v3.1 is an updated version of a Remote Access Trojan (RAT).
While primarily targeting Windows, version 3.1 includes specific user agents for communicating with Command-and-Control (C2) servers for both Windows and Mac environments.