XWorm V6 Malware Evades Detection, Hits Windows Users

A newly discovered XWorm V6 malware variant has surfaced in active attacks against Windows users, showcasing advanced anti-analysis features and memory-only execution. Security researchers at Netskope uncovered the strain following a year-long investigation into XWorm’s development. The variant evades detection through obfuscated VBScript droppers and runtime payload reconstruction via reversed character arrays.
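A static triage check for the reversed-character-array technique mentioned above, as an added example that is not code from this article or from the Netskope report. It assumes the dropper stores strings as `Array(...)` of one-character literals in reverse order; the function name, keyword list and sample script are hypothetical and constructed for illustration.

```python
import re

# Assumption: the dropper holds strings as Array("x","y",...) of one-character
# literals in reverse order; the real XWorm V6 dropper layout is not shown here.
ELEM = r'"(?:[^"\r\n]|"")"'   # one character, or "" for an escaped quote
SEP = r'[\s_]*'               # whitespace, including VBScript " _" continuations
ARRAY_RE = re.compile(
    r'Array\s*\(' + SEP + '(' + ELEM + '(?:' + SEP + ',' + SEP + ELEM + ')+)'
    + SEP + r'\)', re.IGNORECASE)
ELEM_RE = re.compile(r'"((?:[^"\r\n]|""))"')

# Illustrative triage keywords, not indicators from the Netskope report.
KEYWORDS = ("wscript.shell", "powershell", r"currentversion\run", "amsi", "http")
MIN_CHARS = 6  # ignore very short arrays to cut noise


def find_reversed_arrays(script_text):
    """Return (line, decoded, keywords) for arrays that only read sensibly reversed."""
    findings = []
    for m in ARRAY_RE.finditer(script_text):
        chars = [c.replace('""', '"') for c in ELEM_RE.findall(m.group(1))]
        if len(chars) < MIN_CHARS:
            continue
        forward = "".join(chars)
        decoded = forward[::-1]
        # Flag only keywords that appear after reversal and not in the stored order.
        hits = [k for k in KEYWORDS
                if k in decoded.lower() and k not in forward.lower()]
        if hits:
            line = script_text.count("\n", 0, m.start()) + 1
            findings.append((line, decoded, hits))
    return findings


# Constructed sample script (not taken from a real dropper).
SAMPLE = r'''Dim a, b, c
a = Array("l","l","e","h","S",".","t","p","i","r","c","S","W")
b = Array("a","b","c","d","e","f")
c = Array("n","u","R","\","n","o","i","s","r","e","V", _
          "t","n","e","r","r","u","C")
'''

if __name__ == "__main__":
    for line, decoded, hits in find_reversed_arrays(SAMPLE):
        print(f"line {line}: {decoded!r} matches {hits}")
```

A hit is a lead for manual review of the script, since the keyword list is generic and other encodings will not match this pattern.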

The malware initiates infection by embedding itself in system folders and modifying registry keys for startup persistence. Unlike earlier versions that used scheduled tasks, this variant deploys dual-location persistence and process protection. It further evades detection by bypassing Microsoft’s Antimalware Scan Interface (AMSI), overwriting AMSI memory signatures within CLR.DLL.

The malware also attempts to mark itself as a critical process, complicating termination efforts and increasing system risk. These enhancements reflect a heightened level of sophistication, posing increased challenges for defenders and analysts.

Read the full report for technical details and indicators of compromise:

New XWorm V6 Variant’s With Anti-Analysis Capabilities Attacking Windows Users in The Wild
