Published May 18, 2024 | Updated Jan 27, 2026

Trojan:MSIL/XWormRAT.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:MSIL/XWormRAT.A is a sophisticated and actively developed Remote Access Trojan (RAT) that grants threat actors comprehensive control over infected Windows devices. First identified for sale as a Malware-as-a-Service (MaaS) in mid-2022, its availability in "cracked" versions has led to widespread adoption by threat actors ranging from cybercriminals to advanced persistent threat (APT) groups. Its modular design allows it to function as a Swiss Army knife for threat actors, capable of data theft, surveillance, ransomware deployment, and further network compromise. What makes XWorm particularly challenging for defenders is its operational flexibility and relentless evolution. The malware rarely travels alone; it is delivered alongside other malware families, particularly other RATs, creating layered and persistent threats on compromised devices.

  • Immediately disconnect the infected device from all networks, including Ethernet, Wi-Fi, and Bluetooth. 
  • Manually review and delete malicious scheduled tasks, startup items, and registry Run keys created by the malware. 
  • From a clean device, change all passwords for accounts accessed on the infected system, prioritizing email, banking, and network logins. 
  • Use a tool like Autoruns to identify and delete malicious registry entries and scheduled tasks created for persistence. 
  • In an elevated PowerShell window, restore security settings. For example, run Set-MpPreference -DisableRealtimeMonitoring $false and netsh advfirewall set allprofiles state on
  • Change all passwords that were stored on or typed into the compromised device and activate multi-factor authentication. 
  • If files are encrypted, do not pay the ransom. Restore your data from a clean, offline backup only after the system is disinfected.
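
The following read-only PowerShell script is an added example, not part of the original entry. It lists the registry Run keys, Startup folder items, scheduled tasks, and the Defender and firewall state that the steps above say to review; the specific keys checked and the \Microsoft\ task filter are assumptions made for this example.

```powershell
# Read-only review of persistence locations and security settings. Deletes nothing.
# Run in an elevated PowerShell window; HKCU and Startup cover the current user only.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry Run keys: one row per value (value name and the command it launches).
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = $k.GetValue($name) }
    }
}

# Startup folders for the current user and for all users.
$startupDirs  = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$startupItems = Get-ChildItem -LiteralPath $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime

# Scheduled tasks with their actions. Tasks under \Microsoft\ are filtered out only
# to reduce noise (assumption); remove the Where-Object line for a full review.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; State = $_.State
                               Execute = $a.Execute; Arguments = $a.Arguments }
        }
    }

# Security settings the malware may have changed.
$mp = Get-MpComputerStatus
$fw = Get-NetFirewallProfile | Select-Object Name, Enabled

$runEntries   | Format-Table -AutoSize -Wrap
$startupItems | Format-Table -AutoSize
$tasks        | Format-Table -AutoSize -Wrap
"Real-time protection enabled: $($mp.RealTimeProtectionEnabled)"
"Signatures last updated:      $($mp.AntivirusSignatureLastUpdated)"
$fw | Format-Table -AutoSize
```

Entries that point to unfamiliar executables or scripts in user-writable folders are the ones to examine first; compare the output against a known-clean device where possible.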

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
