Trojan:PowerShell/XWorm.PC!MTB
Aliases: No associated aliases
Summary
Trojan:PowerShell/XWorm.PC!MTB refers to a persistent backdoor that uses PowerShell scripts as its primary engine. Threat actors distribute this threat through phishing emails. These emails often impersonate trusted services and contain attachments that, when opened, secretly run PowerShell commands to download the malicious payload. This method allows the threat to operate with a high degree of stealth, often running in system memory to avoid leaving obvious traces on the disk. Once established, this malware provides remote control of the compromised device to a malicious actor. This can lead to data theft, surveillance, and the installation of further harmful software like ransomware. While the capabilities are severe, timely detection and response can often contain and remove the infection before critical damage occurs.
The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family.
- Immediately disconnect the infected device from all networks, including Ethernet, Wi-Fi, and Bluetooth.
- Boot the computer into Safe Mode with Networking to prevent most malware processes from starting.
- Perform a full system scan using a reputable, updated security product.
- Manually check for and remove malicious files, such as any unexpected msedge.exe in %AppData% or batch files in %Temp%.
- Use a tool like Autoruns to identify and delete malicious registry entries and scheduled tasks created for persistence.
- In an elevated PowerShell window, restore security settings. For example, run Set-MpPreference -DisableRealtimeMonitoring $false and netsh advfirewall set allprofiles state on.
- Change all passwords that were stored on or typed into the compromised device and activate multi-factor authentication.
- If files are encrypted, do not pay the ransom. Restore your data from a clean, offline backup only after the system is disinfected.
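The manual checks in the steps above, gathered into one triage script. This is an added example, not Microsoft's tooling or part of the original entry; it assumes an elevated PowerShell window on the already isolated device, and it only reports findings so the analyst can review each one before removing anything. The paths, file types and settings it looks for are the ones named in the list above.

```powershell
# Added triage helper for the remediation steps on this page (not Microsoft's own tooling).
# Assumes an elevated PowerShell window on the isolated device. Reports only; review before deleting.
$findings = @()
$psPattern = 'powershell|pwsh|\.bat|\\AppData\\'   # launch strings worth a second look (heuristic)

# 1. Unexpected msedge.exe under %AppData% (the real browser lives under Program Files).
Get-ChildItem -Path $env:APPDATA -Recurse -Filter 'msedge.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += [pscustomobject]@{ Type='File'; Item=$_.FullName; Note='msedge.exe outside Program Files' } }

# 2. Batch files in %Temp%.
Get-ChildItem -Path $env:TEMP -Filter '*.bat' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += [pscustomobject]@{ Type='File'; Item=$_.FullName; Note='batch file in %Temp%' } }

# 3. Run/RunOnce registry values that launch PowerShell or a batch file (persistence locations Autoruns also shows).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $psPattern } |
            ForEach-Object { $findings += [pscustomobject]@{ Type='Registry'; Item="$key\$($_.Name)"; Note=$_.Value } }
    }
}

# 4. Scheduled tasks whose action launches PowerShell or a batch file.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $psPattern } |
        ForEach-Object { $findings += [pscustomobject]@{ Type='Task'; Item="$($task.TaskPath)$($task.TaskName)"; Note="$($_.Execute) $($_.Arguments)" } }
}

# 5. Security settings the restore step above puts back: real-time monitoring and the firewall profiles.
if ((Get-MpPreference).DisableRealtimeMonitoring) {
    $findings += [pscustomobject]@{ Type='Setting'; Item='Defender real-time monitoring'; Note='disabled; run Set-MpPreference -DisableRealtimeMonitoring $false' }
}
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
    ForEach-Object { $findings += [pscustomobject]@{ Type='Setting'; Item="Firewall profile $($_.Name)"; Note='disabled; run netsh advfirewall set allprofiles state on' } }

if ($findings.Count -eq 0) { 'No findings for the checks on this page.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A Run value or task that merely references PowerShell is not proof of infection; compare each hit against what the device is expected to run before removing it.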
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.