We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:Win64/XWormRAT!MTB
Aliases: No associated aliases
Summary
XWorm is a remote access trojan (RAT) distributed under a malware-as-a-service model and has been linked to the ClickFix campaign. Known for its stealth and versatility, XWorm allows threat actors to gather sensitive data, hijack Metamask and Telegram sessions, and monitor user activity on compromised Windows devices.
The XWorm spreads through phishing emails containing harmful links or attachments. Once deployed, it ensures persistence through startup entries, obfuscates its components to evade detection, and communicates with threat actor infrastructure via designated command-and-control (C2) servers.
The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
