TrojanDownloader:Win32/XWorm.A!MTB
Aliases: No associated aliases
Summary
TrojanDownloader:Win32/XWorm.A!MTB is a specific Win32 version of the XWorm remote access trojan (RAT). This trojan family exists within an amorphous threat ecosystem, with variants also identified in Win64 (native 64-bit Windows binary), VBS (Visual Basic Script) and MSIL (.NET framework) formats. The Win32 iteration is the 32-bit counterpart of the Win64 variants linked to the ClickFix campaign, which establishes persistence on Windows devices.
Persistence is established by creating files in user directories such as C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. The trojan modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and the domain kribyrisk[.]com. XWorm's capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, giving threat actors comprehensive control over infected devices.
The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family.
- Unplug the ethernet cable or deactivate Wi-Fi to prevent the malware from communicating with its C2 servers and exfiltrating your data.
- Once you have confirmed the system is clean, change all your passwords for sensitive accounts like email, banking, and social media; alternatively, do this from a different, trusted device.
- Check for and remove the files, registry keys, and mutexes listed in the technical analysis table above. A tool such as Autoruns can help you review and manage persistent entries.
- Keep a close watch on your financial and online accounts for any unauthorized actions, as this malware is designed to steal information.
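Before removing anything, it helps to confirm which of the indicators from the summary above are actually present. The following read-only triage script is an added example, not Microsoft's own tooling: it checks for the dropped file, Startup .url shortcuts, and traffic to the listed C2 address and domain. Because the page does not name the registry keys XWorm modifies, scanning the standard Run keys is an assumption; the script deletes nothing.

```powershell
# Added read-only triage script (not from the original page). Checks a host for the
# indicators listed in the summary: C:\Users\Public\jsc.exe, a .url file in a Startup
# folder, and 192.3.182.92:7006 / kribyrisk.com. Run key locations are an assumption.
$findings = [System.Collections.Generic.List[string]]::new()
$iocPattern = 'jsc\.exe|kribyrisk\.com|192\.3\.182\.92'

# 1. Dropped binary in a world-writable user directory (path from the page)
$dropPath = 'C:\Users\Public\jsc.exe'
if (Test-Path -LiteralPath $dropPath) {
    $h = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings.Add("File present: $dropPath (SHA256 $h)")
}

# 2. .url shortcuts in the per-user and all-users Startup folders; flag any whose
#    body references the dropped binary or the C2 indicators, list the rest for review
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.url' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $body = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($body -match $iocPattern) {
            $findings.Add("Startup .url references IoC: $($_.FullName)")
        } else {
            $findings.Add("Review manually (unexpected .url in Startup): $($_.FullName)")
        }
      }
}

# 3. Standard Run keys (assumed location; the page only says "registry keys")
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $iocPattern) {
            $findings.Add("Run key entry references IoC: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. Live connections to the C2 address and cached DNS lookups for the C2 domain
Get-NetTCPConnection -RemoteAddress '192.3.182.92' -ErrorAction SilentlyContinue |
  ForEach-Object { $findings.Add("TCP to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)") }
Get-DnsClientCache -ErrorAction SilentlyContinue |
  Where-Object { $_.Entry -like '*kribyrisk.com*' } |
  ForEach-Object { $findings.Add("DNS cache entry for C2 domain: $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) { 'No XWorm.A indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session so the HKLM Run key and all-users Startup folder are readable; any line it prints is a candidate for the removal step above, and a PID in the TCP finding tells you which process to inspect in Autoruns or Task Manager.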
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.