XWorm is a remote access trojan (RAT) distributed under a malware-as-a-service model and has been linked to the ClickFix campaign. Known for its stealth and versatility, XWorm enables attackers to gather sensitive data, hijack Metamask and Telegram sessions, and monitor user activity on compromised Windows devices. The malware typically spreads through phishing emails containing harmful links or attachments. Once deployed, it ensures persistence through startup entries, obfuscates its components to evade detection, and communicates with threat actor infrastructure via designated command-and-control (C2) servers.

Trojan:Win64/Xworm!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.M!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.A!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.AH!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.DA!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GV!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GM!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.MX!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

XWorm is a remote access trojan (RAT) distributed under a malware-as-a-service model and has been linked to the ClickFix campaign. Known for its stealth and versatility, XWorm allows threat actors to gather sensitive data, hijack Metamask and Telegram sessions, and monitor user activity on compromised Windows devices. 

The XWorm spreads through phishing emails containing harmful links or attachments. Once deployed, it ensures persistence through startup entries, obfuscates its components to evade detection, and communicates with threat actor infrastructure via designated command-and-control (C2) servers. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.EB!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GPA!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GVA!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GZK!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GZM!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.GXF!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.AXM!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.ZAP!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family. 

Trojan:Win64/XWorm.CVL!MTB is a multi-functional malware-as-a-service remote access trojan (RAT) linked to ClickFix campaign that establishes persistence on Windows devices. This is done by creating files in user directories like C:\Users\Public\jsc.exe and placing a malicious .url file in the Startup folder. It modifies Windows Registry keys to maintain control and communicates with its command-and-control infrastructure, including the IP address 192[.]3.182.92[:]7006 and domain kribyrisk[.]com. The XWorm’s capabilities include launching remote commands for Windows shutdown, keylogging, screen capture, DDoS attacks, and downloading additional payloads, providing threat actors with comprehensive control over infected devices. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying solely on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the XWorm family.