Republic of the Philippines
National Police Commission
Camp BGen Rafael T Crame, Quezon City
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

ACG-CYBER SECURITY BULLETIN NR 323:  XWorm: The RAT Malware with Ransomware Capabilities

Reference Number ACG-CSB 120523323

   The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200- 012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

XWorm is a Remote Access Trojan (RAT) malware, specifically targeting Windows operating systems. These RATs are downloaded discretely without the victim's knowledge, typically through seemingly legitimate software downloads as well as file attachments in emails. A deceived victim would open the attachment, click on the embedded URL, and launch the downloaded script. This is done by hackers to gain unauthorized access to the computers of the targeted person.

From there on, it will establish a connection with the command-and-control (C2) server, followed by downloading the malicious code to gather the system information of the victim which will be utilized for subsequent actions. Then it will utilize URL redirects to multilayer distribution with obfuscated PowerShell codes to deliver XWorm RAT payloads. One of its payloads includes hardcoded cryptocurrency coins within a file to take over and replace legitimate cryptocurrency addresses with fraudulent ones, consequently allowing the theft of crypto coins from victims. 

Additionally, the malware has an embedded PowerShell script which is responsible for bypassing Antimalware Scan Interface (AMSI) and proceeds to disable the Microsoft Windows Defender service. This allows the creation of Windows users to be added to the Remote Desktop Users group and log in via Remote Desktop Protocol, thus the hacker is now in the system. Apart from having authority over User Account Control (UAC), it can also enable and disable the Task Manager, Firewall, system updates, and invoke Blue Screen of Death (BSoD). Furthermore, the XWorm RAT has been observed by researchers to have encryption and decryption on its payload which gives them the ability to be a ransomware.

Immediately following its execution, the malware sleeps for one second, and then verifies for emulators, sandbox environments, debuggers, and mutexes. Should any of these requirements not be fulfilled, it will terminate. This malware has a well-developed process with multiple stages. It is distributed using a multi-layered approach and utilizing legitimate websites, as well as obfuscated PowerShell scripts to evade detection and make analysis more difficult. This simply implies that this distribution method is quite advanced.  

Cybersecurity researchers have uncovered a persistent phishing effort that uses a special attack sequence to infect targeted devices with the XWorm malware. The experts have noted that the activity cluster has been discovered to target manufacturing enterprises and healthcare facilities. This malware is sophisticated and persistent, highlighting the importance of strong security measures to protect against such threats. Victims of XWorm may experience financial loss, data encryption, and additional malware infections. Incorporating rapid data recovery into multilayered security provides more robust protection against ransomware schemes that exploit.


The public is advised to follow these tips to avoid being a victim of XWorm RAT Malware attacks:

  • Be cautious with emails from unfamiliar senders, especially those with suspicious attachments or links;
  • Only open attachments or click on links from trusted sources;
  • Install reputable antivirus or anti-malware software on your computer and keep it up to date;
  • Regularly update your operating system and software with the latest security patches; and
  • Deploy additional process-level logging for additional log detection coverage.

For additional information, please refer to the following websites:



            Please contact PMAJ LESLIE P JALLORINA, Police Community Relations Officer, thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us by telephone number (632) 723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.