Netskope reveals XWorm V6: evasion and AMSI bypass
A recent Netskope Threat Labs blog post analyzes version 6.0 of the XWorm malware, documenting its new capabilities and its continued development. The update matters to anyone responsible for malware defenses on Windows endpoints, not only to IT decision-makers.
Key Findings
The new variant shows that XWorm remains under active development and is likely to appear in campaigns soon. Version 6.0 adds features aimed specifically at evasion and persistence, improving its ability to stay undetected on a compromised host.
The updated variant also introduces a new way to bypass the Antimalware Scan Interface (AMSI): it patches the in-memory image of CLR.DLL so that PowerShell content is never handed to AMSI for scanning.
VBScript Dropper
The infection starts with a VBScript file, most likely delivered through social engineering. The script reassembles an obfuscated payload, which then carries out the malicious actions, including downloading further scripts.
The dropped VBScript runs commands that strip its own metadata, launch PowerShell scripts, and set up persistence by writing registry entries.
Persistence
To survive a reboot, XWorm 6.0 copies itself into specific folders and adds registry entries so that the copy is launched at system startup. This is a change from earlier versions, which relied on scheduled tasks for persistence.
The client builder lets the operator choose the persistence method, so other techniques should be expected in future variants.
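To hunt for the registry-based persistence described above, here is an added PowerShell example of my own; it is not code from the Netskope post. The Run/RunOnce key list is standard Windows; the path and script-host heuristics used for triage are my assumptions, not indicators published by Netskope.

```powershell
# Added hunting example (not from the Netskope post). Lists Run/RunOnce values
# and flags those that look like script- or user-folder-based persistence.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Triage heuristics (assumptions, not Netskope indicators): autoruns that start
# from user-writable folders or through a script host deserve a closer look.
$SuspiciousPathPatterns = @('\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Users\\Public\\', '\\Downloads\\')
$ScriptHosts            = @('wscript', 'cscript', 'powershell', 'pwsh', 'mshta', 'regsvr32', 'rundll32')
$ProviderProps          = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty adds to every object.
            if ($prop.Name -in $ProviderProps) { continue }
            $command = [string]$prop.Value
            $reasons = New-Object System.Collections.Generic.List[string]
            foreach ($pattern in $SuspiciousPathPatterns) {
                if ($command -match $pattern) { $reasons.Add("path matches $pattern") }
            }
            foreach ($hostName in $ScriptHosts) {
                # Match the host as a whole token, with or without .exe, quoted or not.
                $hostPattern = '(^|\\|\s|")' + $hostName + '(\.exe)?(\s|"|$)'
                if ($command -match $hostPattern) { $reasons.Add("script host $hostName") }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $command
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the HKLM keys are readable. Every hit still needs a look at the referenced file (hash, signer, creation time); the heuristics only narrow the list, and a legitimate installer can trip them.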
AMSI Bypass Through CLR.DLL Patching
The PowerShell script bypasses AMSI by patching the in-memory image of CLR.DLL rather than AMSI.DLL itself: it overwrites specific strings that the CLR uses when invoking AMSI, so the CLR's calls into the scanner fail and the script content is never inspected. Because the usual AMSI.DLL patch signatures are not touched, the technique is harder to spot with existing detections.
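Two checks a responder can run against that technique, as an added PowerShell example of my own (not code from the Netskope post): a runtime test of whether AMSI still delivers verdicts in the current PowerShell session, and a sweep of script-block logs (event 4104) for the primitives an in-memory CLR.DLL patcher needs. The indicator list and the "three or more" threshold are my own heuristics, not Netskope signatures; the test sample string is Microsoft's published AMSI test string.

```powershell
# Added defensive example (not from the Netskope post).
# (1) Is AMSI still returning verdicts in this session?
# (2) Do recent script-block logs contain the building blocks of a CLR.DLL/AMSI patch?

function Test-AmsiActive {
    # Microsoft's AMSI test sample: any registered provider must flag it. The string
    # is assembled at runtime so that this file itself is not blocked when loaded.
    $sample = 'AMSI Test ' + 'Sample: ' + '7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
    try {
        Invoke-Expression ("'" + $sample + "'") | Out-Null
        # No provider objected: AMSI is patched out, or no provider is registered.
        return $false
    } catch {
        if ($_.Exception.Message -match 'malicious content') { return $true }
        throw
    }
}

function Find-AmsiPatchScriptBlocks {
    param([int]$MaxEvents = 5000)
    # Primitives a CLR.DLL patcher typically needs (heuristic list, my assumption);
    # three or more in one script block is treated as a strong signal.
    $indicators = @('clr\.dll', 'amsi', 'VirtualProtect', 'GetProcAddress', 'GetModuleHandle',
                    'Marshal\]::(Copy|WriteByte|WriteInt)', 'kernel32', 'FromBase64String')
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value      # ScriptBlockText
        $hits = @($indicators | Where-Object { $text -match $_ })
        if ($hits.Count -ge 3) {
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Hits          = ($hits -join ', ')
                Preview       = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

"AMSI active in this session: $(Test-AmsiActive)"
Find-AmsiPatchScriptBlocks | Format-Table -AutoSize -Wrap
```

Test-AmsiActive only proves something about the process it runs in; a bypass applied in the attacker's PowerShell process leaves a fresh session untouched, which is why the log sweep matters. The 4104 search assumes script block logging is enabled (PowerShell still logs blocks it considers suspicious even when it is not, but coverage is far better with it on), and a positive from Test-AmsiActive requires a registered AMSI provider such as Microsoft Defender.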
XWorm V6.0
This version keeps its core operational framework while adding enhancements. Notably, its configuration is now stored as a Base64-encoded string rather than retrieved dynamically, and the analyzed build uses a single static C2 server.
XWorm Running as a Critical Process
When it holds administrative rights, XWorm can mark its own process as critical. Windows treats the termination of a critical process as a fatal error and crashes the system, so killing the malware becomes a risky operation for an analyst or an unprivileged user. The malware first checks whether it is running elevated and then enables the Windows privilege it needs before setting the flag.
Anti-Analysis
New anti-analysis checks have been added; for instance, the malware exits if it finds itself running on an older Windows version, possibly to avoid analysis environments built on older OS images.
Netskope Detection
Netskope has provided detection capabilities for this evolving threat through its advanced threat protection services.
Conclusions
The latest version of XWorm brings new characteristics, such as critical-process marking and the CLR.DLL-based AMSI bypass, which underline the need for detections that do not depend on the older, well-known bypass patterns. These findings should help defenders recognize and contain XWorm in their networks.
IOCs
Indicators of Compromise (IOC) related to XWorm can be accessed in the Netskope GitHub repository, which houses relevant scripts and IOCs.