XWorm 3.1 distinguishes itself from previous iterations (such as 2.2 or 3.0) by moving away from easily detectable HTTP/HTTPS C2 communication in favor of more robust TCP and WebSocket protocols, coupled with heavy obfuscation in its delivery mechanism. It is frequently observed being dropped by weaponized Office documents (Excel 4.0 Macros) or bundled with "cracked" software installers.

XWorm 3.1 rarely arrives as a standalone executable. Attackers typically deploy it via:

Once the macro is enabled, a PowerShell command is executed to retrieve the payload.

📂 The XWorm 3.1 Infection Lifecycle

[Phishing / Exploit (Follina)] ➔ [Obfuscated .NET Loader] ➔ [Process Hollowing (RegSvcs.exe)] ➔ [XWorm 3.1 Core RAT Engine]

Allows attackers to view and record the victim's screen in real-time.

For evasion:

It checks for installed antivirus products and attempts to bypass User Account Control (UAC) to run with administrative privileges.