Netskope Threat Labs Uncovers New XWorm’s Stealthy Techniques
ID: 4fef4ee7-f72f-52a3-b28e-86cc3ba428d7
STIX ID: report--4fef4ee7-f72f-52a3-b28e-86cc3ba428d7
Feed Name: Netskope Threat Labs
Netskope Threat Labs provides a technical breakdown of XWorm v5.6, a .NET backdoor deployed via a WSF/PowerShell infection chain that uses reflective DLL loading (NewPE2) to inject XWorm into a legitimate RegSvcs.exe process, establishes a TCP socket C2 (ziadonfire.work.gd:7000), maintains persistence via a scheduled task, notifies attackers via Telegram, and exposes capabilities such as host reconnaissance, screenshot capture, hosts file modification, plugin management (including removal), and DDoS functionality, alongside IOCs and recommended detections.
