
Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

ID: 86aee8b6-c002-5aa3-b411-a135e5365deb

STIX ID: report--86aee8b6-c002-5aa3-b411-a135e5365deb

Feed Name: Hunt.io Blog

Threat Score
65/100

Date Published: 2026-02-16

Date Updated: 2026-04-28

...
...

This report documents the discovery of XWorm RAT instances hosted in publicly exposed open directories. The operators disguise payloads as legitimate software (e.g., chrome.exe, SecurityHealthService.exe) and use accompanying scripts to disable Windows Defender and exfiltrate data, notably to Telegram. The post catalogs samples and network observables (IP addresses, filenames), highlights operational patterns such as shared SSH keys and test artifacts, and offers detection and prevention recommendations, including monitoring open directories, reputation checks, and endpoint hardening.
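One way to act on the "monitor open directories" recommendation is to triage a directory listing automatically: pull the linked filenames out of an autoindex-style page and flag executables that carry the names of legitimate Windows or browser binaries, plus any scripts sitting next to them. The following is an added example written for this page, not code from the Hunt.io report. The directory listing is constructed inline, and the masquerade name list extends the two names the summary mentions with a few other common targets (an assumption, not something the report states).

```python
from html.parser import HTMLParser
from typing import Dict, List

# Legitimate binary names that XWorm payloads were disguised as per the summary
# (chrome.exe, SecurityHealthService.exe), extended with two other frequently
# abused names. The extension is an assumption, not from the report.
MASQUERADE_NAMES = {
    "chrome.exe",
    "securityhealthservice.exe",
    "svchost.exe",   # assumption
    "explorer.exe",  # assumption
}

# Script types worth a look when they sit beside an EXE in an open directory
# (the report describes scripts used to disable Defender and exfiltrate data).
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs")

# Constructed sample of an Apache/nginx-style "Index of" page (not a real host).
SAMPLE_INDEX = """<html><head><title>Index of /files</title></head><body>
<h1>Index of /files</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">../</a>
<a href="chrome.exe">chrome.exe</a>                       2026-02-10 12:01   412K
<a href="SecurityHealthService.exe">SecurityHealthService.exe</a> 2026-02-10 12:02   398K
<a href="setup.bat">setup.bat</a>                       2026-02-10 12:02   1.2K
<a href="test/">test/</a>
<a href="notes.txt">notes.txt</a>                       2026-02-10 12:03   0.4K
</pre></body></html>"""


class _IndexLinkParser(HTMLParser):
    """Collect href targets from an autoindex-style directory listing."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_filenames(index_html: str) -> List[str]:
    """Return plain file names from a listing, dropping sort links,
    the parent-directory link, sub-directories and absolute URLs."""
    parser = _IndexLinkParser()
    parser.feed(index_html)
    names: List[str] = []
    for href in parser.hrefs:
        if href.startswith("?") or href in ("../", "/") or href.endswith("/") or "://" in href:
            continue
        names.append(href.rsplit("/", 1)[-1])
    return names


def triage_listing(index_html: str) -> Dict[str, List[str]]:
    """Bucket the files in a listing into masquerading executables,
    scripts, and everything else."""
    findings: Dict[str, List[str]] = {"masquerade_exe": [], "scripts": [], "other": []}
    for name in extract_filenames(index_html):
        low = name.lower()
        if low in MASQUERADE_NAMES:
            findings["masquerade_exe"].append(name)
        elif low.endswith(SCRIPT_EXTS):
            findings["scripts"].append(name)
        else:
            findings["other"].append(name)
    return findings


def prioritize(findings: Dict[str, List[str]]) -> str:
    """A masquerading EXE beside a script is the pattern described in the
    report, so it ranks highest; an EXE alone still merits a look."""
    if findings["masquerade_exe"] and findings["scripts"]:
        return "high"
    if findings["masquerade_exe"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = triage_listing(SAMPLE_INDEX)
    print(result)
    print("priority:", prioritize(result))
```

In practice the listing HTML would come from a crawler or from a scanning service's stored page captures; the name list should be tuned to the binaries your environment actually ships, and a hit on a masquerade name is a prompt to pull the sample for hashing and reputation checks, not a verdict on its own.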
