Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4
ID: c18b14f9-fa5b-5b53-ac51-07e157d447c4
STIX ID: report--c18b14f9-fa5b-5b53-ac51-07e157d447c4
Feed Name: HackRead
Researchers at Point Wild report a campaign delivering XWorm v7.4 through PyInstaller-compiled payloads that use in-memory AMSI patching (which blinds script scanning only inside the patched process, so disk-based scanning and EDR telemetry are the remaining detection points), fake anti-analysis routines, and encrypted embedded payloads to evade detection. The loader unpacks to %LOCALAPPDATA% as Win.Kernel_Svc_AJ8iOw.exe, establishes an AES-encrypted C2 channel to 68.219.64.89:4444, and provides remote-access capabilities including password theft, file scanning and exfiltration, webcam activation, DDoS, and dropping a secondary payload, afacan313131.exe. IOCs: BA4Q6ACPMNrd980FwZn9iEbEqkjvRmw7FhW.pyc, Win.Kernel_Svc_AJ8iOw.exe, afacan313131.exe, and the C2 endpoint 68.219.64.89:4444.
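Because the first stage is a PyInstaller bundle, the embedded .pyc named in the IOCs can be recovered and triaged offline without running the sample. The script below is an added example written for this page, not Point Wild's or HackRead's tooling: it locates the PyInstaller CArchive cookie at the tail of an executable, walks the table of contents, decompresses each entry, and flags entries whose names look machine-generated, which is how the random-looking .pyc above would surface. The cookie and TOC layouts are PyInstaller's real CArchive format; the naming heuristic, its thresholds, and the sample archive built inline (with a name borrowed from the IOC list) are constructed for this example.

```python
"""Offline triage of a PyInstaller-built executable: parse the CArchive appended
to the PE, list embedded entries and flag random-looking names.
Added example; the sample archive below is constructed, not bytes from the dropper."""
import math
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"           # 8-byte cookie magic at the end of the archive
COOKIE_FMT = "!8sIIIi64s"                     # magic, archive len, TOC offset, TOC len, python ver, pylib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)      # 88 bytes (PyInstaller >= 2.1)
ENTRY_FMT = "!iIIIBc"                         # entry len, data offset, compressed len, uncompressed len, zlib flag, type code
ENTRY_HDR_LEN = struct.calcsize(ENTRY_FMT)    # 18 bytes, followed by a NUL-terminated, 16-aligned name

TYPE_CODES = {b"b": "binary", b"z": "pyz", b"s": "script", b"m": "module",
              b"x": "data", b"M": "package", b"o": "option", b"l": "splash"}


def build_archive(entries, pyver=311, pylib=b"python311.dll"):
    """Write a minimal CArchive ([data][TOC][cookie]) so the parser can be exercised offline.
    Offsets in the TOC are relative to the start of the archive, as PyInstaller writes them."""
    data, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        blob = zlib.compress(payload) if compress else payload
        nm = name.encode() + b"\0"
        entry_len = ENTRY_HDR_LEN + len(nm)
        pad = (16 - entry_len % 16) % 16
        toc += struct.pack(ENTRY_FMT, entry_len + pad, len(data), len(blob), len(payload),
                           int(compress), typecode) + nm + b"\0" * pad
        data += blob
    toc_pos = len(data)
    arch_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, arch_len, toc_pos, len(toc), pyver, pylib.ljust(64, b"\0"))
    return bytes(data + toc + cookie)


def parse_archive(blob):
    """Find the cookie (searched backwards, since an Authenticode signature may follow it),
    derive the archive start, and decode every TOC entry including its inflated payload."""
    pos = blob.rfind(MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _magic, arch_len, toc_pos, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_LEN])
    arch_start = pos + COOKIE_LEN - arch_len   # archive sits after the PE image / overlay
    toc = blob[arch_start + toc_pos: arch_start + toc_pos + toc_len]
    entries, off = [], 0
    while off + ENTRY_HDR_LEN <= len(toc):
        entry_len, data_off, clen, ulen, zflag, typecode = struct.unpack(ENTRY_FMT, toc[off:off + ENTRY_HDR_LEN])
        if entry_len < ENTRY_HDR_LEN:
            raise ValueError("corrupt TOC entry")
        name = toc[off + ENTRY_HDR_LEN: off + entry_len].split(b"\0", 1)[0].decode("utf-8", "replace")
        raw = blob[arch_start + data_off: arch_start + data_off + clen]
        entries.append({"name": name, "type": TYPE_CODES.get(typecode, typecode.decode()),
                        "compressed": bool(zflag), "size": ulen,
                        "data": zlib.decompress(raw) if zflag else raw})
        off += entry_len
    return {"python": pyver, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def shannon_entropy(s):
    """Bits per character of a string; ~4.8 for a 35-char mixed-case alphanumeric name."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def suspicious_entries(archive, min_len=20, min_entropy=4.2):
    """Constructed triage heuristic (not a signature): flag entries whose file stem is long,
    high-entropy and mixes case with digits, the shape of a generated name."""
    hits = []
    for e in archive["entries"]:
        stem = e["name"].rsplit(".", 1)[0].rsplit("/", 1)[-1]
        if (len(stem) >= min_len and any(c.isdigit() for c in stem)
                and stem != stem.lower() and shannon_entropy(stem) >= min_entropy):
            hits.append(e["name"])
    return hits


# Constructed sample: a fake PE header plus a tiny archive carrying a runtime hook,
# a script entry named like the reported .pyc, and a PYZ archive entry.
SAMPLE_ENTRIES = [
    ("pyi_rth_inspect", b"m", b"# runtime hook\n", True),
    ("BA4Q6ACPMNrd980FwZn9iEbEqkjvRmw7FhW", b"s", b"\x00" * 64, True),
    ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\x01" * 32, False),
]
SAMPLE_EXE = b"MZ" + b"\x90" * 200 + build_archive(SAMPLE_ENTRIES)


def triage(blob=SAMPLE_EXE):
    """Return the Python version, every embedded entry name, and the flagged names."""
    arc = parse_archive(blob)
    return {"python": arc["python"], "names": [e["name"] for e in arc["entries"]],
            "suspicious": suspicious_entries(arc)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it against a real sample by reading the dropper into `triage(open(path, "rb").read())`; a flagged script or module entry can then be written out as a .pyc (prepend the header for the Python version the cookie reports) and decompiled or disassembled, which is where the AMSI patching and C2 configuration would be examined.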
