Xworm V31 Updated


Xworm v31 Updated: What’s New?

In a significant move to enhance user experience and functionality, the developers behind Xworm have announced the release of Xworm v31. This latest version comes with a slew of updates and improvements aimed at both new users and long-time enthusiasts of the software.

Key Features of Xworm v31

The v31 update of Xworm introduces several key features and improvements:

  1. Enhanced Performance: The update boasts significant performance enhancements, ensuring that Xworm operates more smoothly and efficiently. Users can expect faster load times and a more responsive interface.

  2. Security Updates: With the digital landscape constantly evolving, security remains a top priority. Xworm v31 includes the latest security patches and features designed to protect user data and ensure safe operation.

  3. New User Interface: The user interface has received a makeover, making it more intuitive and user-friendly. The new design aims to streamline navigation and make it easier for users to access the features they need.

  4. Additional Features: [Here, specify any new features being introduced, such as improved compatibility with certain systems, new functionality, or enhanced customization options.]

  5. Bug Fixes: The update addresses several bugs and issues reported by users, providing a more stable and reliable experience.

Network Indicators (Zeek/Suricata)

  • JA3 Signatures: Look for TLS fingerprints associated with XWorm v31. The new handshake uses a unique cipher suite order: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 followed by TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
  • HTTP POST URIs: Requests to /gate.php or /panel/gate.asp with a User-Agent string of Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) – a fake Internet Explorer 11 UA.
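
The HTTP indicators above, applied to Zeek http.log output as an added example (not code from the original page). The log rows, IP addresses, host names and the find_gate_posts helper are constructed for illustration, and matching the User-Agent by exact equality is an assumption.

```python
"""Flag Zeek http.log rows that match the HTTP indicators listed above."""
from urllib.parse import urlsplit

# Indicator values copied from the list above.
GATE_PATHS = {"/gate.php", "/panel/gate.asp"}
FAKE_IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"

# Constructed sample in Zeek TSV layout: documentation IPs, made-up hosts.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent",
    "1700000000.1\t10.0.0.5\t203.0.113.7\tPOST\tc2.example\t/gate.php\t" + FAKE_IE11_UA,
    "1700000001.2\t10.0.0.9\t203.0.113.7\tPOST\tc2.example\t/panel/gate.asp?id=7\t" + FAKE_IE11_UA,
    "1700000002.3\t10.0.0.5\t203.0.113.7\tGET\tc2.example\t/gate.php\t" + FAKE_IE11_UA,
    "1700000003.4\t10.0.0.6\t198.51.100.2\tPOST\tshop.example\t/gate.php\t" + CHROME_UA,
    "1700000004.5\t10.0.0.7\t198.51.100.3\tPOST\tintra.example\t/login.php\t" + FAKE_IE11_UA,
])


def find_gate_posts(log_text):
    """Return (ts, client, host, uri) for rows matching method, path and UA."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the tag
            continue
        if not line or line.startswith("#") or not fields:
            continue  # skip other header/footer lines and blanks
        row = dict(zip(fields, line.split("\t")))
        # Compare the path only, so a query string does not hide a match.
        path = urlsplit(row.get("uri", "")).path.lower()
        if (row.get("method") == "POST" and path in GATE_PATHS
                and row.get("user_agent") == FAKE_IE11_UA):
            hits.append((row.get("ts"), row.get("id.orig_h"),
                         row.get("host"), row.get("uri")))
    return hits


if __name__ == "__main__":
    for hit in find_gate_posts(SAMPLE_LOG):
        print("match:", *hit)
```

Because the parser reads column positions from the #fields header, the same function works on a full http.log with its additional columns.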

What’s New in XWorm v31 (Updated)?

The "Updated" tag attached to v31 is critical. According to reverse engineering of samples captured in the wild (SHA256 hashes beginning with A4F3... and B8C1...), the developers have focused heavily on OPSEC (Operational Security) for the attacker and evasion for the malware.

2. Restrict PowerShell

Implement Constrained Language Mode (CLM) and log all PowerShell scripts (Script Block Logging). XWorm v31’s AMSI bypass fails if PowerShell v7 is used instead of Windows PowerShell 5.1.

Part 1: What is XWorm? A Brief History

Before dissecting the update, it is crucial to understand the baseline. XWorm emerged in 2022 as a .NET-based RAT. Unlike nation-state malware that targets specific entities, XWorm is a "commodity malware"—cheap, effective, and sold openly on Telegram and dark web forums.

The original version featured:

  • Remote desktop control (Hidden Desktop)
  • Keylogging and clipboard hijacking
  • Webcam and microphone capture
  • File management (upload/download/execute)
  • Reverse proxy for network pivoting

Version 3.0 introduced anti-debugging and process hollowing. Now, v3.1 refines these rough edges, making detection by legacy antivirus (AV) solutions nearly impossible without behavioral analysis.