TRENDING TOPICS JULY 07, 2025

Update: XWorm RAT Expands Capabilities with Advanced Loaders, Stagers, and Ransomware Deployment 

The XWorm RAT, a well-known tool in the cybercrime space, has advanced its techniques, combining new stagers and loaders to bypass modern security defenses and expand its reach across Windows environments. Recent campaigns show XWorm working in tandem with AsyncRAT to gain initial access before deploying ransomware payloads built with the leaked LockBit Black builder, which gives the activity tactical similarities to the LockBit ransomware group. Targets include the software supply chain and the gaming industry, approached through phishing emails disguised as business notifications that convince users to open malicious attachments. The attachments arrive in varied formats (PowerShell scripts, VBS files, batch files, .NET executables, JavaScript, and Office macros), each built to evade detection through obfuscation, encryption, and sandbox evasion.

Once executed, the loader chain unpacks its next stage from Base64-encoded, AES-encrypted blobs while disabling security features such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), so that the decrypted code is neither scanned nor traced at runtime. XWorm then profiles the host over Windows Management Instrumentation (WMI), looking for antivirus products, GPU configurations, and video drivers (the latter two are common virtual-machine and sandbox tells). It adds itself to Microsoft Defender's exclusion lists and establishes persistence through registry Run keys, scheduled tasks, and Startup folder shortcuts to survive reboots. Operators control infected machines through command-and-control servers, enabling remote command execution, data exfiltration, keylogging, screenshot capture, and process injection. XWorm also spreads via removable drives and uses DLL side-loading so that its code runs under the cover of a legitimate, often signed, process. Researchers have analyzed over 1,000 malware samples from recent campaigns, demonstrating the threat's scale and evolution.
Defenders are urged to deploy detections for suspicious PowerShell behavior (including the AMSI and ETW tampering and Defender exclusion changes described above), for renamed scripting engines such as powershell.exe or wscript.exe running under another file name, and for irregular command-line activity, so that XWorm infections are uncovered and blocked before ransomware deployment or broader system compromise occurs.
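The detection guidance above (renamed scripting engines, Defender exclusion changes, AMSI and ETW tampering, encoded PowerShell, Run-key and scheduled-task persistence) expressed as rules over process-creation telemetry. This is an added example written for this page, not code from the original article or from any vendor product. The events are constructed in the shape of Sysmon Event ID 1 (Image, OriginalFileName, CommandLine), and the regular expressions, rule names and the "svchost.exe" sample are this example's own choices.

```python
import base64
import re

# PE OriginalFileName values of the scripting engines worth watching for renames.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Behaviours named in the article, expressed as command-line patterns (example's own).
PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "defender_disable": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "amsi_tamper": re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsi\.dll", re.I),
    "etw_tamper": re.compile(r"EtwEventWrite|Set-EtwTraceProvider|logman\s+stop", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    "startup_folder_persistence": re.compile(r"\\Start Menu\\Programs\\Startup", re.I),
    "hidden_or_bypass_flags": re.compile(r"-w(indowstyle)?\s+hidden|-e(xecution)?p(olicy)?\s+bypass", re.I),
}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE text, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> list:
    """Return the names of the rules the event trips, in a stable order."""
    findings = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    # A scripting engine whose PE OriginalFileName does not match its on-disk name.
    if original in SCRIPT_ENGINES and image != original:
        findings.append("renamed_script_engine")
    text = event["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded_command")
        text = text + "\n" + decoded  # scan the decoded stage as well as the wrapper
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            findings.append(name)
    return findings


# Constructed stage for the sample: a Defender exclusion followed by the widely
# published reflective "amsiInitFailed" AMSI tamper. Detection sample only.
STAGE = ('Add-MpPreference -ExclusionPath $env:APPDATA; '
         '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")'
         '.GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)')

# Constructed events; none of this is real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "Image": r"C:\Users\Public\svchost.exe",  # powershell.exe renamed on disk
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "svchost.exe -nop -w hidden -ep bypass -enc " + encode_ps(STAGE)},
    {"id": 3, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v Updater /t REG_SZ /d C:\Users\Public\svchost.exe'},
    {"id": 4, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\svchost.exe"},
]


def scan(events) -> dict:
    """Map event id -> findings for every event that trips at least one rule."""
    return {e["id"]: f for e in events if (f := analyze(e))}


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

The point worth taking from the example is the decode step: XWorm's stagers hide the interesting strings inside Base64 (and, one layer further down, AES), so rules that only inspect the raw command line see a harmless-looking blob. Decoding UTF-16LE Base64 before matching is cheap and recovers the Defender exclusion and AMSI references in event 2; the AES layer needs sandbox or memory telemetry that a command-line rule cannot provide.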

RingReaper Malware Exploits io_uring to Evade Linux EDR Detection 

A newly developed Linux tool called RingReaper uses the io_uring kernel interface to conduct post-exploitation activity that slips past Endpoint Detection and Response (EDR) products built around syscall monitoring. io_uring, introduced in Linux 5.1 to speed up asynchronous I/O, lets a process place operation requests in a shared submission ring and collect results from a completion ring; the kernel carries out the requests itself. RingReaper exploits this: instead of calling open, read, connect and their relatives one at a time, it queues file reads, network sends and receives, and the reconnaissance needed for privilege escalation as ring entries, so the only syscalls that cross the boundary are io_uring_setup, io_uring_register and io_uring_enter, and a single io_uring_enter can carry a whole batch. The result is very little in the audit trail. The tool's design allows it to enumerate processes and users, locate SUID binaries as privilege-escalation candidates, and transfer files without triggering standard EDR alerts, which highlights a growing gap in Linux security: advanced I/O mechanisms have not yet been fully incorporated into defensive monitoring.

Security researchers warn that the emergence of tools like RingReaper marks a turning point in Linux malware development, showing how attackers can abuse legitimate performance features to evade detection. EDR tools that hook or trace individual syscalls such as openat, read and connect do not see these operations, because the work happens in the kernel's io_uring path rather than through those syscalls, and the asynchronous batching dramatically reduces the number of observable security events. Experts recommend monitoring specific to io_uring activity: auditing or tracing the io_uring_setup, io_uring_enter and io_uring_register syscalls, using eBPF or the kernel's io_uring tracepoints to see the individual operations submitted to a ring, and treating io_uring use by processes that have no business with it as a signal in its own right. Where a host does not need io_uring at all, it can be turned off with the kernel.io_uring_disabled sysctl (Linux 6.6 and later) or blocked with a seccomp profile. Organizations should put these controls in place before RingReaper-style tactics become widespread in Linux-targeted attacks.
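What "monitoring specific to io_uring activity" can look like at the audit-log level, as an added example for this page (not part of the original report and not RingReaper's code): an auditd rule on the three io_uring syscalls, a parser for the resulting SYSCALL records and for the per-operation URINGOP records that kernels 5.16 and later can emit, and a flagging step. The log lines, the "svc-health" binary and the allowlist are constructed for the example; the syscall numbers are the x86_64 values and the IORING_OP_* numbers come from the kernel's uapi header.

```python
import re
from collections import defaultdict

# Matching auditd rule (needs an audit userspace whose syscall table knows io_uring):
#   auditctl -a always,exit -F arch=b64 -S io_uring_setup,io_uring_enter,io_uring_register -k io_uring
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}  # x86_64
# Subset of IORING_OP_* (include/uapi/linux/io_uring.h) used to name URINGOP records.
URING_OPS = {1: "readv", 9: "sendmsg", 10: "recvmsg", 13: "accept", 16: "connect",
             18: "openat", 22: "read", 23: "write", 26: "send", 27: "recv"}
NETWORK_OPS = {"accept", "connect", "send", "sendmsg", "recv", "recvmsg"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed per-host allowlist of binaries expected to use io_uring legitimately.
ALLOWLIST = {"/usr/bin/fio"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit record into a key=value dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def summarize(log_text: str) -> dict:
    """Per-pid io_uring activity: exe, io_uring_* syscall counts and ring op counts."""
    procs = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        pid = rec.get("pid")
        if rec.get("type") == "SYSCALL" and rec.get("arch") == "c000003e":
            name = IO_URING_SYSCALLS.get(int(rec.get("syscall", -1)))
            if name is None:
                continue  # an ordinary syscall; not our concern here
            p = procs.setdefault(pid, {"exe": rec.get("exe"),
                                       "syscalls": defaultdict(int), "ops": defaultdict(int)})
            p["syscalls"][name] += 1
        elif rec.get("type") == "URINGOP":
            # One record per operation the kernel executed from the ring (5.16+).
            op = int(rec["uring_op"])
            p = procs.setdefault(pid, {"exe": rec.get("exe"),
                                       "syscalls": defaultdict(int), "ops": defaultdict(int)})
            p["ops"][URING_OPS.get(op, f"op{op}")] += 1
    return procs


def flag(procs: dict) -> dict:
    """Return pid -> reasons for every non-allowlisted process that touched io_uring."""
    alerts = {}
    for pid, p in procs.items():
        if p["exe"] in ALLOWLIST:
            continue
        reasons = [f"io_uring used by non-allowlisted binary {p['exe']}"]
        if p["exe"] and p["exe"].startswith(WORLD_WRITABLE):
            reasons.append("binary runs from a world-writable path")
        net = sorted(NETWORK_OPS & set(p["ops"]))
        if net:
            reasons.append("network I/O submitted through the ring: " + ", ".join(net))
        if p["syscalls"].get("io_uring_enter") and not p["ops"]:
            reasons.append("submissions seen but no URINGOP records (kernel < 5.16 or op auditing off)")
        alerts[pid] = reasons
    return alerts


# Constructed audit records. The URINGOP lines follow the field layout of the
# SYSCALL record; nothing here is real RingReaper telemetry.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1751900000.101:2001): arch=c000003e syscall=425 success=yes exit=5 items=0 ppid=900 pid=4242 auid=1000 uid=1000 comm="svc-health" exe="/dev/shm/svc-health" key="io_uring"
type=SYSCALL msg=audit(1751900000.102:2002): arch=c000003e syscall=427 success=yes exit=0 items=0 ppid=900 pid=4242 auid=1000 uid=1000 comm="svc-health" exe="/dev/shm/svc-health" key="io_uring"
type=SYSCALL msg=audit(1751900000.103:2003): arch=c000003e syscall=426 success=yes exit=12 items=0 ppid=900 pid=4242 auid=1000 uid=1000 comm="svc-health" exe="/dev/shm/svc-health" key="io_uring"
type=URINGOP msg=audit(1751900000.103:2003): uring_op=18 success=yes exit=0 items=0 ppid=900 pid=4242 uid=1000 comm="svc-health" exe="/dev/shm/svc-health"
type=URINGOP msg=audit(1751900000.103:2003): uring_op=16 success=yes exit=0 items=0 ppid=900 pid=4242 uid=1000 comm="svc-health" exe="/dev/shm/svc-health"
type=SYSCALL msg=audit(1751900000.200:2004): arch=c000003e syscall=425 success=yes exit=7 items=0 ppid=1 pid=1337 auid=4294967295 uid=0 comm="fio" exe="/usr/bin/fio" key="io_uring"
type=SYSCALL msg=audit(1751900000.201:2005): arch=c000003e syscall=426 success=yes exit=1 items=0 ppid=1 pid=1337 auid=4294967295 uid=0 comm="fio" exe="/usr/bin/fio" key="io_uring"
type=SYSCALL msg=audit(1751900000.300:2006): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=2000 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="files"
"""

if __name__ == "__main__":
    for pid, reasons in flag(summarize(SAMPLE_AUDIT_LOG)).items():
        print(pid, "|", "; ".join(reasons))
```

Two caveats the example makes visible. First, the syscall count undercounts: pid 4242 performed an openat and a connect but made one io_uring_enter call, so a detection keyed only on that syscall sees one event, which is exactly the reduction in observable events the report describes; the URINGOP records (or the tracepoints under /sys/kernel/tracing/events/io_uring/) are what restore per-operation visibility. Second, the allowlist matters: io_uring has legitimate heavy users, so the useful signal is a binary that has no reason to use it, especially one running from a world-writable path.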

Update: Cybercriminals Abuse Windows Driver Signing to Deploy Kernel-Level Malware at Scale 

Cybercriminal groups are abusing Microsoft's Windows driver-signing processes to deploy kernel-level malware, gaining deep control over infected systems while bypassing standard security defenses, since kernel-mode code signing is the control meant to keep untrusted code out of ring 0. Investigations have uncovered over 620 malicious drivers and 80 compromised certificates since 2020, with attackers abusing the Windows Hardware Compatibility Program (WHCP) and Extended Validation (EV) code-signing certificates to make their drivers appear legitimate; the two are linked, because an EV certificate is what a company needs to register a Hardware Dev Center account and submit drivers for Microsoft attestation signing. Many of these malicious drivers function as first-stage loaders, pulling additional payloads from command-and-control servers to build complex attack chains. Threat activity spiked in 2022, with over 250 malicious drivers and dozens of fake developer accounts identified; industry response and Microsoft's revocations have since reduced the volume. Even so, cybercriminals continue to exploit the market for fraudulent EV certificates, often issued to shell companies, which makes the abuse hard to detect through traditional certificate validation: the signature chains to a trusted root and the certificate is valid until someone revokes it. On the technical front, malware families such as POORTRY and Blackmoon have evolved their techniques, using signed kernel drivers to load unsigned components, disable endpoint protection, and deploy ransomware payloads. Chinese-speaking threat actors are heavily involved, with analysis linking many of the compromised certificates and WHCP accounts to entities based in China. Campaigns such as FiveSys have specifically targeted the Chinese gaming industry, abusing Microsoft-issued WHCP signatures to evade detection. Microsoft has taken defensive actions, including expanding the Vulnerable Driver Blocklist in Windows 11 and revoking certificates that have been abused, but these measures are reactive: a driver is blocked only after it has been found in the wild.
Security researchers warn that unless stronger identity validation for EV certificate issuance is enforced, such as verifying the applicant's physical presence and the existence of the business, attackers will continue to exploit this supply-chain weakness to deploy stealthy, kernel-level malware across enterprise environments.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.