Xworm 3.1 Review

The malware actively attempts to disable Windows security features. It can patch the AmsiScanBuffer() function in memory to bypass the Antimalware Scan Interface (AMSI) and deactivate Event Tracing for Windows (ETW) by targeting EtwEventWrite(), effectively hiding its activity from security logs. It also modifies Microsoft Defender settings, adding its own file paths and processes to exclusion lists to prevent scanning.

and schedules a task (often named "Nafifas") to run every minute. It checks for antivirus products in the root\SecurityCenter2

In a notable campaign, attackers deployed XWorm alongside AsyncRAT as initial-stage malware to establish footholds, then delivered ransomware payloads created with the leaked LockBit Black builder.

If you suspect an XWorm 3.1 infection:

Silently records all keystrokes to steal passwords, financial information, and personal messages.

What makes XWorm 3.1 particularly dangerous is its Swiss-army-knife functionality. It combines the stealth of an information stealer with the destructive control of a botnet agent.

This version is noted for its modular architecture and stealthy execution, often utilized in high-profile phishing campaigns like MEME#4CHAN.

(based on version 3.1 documentation and analysis):
