A new XWorm wave is described as multi-technology malware that keeps spreading even though the family is not new. The diary notes that the JavaScript is obfuscated and drops a PowerShell script in the temporary directory (C:\Temp\ps_5uGUQcco8t5W_1772542824586.ps1) before loading another payload that invokes PowerShell in memory.
The final payload is XOR-encrypted but not fully obfuscated; it contains a DLL exporting a function called "ProcessHollowing" that acts as a loader and injects the XWorm client into the .NET compiler process. The extracted config lists the C2 address 204.10.160[.]190:7003, an install file named USB[.]exe, an AES key, a mutex, and the version XWorm V6.4; the IOCs include several file hashes and names such as payload[.]exe (XWorm) and MAD[.]dll.
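The two observable stages above, a PowerShell script dropped under C:\Temp with a random-token-plus-timestamp name and an XOR-encrypted payload carrying a PE, both lend themselves to simple triage checks. The script below is an added example written for this summary, not code from the diary or from the XWorm analysis: it flags dropped-file paths that follow the naming pattern seen in the diary and brute-forces a single-byte XOR key to locate a PE hidden inside a blob. The single-byte key length, the constructed blob and the fake PE header are assumptions made for illustration; the diary does not state the key length used by the real payload.

```python
import re

# Path pattern derived from the diary's example drop name:
# <drive>:\Temp\ps_<alphanumeric token>_<13-digit epoch-ms>.ps1
DROP_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Temp\\ps_[A-Za-z0-9]+_\d{13}\.ps1$", re.IGNORECASE
)

# Known plaintext present in nearly every PE file's DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode"


def is_suspicious_ps_drop(path: str) -> bool:
    """True if a file path matches the dropper's PowerShell naming scheme."""
    return bool(DROP_PATH_RE.match(path))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_pe(blob: bytes):
    """Brute-force a single-byte XOR key (assumption: 1-byte key) and return
    (key, offset) of an embedded PE, or None if no candidate validates.

    A candidate is accepted only if the decoded bytes show an "MZ" header whose
    e_lfanew field points at a "PE\\0\\0" signature and the DOS stub string
    appears shortly after the header, which rules out chance "MZ" hits.
    """
    for key in range(256):
        decoded = xor_bytes(blob, key)
        idx = decoded.find(b"MZ")
        while idx != -1:
            if idx + 0x40 <= len(decoded):
                e_lfanew = int.from_bytes(decoded[idx + 0x3C:idx + 0x40], "little")
                pe_off = idx + e_lfanew
                if (decoded[pe_off:pe_off + 4] == b"PE\0\0"
                        and DOS_STUB in decoded[idx:idx + 0x100]):
                    return key, idx
            idx = decoded.find(b"MZ", idx + 1)
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like header used only as sample input."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE signature
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 64


# Constructed sample: 16 junk bytes followed by the fake PE XOR-encoded with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(range(16)) + xor_bytes(build_fake_pe(), SAMPLE_KEY)


if __name__ == "__main__":
    print(is_suspicious_ps_drop(r"C:\Temp\ps_5uGUQcco8t5W_1772542824586.ps1"))
    print(find_single_byte_xor_pe(SAMPLE_BLOB))
```

The PE validation deliberately requires both a consistent e_lfanew pointer and the DOS stub string; checking for "MZ" alone produces false hits on almost any key. For a multi-byte key the same known-plaintext idea applies, but the search would have to derive the key from the expected header bytes rather than iterate over 256 candidates.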
The author notes that the C2 IP address is the same one seen in a previous diary, framing this as part of an ongoing XWorm campaign. The post, by Xavier Mertens, was published on 4 March 2026 and links to a Malpedia entry and a prior SANS ISC diary.