A global threat intelligence provider studied Evilcoder, a project meant for selling malicious tools to execute malicious HNVC modules and ransomware attacks online. Furthermore, it was found distributing XWorm RAT.

What was found?

Under the project, a malware developer was seen selling tools to create malware, hide existing malware, and bypass UAC checks while also advertising powerful Windows RATs.
  • The malware developer posted seven tools with a price ranging from $30 to $150.
  • The developer on the Evilcoder website, however, clarifies that the tools are meant for educational and security testing purposes only, and not for any other activities. 
  • Researchers analyzed Evilcoder project samples and identified a few different variants of XWorm that uses multiple persistence and defense evasion techniques.

Technical analysis

XWorm is capable of dropping several malicious payloads at various points on the system, adding or changing registry entries, and executing commands.
  • Upon execution, the malware sleeps for one second and checks for mutexes, virtual machines, debuggers, emulators, sandbox environments, and Anyrun. The malware terminates itself if any of these conditions aren’t met.
  • XWorm installs itself in the start-up folder and creates a scheduled task entry in the AppData folder.
  • The malware creates an autorun entry in the registry to ensure it will automatically run whenever the system is restarted.
  • After establishing persistence, it contacts the C2 server. The C&C domain system is then notified of new system information through a new thread.
  • It incorporates the Read() routine, which receives AES encrypted commands from the C&C and decrypts them before executing the necessary operations.
The capabilities of XWorm
  • The malware can perform a variety of tasks, including keylogging, screen capture, auto-update, self-destruct, script execution, and ransomware operations.
  • File folder operations performed by the malware are adding and deleting files, hiding and displaying files, and transferring files. 
  • In addition, the malware launches a Hidden Virtual Network Computing (HVNC) attack, which allows it to control a remote machine without the victim's knowledge.


Malware developers with little or no responsibilities can create malicious programs and sell them on various forums for monetary gain. Threat actors are provided with highly impactful and dangerous features, such as ransomware and HVNC modules to attract more customers. You must have a system in place to keep yourself abreast with TTPs of newly launched threats or if there are new attack techniques adopted by existing cybercriminal groups.
Cyware Publisher