As of late 2025, XWorm 3.1 remains in active circulation, but its source code has been leaked multiple times, leading to fragmented "custom builds." The original author(s) likely shifted to a new project, but variants like XWorm RAT v3.2 (unofficial) and DiamondRAT (a rebrand) are emerging.
Modern XWorm campaigns employ multi-stage, highly deceptive infection chains to evade next-generation antivirus (NGAV) and EDR solutions. xworm 3.1
Captures keystrokes, capturing passwords, emails, and sensitive documents. As of late 2025, XWorm 3
It often employs technique like process hollowing to inject malicious code into legitimate processes (such as MSBuild.exe ) to hide from security solutions. As of late 2025
Deploying EDR solutions is critical to detect the malicious behaviors associated with XWorm, such as code injection into legitimate processes and suspicious PowerShell execution.