Copy/Paste Technique Used to Deliver XWORM

XWORM is observed being distributed via the Copy/Paste (ClickFix) technique. The XWORM C2 traffic uses a length-prefix pattern that can be matched. Using Discord webhooks for kit notifications is not new, but it’s new to me.

Tactical Pause

THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.

The Flow

I was searching for urlscan.io tasks that use api.telegram[.]com and observed an interesting scan task. It tracks when the Windows key is pressed and sends Copy/Paste notification messages via Discord. The Copy/Paste landing page is down, but the Copy/Paste next stage is still up.

The scan job can be viewed below.

https://urlscan.io/result/0196c6c0-a3fb-77c4-aa6d-90f3e2ba3baf/#summary

The snips below can be viewed here:

https://urlscan.io/responses/b3754b251a1bf630ed03ffb38286ef4697e2c7bbe0b9ed2d6f3f6f9976e26254

The Copy/Paste command uses the POST method and passes the decryptKey parameter. If you try to access the resource with the GET method, you’ll get a “Method not allowed” response. If you don’t include the decryptKey parameter, it returns an error message. This is a simple anti-analysis measure: the next stage is only served to a request shaped like the pasted command (a POST carrying decryptKey), so a browser visit, a crawler, or a naive GET from an analyst sees nothing useful. This Any Run session shows the responses for bad requests: https://app.any.run/tasks/7c56373c-caef-4c55-8fe9-79d0cb84a466.

In addition to that, this is the first time I’ve observed a threat actor use a Discord webhook for event notifications. Intel471 discusses it here: https://intel471.com/blog/how-discord-is-abused-for-cybercrime, and Cisco Talos discusses it here: https://blog.talosintelligence.com/collab-app-abuse/. It might not be new, but it’s new to me.

Even though the kicklive[.]cx domain is down, I was able to retrieve the payload from the veri.blackjack[.]lol resource and run it in the following Any Run session: https://app.any.run/tasks/6f71a29e-0bb6-4bc9-aada-f8311ca30143?p=68242b119537c303b9da947e. Any Run flagged it as XWORM.

I reviewed the Connections tab and observed PowerShell make a connection to 104.194.144[.]105:7000 as seen below.

The IP was marked as XWorm by Gi7w0rm.

https://threatfox.abuse.ch/ioc/1516973

I reviewed the Network stream and observed a pattern. The first bytes of the payload are an ASCII decimal number divisible by 16, followed by a null byte. The total payload length is that number plus the size of the prefix (including the null byte): when the number is 16, the frame is 19 bytes long. I assume this is used to signal to the receiving end how many bytes to expect. The snip below shows the Network streams.

This pattern can be matched with Suricata and YARA. The Rules section below shows a Suricata rule and a YARA rule that could be used. The Suricata rule checks that the content starts with 31 36 00 and is exactly 19 bytes long; the YARA rule matches 31 36 00 followed by 16 bytes at offset 0. Both are pinned to the 16-byte case seen in this session: a frame carrying 32 bytes would start with 33 32 00 and be 35 bytes long, and neither rule would fire on it, so treat them as a starting point and widen them to the frame sizes you see in your own captures. Two further caveats: the HTTP rule for the /decrypt request is written against port 443, so it only fires where TLS is terminated or decrypted in front of Suricata, and the ptb.discord.com DNS/SNI rules will also fire on legitimate use of the Discord Public Test Build client, so they are better suited to hunting than to blocking.
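The framing described above is small enough to parse directly, which makes it easy to see why a fixed dsize of 19 is narrow. The following is an added example, not code from the original post or from XWORM itself: it assumes only what the post describes (an ASCII decimal length, a single null byte, then exactly that many payload bytes) and carries the author’s observation that the declared length is a multiple of 16 as a heuristic check. The sample frames are constructed here for illustration; the observation that block-aligned lengths are consistent with padded block-cipher ciphertext is my inference, not something the post states.

```python
import re
from typing import List, Optional, Tuple

# Frame layout as described in the post: ASCII decimal length, one NUL byte,
# then exactly that many payload bytes. b"16\x00" + 16 bytes is 19 bytes total.
PREFIX_RE = re.compile(rb"^(\d{1,8})\x00")
BLOCK = 16  # the post observed declared lengths divisible by 16 (assumption:
            # block-aligned, consistent with padded block-cipher ciphertext)


def frame_length(payload_len: int) -> int:
    """Total on-the-wire size of a frame carrying payload_len bytes.

    16 -> 19 (matches the post's dsize:19), 32 -> 35, 160 -> 164.
    """
    return len(str(payload_len)) + 1 + payload_len


def parse_frame(buf: bytes) -> Optional[Tuple[int, bytes, int]]:
    """Parse one frame from the start of buf.

    Returns (declared_len, payload, bytes_consumed), or None when the prefix
    is malformed or the buffer does not yet hold the whole frame.
    """
    m = PREFIX_RE.match(buf)
    if not m:
        return None
    declared = int(m.group(1))
    start = m.end()
    end = start + declared
    if len(buf) < end:
        return None  # incomplete frame; a stream reader would wait for more
    return declared, buf[start:end], end


def split_stream(stream: bytes) -> List[bytes]:
    """Split a reassembled TCP stream into payloads using the length prefix.

    This is the behaviour the post assumes the prefix exists for: telling the
    receiver how many bytes belong to the current message.
    """
    frames: List[bytes] = []
    pos = 0
    while pos < len(stream):
        parsed = parse_frame(stream[pos:])
        if parsed is None:
            break  # trailing garbage or a partial frame; stop rather than guess
        _, payload, consumed = parsed
        frames.append(payload)
        pos += consumed
    return frames


def looks_like_xworm_frame(segment: bytes) -> bool:
    """Heuristic over a single TCP segment payload.

    Generalises the post's `content:"|31 36 00|"; depth:3; dsize:19;` rule:
    the segment must be exactly one well-formed frame and the declared length
    must be a non-zero multiple of 16, whatever that multiple is.
    """
    parsed = parse_frame(segment)
    if parsed is None:
        return False
    declared, _, consumed = parsed
    return declared > 0 and declared % BLOCK == 0 and consumed == len(segment)


# Constructed sample traffic (not captured data).
FRAME_16 = b"16\x00" + bytes(range(16))          # the case the post's rules match
FRAME_32 = b"32\x00" + b"\xaa" * 32              # same framing, missed by dsize:19
NOT_FRAMES = [
    b"GET / HTTP/1.1\r\n",                       # no length prefix
    b"17\x00" + b"A" * 17,                       # well-formed, but not block-aligned
    b"16\x00" + b"A" * 20,                       # trailing bytes beyond the declared length
]

if __name__ == "__main__":
    for seg in (FRAME_16, FRAME_32, *NOT_FRAMES):
        print(len(seg), looks_like_xworm_frame(seg), seg[:6])
    print([len(p) for p in split_stream(FRAME_16 + FRAME_32)])
```

Run against a reassembled stream (for example a follow-TCP-stream export from Wireshark) rather than per-packet captures, since a single frame may be split across segments; the parser returns None for a partial frame so the caller can buffer and retry.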

For the Copy/Paste kit that is used, I observe they use the unique filename “refrence.html” (sic) as observed here: https://urlscan.io/search/#filename:%22refrence.html%22. You can monitor this activity using the masq-monitor tool here: https://github.com/MalasadaTech/masq-monitor. A masq-monitor query config for this is in the masq-monitor Query Config section below.

Summary

XWORM is observed being distributed via the Copy/Paste (ClickFix) technique, with the next stage gated behind a POST carrying decryptKey. The XWORM C2 traffic to 104.194.144[.]105:7000 uses a length-prefix pattern that can be matched. Using Discord webhooks for kit notifications is not new, but it’s new to me.

Rules

Suricata:

alert dns any any -> any any (msg:"Discord Webhook Domain - DNS Query ptb.discord.com"; dns.query; content:"ptb.discord.com"; nocase; sid:1000016; rev:1;)
alert tls any any -> any any (msg:"Discord Webhook Domain - TLS SNI ptb.discord.com"; tls.sni; content:"ptb.discord.com"; nocase; sid:1000017; rev:1;)
alert http any any -> any 443 (msg:"XWorm ClickFix Command Detected - POST to /decrypt with decryptKey, Port 443, User-Agent curl"; flow:to_server; http.method; content:"POST"; http.uri; content:"/decrypt"; http.request_body; content:"decryptKey"; http.user_agent; content:"curl"; nocase; startswith; classtype:trojan-activity; sid:1000003; rev:2;)
alert tcp any any -> any any (msg:"XWorm TCP Payload Detected - Starts with 31 36 00, Length 19 Bytes"; flow:established; content:"|31 36 00|"; depth:3; dsize:19; classtype:trojan-activity; sid:1000001; rev:1;)

YARA:

rule XWorm_Payload_31_36_00_19_Bytes {
    meta:
        description = "Detects XWorm TCP payloads starting with 31 36 00 followed by 16 bytes (total 19 bytes)"
        author = "YourName"
        date = "2025-05-14"
    strings:
        $xworm_signature = { 31 36 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? } // Matches 31 36 00 followed by 16 arbitrary bytes
    condition:
        $xworm_signature at 0 // Ensures the pattern is at the start of the payload (offset 0)
}

masq-monitor Query Config

  copy-paste-kick-bullx:
    days: 7
    default_tlp_level: clear
    description: This is a report of Kick and Bullx masq sites using the Copy/Paste
      technique.
    description_tlp_level: clear
    frequency: Daily
    frequency_tlp_level: green
    last_run: '2025-05-15T17:10:22.287892'
    notes:
    - text: This is a report of Kick and Bullx masq sites using the Copy/Paste technique.
      tlp_level: clear
    platform: urlscan
    priority: High
    priority_tlp_level: green
    query: filename:"refrence.html"
    query_tlp_level: red
    references:
    - tlp_level: green
      url: https://malasada.tech/copy-paste-technique-used-to-deliver-xworm/
    - tlp_level: green
      url: https://github.com/MalasadaTech/defenders-threatmesh-framework
    - tlp_level: red
      url: https://github.com/MalasadaTech/defenders-threatmesh-framework/blob/main/pivots/P0401.006.md
    tags:
    - working
    tags_tlp_level: green
    titles:
    - title: Kick and Bullx Copy/Paste Masqs
      tlp_level: clear

IOCs

kicklive[.]cx

kicklive[.]cx/cf

veri.blackjack[.]lol

veri.blackjack[.]lol/decrypt

104.194.144[.]105

104.194.144[.]105:7000
