Security researchers from SonicWall and SOCRadar have noted that cracked versions of this tool are widely available on platforms like GitHub, leading to its rapid proliferation among various threat actors.

Malicious PDF delivering Xworm 3.1 payload - SonicWall
The engine is the heart of Xworm 3.1. Low‑level packet manipulation and raw socket I/O are written in , guaranteeing memory safety and high throughput (up to 12 Mpps on a 32‑core server). For flexibility, the framework embeds a Python 3.12 interpreter that executes user scripts via a sandboxed API, preventing privilege escalation or resource exhaustion.
Xworm 3.1 is a malicious Remote Access Trojan (RAT) designed to gain unauthorized, full control over infected systems. It is commonly distributed through phishing emails containing malicious PDF attachments or by abusing legitimate Windows tools like the Software Licensing Management Tool (slmgr.vbs).
Once active, the attacker has access to a dashboard (usually a Windows Forms app written in VB.NET or C#). The plugin list for version 3.1 includes: