
Hackers Exploit Excel to Hide XWorm 7.2 in JPEG, Hijacking PCs

  • Feb 23

Background


  • The XWorm malware has been around since 2022, but the latest version 7.2 surfaced on Telegram marketplaces in late 2025 and early 2026.

  • Attackers are using social engineering tactics to lure victims into opening malicious Excel attachments in emails disguised as business communications.


Technical Details


  • The Excel file exploits an old vulnerability (CVE-2018-0802) to run a hidden script (HTA file) that downloads what appears to be a normal JPEG image.

  • However, the JPEG file contains the actual XWorm malware, hidden between "BaseStart" and "BaseEnd" markers.

  • The malware uses a technique called "process hollowing" to inject itself into a legitimate Windows process (Msbuild.exe), making it appear as a trusted system tool.

  • XWorm then connects to a control server at berlin101.com using port 6000 and AES encryption to exfiltrate data.
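A defender-side check for the JPEG trick described above, added here as an example (not code from the article or from the reported campaign): it looks for a blob wedged between the "BaseStart" and "BaseEnd" markers, records its offset and hash, and notes whether it starts with an MZ header. The article does not say how the blob is encoded, so the MZ check is only a hint, and the sample bytes are constructed.

```python
"""Scan a JPEG for a payload delimited by "BaseStart" / "BaseEnd" markers.

Added detection example. The marker strings come from the reported XWorm 7.2
campaign; the sample file below is constructed and contains no real malware.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

JPEG_SOI = b"\xff\xd8"      # JPEG Start-Of-Image magic
START_MARK = b"BaseStart"
END_MARK = b"BaseEnd"


@dataclass
class EmbeddedPayload:
    offset: int          # file offset of the first byte after "BaseStart"
    size: int            # bytes between the two markers
    sha256: str          # hash of the blob, for blocklists and sharing
    looks_like_pe: bool  # blob begins with "MZ" (heuristic only; encoding unknown)


def find_embedded_payload(data: bytes) -> Optional[EmbeddedPayload]:
    """Return details of a marker-delimited blob, or None if none is found.

    Image viewers ignore bytes after the End-Of-Image marker, which is why a
    loader can append data and the file still opens as a normal picture.
    """
    if not data.startswith(JPEG_SOI):
        return None  # not a JPEG; out of scope for this check
    start = data.find(START_MARK)
    if start == -1:
        return None
    body_start = start + len(START_MARK)
    end = data.find(END_MARK, body_start)
    if end == -1:
        return None  # dangling start marker: odd, but nothing to extract
    blob = data[body_start:end]
    return EmbeddedPayload(
        offset=body_start,
        size=len(blob),
        sha256=hashlib.sha256(blob).hexdigest(),
        looks_like_pe=blob.startswith(b"MZ"),
    )


# Constructed sample: minimal JPEG skeleton (SOI, APP0, EOI) plus a fake stub.
SAMPLE_JPEG = (
    JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
    + START_MARK + b"MZ" + b"\x90" * 14 + b"fake-stub" + END_MARK
)

if __name__ == "__main__":
    print(find_embedded_payload(SAMPLE_JPEG))
```

Running the module on the constructed sample reports a 25-byte blob at offset 38; on a clean JPEG it returns None.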


Capabilities of XWorm 7.2


  • XWorm is a modular Remote Access Trojan (RAT) that can be expanded with over 50 different plugins.

  • It can steal sensitive information such as Wi-Fi keys, passwords, and browser cookies.

  • The malware can also spy on victims through their webcam and log keystrokes.

  • Additionally, XWorm has built-in ransomware and DDoS attack capabilities.


Expert Insights


  • The campaign is not using any breakthrough techniques, but the sophisticated assembly of known components makes it effective.

  • The hackers are exploiting the fact that legacy Office exploits still work at scale.

  • The choice to hide XWorm inside the Msbuild.exe process is a deliberate attempt to blend in and evade detection.

  • Experts warn that XWorm has evolved beyond a typical RAT, with its advanced features and modular architecture.


Recommendations


  • Keep software and systems up-to-date to mitigate known vulnerabilities.

  • Exercise caution when opening unexpected attachments, even from seemingly legitimate business contacts.

  • Use robust security solutions and employee security awareness training to protect against such social engineering attacks.


Sources


  • https://hackread.com/hackers-excel-exploit-xworm-7-2-jpeg-files-hijack-pcs/

  • https://x.com/HackRead/status/2025906119630069988

  • https://www.socdefenders.ai/item/f93fb8e1-56ff-4b6d-bbf1-9d185e9b79fd

  • https://www.linkedin.com/posts/cyber-news-live_hackers-use-excel-exploit-to-hide-xworm-72-activity-7431722871497846784-p2Wb

  • https://www.reddit.com/r/InfoSecNews/comments/1rcfjho/hackers_use_excel_exploit_to_hide_xworm_72_in/

© 2025 by Explain IT Again. Powered and secured by Wix
