- What: Hackers use PyInstaller to hide XWorm malware
- Impact: Malware is disguised as legitimate software using a developer tool, evading detection
Hackers use PyInstaller to hide XWorm malware

May 15, 2026, by SC Staff

An attack leveraging the legitimate developer tool PyInstaller to conceal XWorm malware has been discovered by researchers at Point Wild, HackRead reports.

The attack begins with deceptive emails or fake software updates carrying a seemingly harmless file. That file is bundled with malicious code using PyInstaller, a tool developers use to package scripts into standalone executables; here it is repurposed as a delivery mechanism for XWorm. Once the victim opens the file, a compiled script runs in the background, evading detection. Researchers found a routine called "_IAT_PHANTOM_FIX" which appears to be dummy code designed to hinder analysis.

The malware employs AMSI memory patching to disable Windows' threat scanning, allowing it to unpack its main payload. That payload is encrypted and hidden within the file; it later decrypts itself and is written to the %LOCALAPPDATA% folder under the deceptive name "Win.Kernel_Svc_AJ8iOw.exe," marked as a hidden system file.

XWorm V7.4 then establishes a connection to a remote server using an AES secret key, enabling attackers to steal passwords, access files, activate webcams, launch DDoS attacks, or gain full remote control of the compromised device.

Source: HackRead
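As an added triage example (not code from the article, Point Wild or HackRead): PyInstaller's bootloader appends its archive to the executable and marks it with a fixed 8-byte cookie magic, so a defender looking at a suspicious dropper can check the file tail for that marker before investing in deeper analysis. The sample files, directory and function names below are constructed for the example.

```python
"""Triage helper: flag executables that carry a PyInstaller bundle.

PyInstaller's bootloader appends a CArchive to the executable; the archive
cookie carries the magic b'MEI\x0c\x0b\x0a\x0b\x0e'. Scanning the tail of a
PE for that magic is a cheap way to surface self-extracting Python bundles
for closer inspection. Constructed example, not the article's own code.
"""
import os
import tempfile

# CArchive cookie magic written by every PyInstaller bootloader.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def is_pyinstaller_bundle(data: bytes, tail_bytes: int = 1 << 22) -> bool:
    """True if the PyInstaller cookie appears in the last `tail_bytes` of data.

    The cookie sits at the end of the appended archive, so the file tail is
    enough and large binaries need not be read in full.
    """
    return PYINSTALLER_MAGIC in data[-tail_bytes:]


def scan_path(path: str, tail_bytes: int = 1 << 22) -> bool:
    """Read only the tail of a file on disk and test it for the cookie."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        return is_pyinstaller_bundle(fh.read(), tail_bytes)


def find_bundles(directory: str) -> list[str]:
    """Walk a directory and return PE files ('MZ' header) that carry a bundle."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    if fh.read(2) != b"MZ":
                        continue  # not a PE image, skip
                if scan_path(full):
                    hits.append(full)
            except OSError:
                continue  # unreadable file, skip rather than abort the sweep
    return sorted(hits)


def build_sample_dir() -> str:
    """Create a temp dir with constructed stand-ins: one bundled PE, one plain PE,
    and a non-PE file that contains the magic and must be ignored."""
    d = tempfile.mkdtemp(prefix="pyi_triage_")
    bundled = b"MZ" + b"\x00" * 4096 + b"PYZ-00.pyz" + PYINSTALLER_MAGIC + b"\x00" * 16
    plain = b"MZ" + b"\x00" * 4096
    with open(os.path.join(d, "bundled_sample.exe"), "wb") as fh:
        fh.write(bundled)
    with open(os.path.join(d, "plain_sample.exe"), "wb") as fh:
        fh.write(plain)
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(PYINSTALLER_MAGIC)
    return d


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for hit in find_bundles(sample_dir):
        print("PyInstaller bundle:", hit)
```

Point `find_bundles` at a user-writable location such as the %LOCALAPPDATA% directory named in the article to list bundled executables for review; a hit only means "packaged with PyInstaller", which many legitimate tools are, so treat it as a lead for analysis rather than a verdict.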